<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Unable to use saved ruleset when using dynamic sets"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1477">1477</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Unable to use saved ruleset when using dynamic sets
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>nft
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>sunkan+bugs.netfilter@zappa.cx
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Tested on Debian Buster with the nftables package from backports.

root@debian10:/tmp# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
root@debian10:/tmp# nft -v
nftables v0.9.6 (Capital Idea #2)
root@debian10:/tmp# uname -a
Linux debian10 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64
GNU/Linux
root@debian10:/tmp# 


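Here is a way to reproduce the problem. Once the rule has added an element to
the dynamic set, the output of "nft list ruleset" can no longer be loaded
with "nft -f":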

root@debian10:/tmp# nft list ruleset
table inet filter {
        set ssh_meter {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 1m
        }

        chain output {
                type filter hook output priority filter; policy accept;
                ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit
rate over 1/minute }
        }
}
root@debian10:/tmp# ping -4 localhost -c 2
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.046 ms

--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 15ms
rtt min/avg/max/mdev = 0.046/0.048/0.050/0.002 ms
root@debian10:/tmp# nft list ruleset | tee /tmp/unable-to-load.nft
table inet filter {
        set ssh_meter {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 1m
                elements = { 127.0.0.1 expires 38s800ms limit rate over
1/minute }
        }

        chain output {
                type filter hook output priority filter; policy accept;
                ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit
rate over 1/minute }
        }
}
root@debian10:/tmp# nft -f /tmp/unable-to-load.nft 
/tmp/unable-to-load.nft:7:43-47: Error: syntax error, unexpected limit,
expecting comma or '}'
                elements = { 127.0.0.1 expires 38s800ms limit rate over
1/minute }
                                                        ^^^^^
root@debian10:/tmp# 


Note: "nft -t list ruleset" produces output that can be loaded again, but -t
leaves out the elements of every set, so the static members of regular sets
would not be saved either. It is therefore not a proper workaround.</pre>
        </div>
      </p>
    </body>
</html>