[Bug 1716] The -s option does not always exclude stateful information for sets

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed Oct 25 13:37:21 CEST 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1716

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to kfm from comment #0)
> All of the following examples concern the exact same loaded ruleset.
> 
> Here is an example of stateful information being properly omitted.
> 
> # nft -s list set netdev filter block_bogons | head -n6
> table netdev filter {
>         set block_bogons {
>                 type ipv4_addr
>                 flags interval,timeout
>                 timeout 1d
>                 elements = { 0.0.0.0/8, 10.0.0.0/8,
> 
> Here is an example of stateful information not being omitted, despite the
> use of the -s option. The second address has been obfuscated for reasons of
> privacy.
> 
> # nft -s list set netdev filter dropped | head -n7
> table netdev filter {
>         set dropped {
>                 type ipv4_addr . ipv4_addr
>                 size 65535
>                 flags dynamic,timeout
>                 timeout 1h
>                 elements = { 146.88.240.17 . ___________ timeout 1h,

-s/--stateful strips off 'expires' from the listing, which tells you how much
time is left for this element to expire. The 'timeout' specifies the timeout for
this element, which might differ from the default timeout.

> Here is another example of stateful information not being omitted. The
> addresses have been obfuscated for reasons of privacy.
> 
> # nft -s list set ip filter meter_client | head -n7
> table ip filter {
>         set meter_client {
>                 type ipv4_addr
>                 size 131070
>                 flags dynamic,timeout
>                 timeout 2m30s
>                 elements = { ______________ limit rate 12/minute burst 30
> packets timeout 2m30s, _____________ limit rate 12/minute burst 30 packets
> timeout 2m30s,
>
> The expected outcome is that specifying the -s option consistently excludes
> the stateful information associated with the set elements.

This shows the 'limit rate' policy, which does not expose any internal stateful
information such as current tokens in the bucket, compared to counter and quota.

Not related to this report, but it should be possible to strip off 'timeout'
when it is the same as the default set timeout, to avoid repetitive printing of
the same timeout for every element, i.e. only expires would be shown. In such a
case, if -s/--stateful is specified, then expires would not be shown.

For the record, 'expires' is stripped off from -s/--stateful since:

commit 37988cf255e51efba0d81dbc43eb4f0a41e99813
Author: Varsha Rao <rvarsha016 at gmail.com>
Date:   Tue Jun 6 11:55:40 2017 +0530

    src: Remove expire information from list stateless ruleset.
