Tags: set, nftables

Cannot flush an nftables set's elements


I am currently learning to use nftables in a test environment and I'm working with nftables sets. I was on version 0.7 and, since my tests weren't working, I updated to version 0.9.4, but my problem was still the same.

I can create my sets in my table without any problems, and my set elements must contain IPv4 addresses. I have worked with nftables tables, chains and sets without problems, my rules worked, etc.

So what I want to do, but can't find out how to do, is to delete all of my set's elements without specifying the IPv4 addresses one by one.

Let's say my table's name is test and my set's name is tmp with an ipv4_addr type; my configuration looks like this:

table ip test {
        set tmp {
                type ipv4_addr
        }
}

I can add an element to this set successfully with this command:

nft add element ip test tmp { 10.10.10.10 }

Now what I want to do is delete all the elements of my set. I looked in the man page of nft and it says that I can flush all elements from my set with the flush command:

SETS
[...]
flush    Remove all elements from the specified set.

So I tried this command to delete all my elements from my set:

nft flush set test tmp

But it returns this error:

Error: Could not process rule: Invalid argument
flush set test tmp
^^^^^^^^^^^^^^^^^^^

I tried a lot of commands in the same way (adding the table before the set, not specifying the table); it always returns an error, though not always the same one.

I think I must be doing something wrong but I can't figure out what. If you have any idea, please share; I would be very thankful!

Maybe my overall configuration is wrong and I shouldn't think of sets that way?

And if it's not possible to flush the elements from a set, is there a way to delete all elements from a set (besides defining a timeout flag)?

Sorry if my message isn't clear; I'm French and it's a little hard to describe a problem in another language...

Thanks!

Regards.


Solution

  • The Netfilter team provided this answer:

    The flush option for a set only works from Linux 4.10 onwards, and my version was older.

    I found a way to flush the table anyway with these commands on Debian, if you are interested:

    Store the elements from the set in a variable:

    # keep the "elements = { ... }" line(s) of the set listing and drop
    # everything up to the "=", leaving the brace-delimited element list
    ip_elements=$(nft list set test tmp | awk '/{ /,/}/' | cut -d '=' -f 2)
    

    Delete the elements with the delete command:

    # ${ip_elements} is deliberately left unquoted so the shell splits the
    # list into separate arguments ("{", each address, "}") for nft
    nft delete element test tmp ${ip_elements}
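The list-then-delete workaround above, written out as a POSIX shell script. This is an added example, not code from the original question or answer: it tries the native `nft flush set` first and only falls back to parsing `nft list set` when that fails, joins element lists that nft wraps across several lines (the answer's `awk '/{ /,/}/' | cut` pipeline assumes the list fits on one line), and treats an already-empty set as success rather than handing nft an empty list. The family/table/set names `ip test tmp` follow the question; the sample listing is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: flush every element of an
# nftables set. It tries the native 'nft flush set' first and, where that is
# unavailable (the answer above puts the kernel requirement at 4.10), falls
# back to parsing 'nft list set' and deleting the elements in one command.

# Read 'nft list set' output on stdin and print the element list as a single
# brace-delimited string, e.g. "{ 10.10.10.10, 10.10.10.11 }". Lists that nft
# wraps across several lines are joined; a set with no elements prints an
# empty line. Braces are located with index() rather than regexes because
# '{' and '}' are interval operators in some awk regex dialects.
set_elements() {
    awk '
        index($0, "elements = {") { inlist = 1; $0 = substr($0, index($0, "{")) }
        inlist {
            for (i = 1; i <= NF; i++) out = out (out == "" ? "" : " ") $i
            if (index($0, "}")) inlist = 0
        }
        END { print out }
    '
}

# flush_set FAMILY TABLE SET: remove all elements from the named set.
# Family/table/set names are whatever the caller passes; "ip test tmp"
# matches the names used in the question.
flush_set() {
    family=$1
    table=$2
    setname=$3
    # Native, atomic flush (Linux >= 4.10 according to the answer).
    if nft flush set "$family" "$table" "$setname" 2>/dev/null; then
        return 0
    fi
    # Fallback: list, then delete. Fail loudly if the set cannot be listed
    # instead of mistaking a listing error for an empty set.
    listing=$(nft list set "$family" "$table" "$setname") || return 1
    elements=$(printf '%s\n' "$listing" | set_elements)
    [ -n "$elements" ] || return 0
    # $elements is intentionally unquoted: nft wants "{", each element and "}"
    # as separate arguments, exactly as in the answer above.
    # shellcheck disable=SC2086
    nft delete element "$family" "$table" "$setname" $elements
}

# Constructed sample of 'nft list set ip test tmp' output (not captured from
# a real host), with the element list wrapped the way nft prints long lists.
SAMPLE_LISTING='table ip test {
    set tmp {
        type ipv4_addr
        elements = { 10.10.10.10, 10.10.10.11, 10.10.10.12,
                     10.10.10.13 }
    }
}'

# Offline demonstration: show the delete command the fallback would issue.
# To act on a live ruleset, run as root: flush_set ip test tmp
printf 'would run: nft delete element ip test tmp %s\n' \
    "$(printf '%s\n' "$SAMPLE_LISTING" | set_elements)"
```

Two caveats a practitioner should keep in mind. The fallback is not atomic: an element added between the list and the delete survives, and one removed in between makes the delete fail with "No such file or directory", so if the set backs a live allowlist or blocklist, prefer the native flush where the kernel supports it. The parser also only handles plain elements; a set created with the timeout flag prints per-element `timeout`/`expires` annotations that would need stripping first, and on nft 0.9.0 or later `nft -j list set` gives JSON output that is easier to parse reliably than the text form.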