[Bug 1477] New: Unable to use saved ruleset when using dynamic sets
bugzilla-daemon at netfilter.org
Mon Oct 26 14:16:38 CET 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1477
Bug ID: 1477
Summary: Unable to use saved ruleset when using dynamic sets
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: sunkan+bugs.netfilter at zappa.cx
Tested on Debian Buster with nftables package from backports.
root@debian10:/tmp# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
root@debian10:/tmp# nft -v
nftables v0.9.6 (Capital Idea #2)
root@debian10:/tmp# uname -a
Linux debian10 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
root@debian10:/tmp#
Here follows a way to reproduce the problem:
root@debian10:/tmp# nft list ruleset
table inet filter {
	set ssh_meter {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 1m
	}
	chain output {
		type filter hook output priority filter; policy accept;
		ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit rate over 1/minute }
	}
}
root@debian10:/tmp# ping -4 localhost -c 2
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.046 ms
--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 15ms
rtt min/avg/max/mdev = 0.046/0.048/0.050/0.002 ms
root@debian10:/tmp# nft list ruleset | tee /tmp/unable-to-load.nft
table inet filter {
	set ssh_meter {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 1m
		elements = { 127.0.0.1 expires 38s800ms limit rate over 1/minute }
	}
	chain output {
		type filter hook output priority filter; policy accept;
		ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit rate over 1/minute }
	}
}
root@debian10:/tmp# nft -f /tmp/unable-to-load.nft
/tmp/unable-to-load.nft:7:43-47: Error: syntax error, unexpected limit, expecting comma or '}'
		elements = { 127.0.0.1 expires 38s800ms limit rate over 1/minute }
		                                        ^^^^^
root@debian10:/tmp#
Note: Using "nft -t list ruleset" works, but if regular sets with static
members are also in use, those would not be saved, so it is not really a proper workaround.
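As an added example (not part of the report or of nftables itself), the following Python filter post-processes an "nft list ruleset" dump in the format shown above: it drops the "elements = { ... }" entry only from sets carrying the dynamic flag, so the stateful "expires ... limit rate over ..." state that trips the parser is gone, while static sets keep the members that "nft -t" would lose. The sample dump is constructed from the report with an extra static set added for illustration.

```python
import re
# Constructed sample: the report's dump plus a static set ("nft -t" would drop its members).
SAMPLE_DUMP = """\
table inet filter {
	set ssh_meter {
		type ipv4_addr
		flags dynamic,timeout
		elements = { 127.0.0.1 expires 38s800ms limit rate over
			     1/minute }
	}
	set admins {
		type ipv4_addr
		elements = { 192.0.2.10, 192.0.2.11 }
	}
	chain output {
		type filter hook output priority filter; policy accept;
		ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit rate over 1/minute }
	}
}
"""
SET_OPEN = re.compile(r"^\s*set\s+\S+\s*\{")
ELEMENTS_OPEN = re.compile(r"^\s*elements\s*=\s*\{")
DYNAMIC_FLAG = re.compile(r"^\s*flags\s+.*\bdynamic\b")

def drop_elements(block):
    """Remove an 'elements = { ... }' entry, including continuation lines."""
    kept, depth = [], 0
    for line in block:
        if depth == 0 and not ELEMENTS_OPEN.match(line):
            kept.append(line)
        else:  # inside the elements block: track braces until it closes
            depth += line.count("{") - line.count("}")
    return kept
def strip_dynamic_elements(dump):
    """Drop runtime elements (expires/limit state) from dynamic sets only."""
    out, block, depth = [], None, 0
    for line in dump.splitlines():
        if block is None and SET_OPEN.match(line):
            block = []  # buffer the whole set { ... } block
        if block is None:  # table/chain/rule lines pass through unchanged
            out.append(line)
            continue
        block.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:  # set block closed: filter it only if it is dynamic
            if any(DYNAMIC_FLAG.match(l) for l in block):
                block = drop_elements(block)
            out.extend(block)
            block = None
    return "\n".join(out) + "\n"
```

Feed the output of "nft list ruleset" into strip_dynamic_elements and write the result to the file you later load with "nft -f"; the dynamic set is recreated empty, which is what a reboot would produce anyway.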