authorJo-Philipp Wich2022-06-17 08:13:34 +0000
committerStijn Tintel2022-06-17 11:32:43 +0000
commitd79911c7ad40645ab21eaadf09c281fe998e3769 (patch)
treeb9b52471f5579aa4ed879c5ff98a43cbc554e15d
parent3b5a0338b35d594511ff057ddc033c928e23a4fb (diff)
fw4: support sets with timeout capability but without default expiry
Configure the set timeout flag explicitly and do not rely on nftables inferring it from the default timeout value. This allows treating uci `option timeout 0` specially, meaning the timeout capability flag is enabled on the set but no `timeout` statement is emitted. Signed-off-by: Jo-Philipp Wich <jo@mein.io> Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
-rw-r--r--root/usr/share/firewall4/templates/ruleset.uc6
-rw-r--r--root/usr/share/ucode/fw4.uc6
2 files changed, 10 insertions, 2 deletions
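--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -53,13 +53,15 @@ table inet fw4 {
 {% if (set.maxelem > 0): %}
 size {{ set.maxelem }}
 {% endif %}
-{% if (set.timeout >= 0): %}
+{% if (set.timeout > 0): %}
 timeout {{ set.timeout }}s
 {% endif %}
 {% if (set.interval): %}
- flags interval
 auto-merge
 {% endif %}
+{% if (set.flags): %}
+ flags {{ join(',', set.flags) }}
+{% endif %}
 {% fw4.print_setentries(set) %}
 }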
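Review bot: The template now emits the `timeout` statement only for strictly positive values while fw4.uc raises the timeout flag from `s.timeout >= 0`, and nothing in ruleset.uc records that `timeout 0` is the deliberate "flag only, no default expiry" case; read on its own, the change from `>= 0` to `> 0` looks like an off-by-one rather than the intent described in the commit message. A template comment immediately before the condition would fix that, e.g. `{# timeout 0 keeps the set's timeout flag (see the flags line below) but emits no default expiry #}`. Note also that for interval sets `auto-merge` is now written before the `flags` line; nft appears to accept set block statements in any order, but if that is not the case for the nftables version fw4 targets, the new flags block should move above the interval block. The set block continues outside the hunk.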
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 85456c9..e6bd365 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -3219,6 +3219,12 @@ return {
interval: interval
};
+ if (s.interval)
+ push(s.flags ??= [], 'interval');
+
+ if (s.timeout >= 0)
+ push(s.flags ??= [], 'timeout');
+
s.entries = filter(map(ipset.entry, (e) => {
let v = this.parse_ipsetentry(e, s);