<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:pablo@netfilter.org" title="Pablo Neira Ayuso <pablo@netfilter.org>"> <span class="fn">Pablo Neira Ayuso</span></a>
</span> changed
<a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - sets: timeout+counter"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1493">bug 1493</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">Status</td>
<td>NEW
</td>
<td>ASSIGNED
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - sets: timeout+counter"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1493#c1">Comment # 1</a>
on <a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - sets: timeout+counter"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1493">bug 1493</a>
from <span class="vcard"><a class="email" href="mailto:pablo@netfilter.org" title="Pablo Neira Ayuso <pablo@netfilter.org>"> <span class="fn">Pablo Neira Ayuso</span></a>
</span></b>
<pre>Kernel patch to fix the missing counters:

<a href="https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210116180313.16943-1-pablo@netfilter.org/">https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210116180313.16943-1-pablo@netfilter.org/</a>

It applies to 5.11-rc; I will send a backport to request inclusion in -stable
kernels.

There is another issue: the timeout policy is not displayed when listing (only
the expiration), which results in skipping the timeout policy next time you
reload the listing. Another patch:

<a href="https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210116182932.737-1-pablo@netfilter.org/">https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210116182932.737-1-pablo@netfilter.org/</a>

Until these patches get into the kernel, I can provide a workaround for you:

- Set the dynamic flag in your set definition; this is convenient since it
  specifies that the set is updated from the packet path.

        set tst {
                type ipv4_addr
                size 8
                flags timeout,dynamic
                counter
        }

- Specify counter in the set statement:

        tcp dport 1111 add @tst { ip daddr timeout 5m counter }

It's kind of redundant, but it will work until kernels honor the set definition
containing the counter.</pre>
</div>
</p>
</body>
</html>