bugzilla-daemon at netfilter.org
2020-Oct-26 13:16 UTC
[Bug 1477] New: Unable to use saved ruleset when using dynamic sets
https://bugzilla.netfilter.org/show_bug.cgi?id=1477

            Bug ID: 1477
           Summary: Unable to use saved ruleset when using dynamic sets
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: sunkan+bugs.netfilter at zappa.cx

Tested on Debian Buster with the nftables package from backports.

root at debian10:/tmp# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
root at debian10:/tmp# nft -v
nftables v0.9.6 (Capital Idea #2)
root at debian10:/tmp# uname -a
Linux debian10 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
root at debian10:/tmp#

Here follows a way to reproduce the problem:

root at debian10:/tmp# nft list ruleset
table inet filter {
	set ssh_meter {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 1m
	}

	chain output {
		type filter hook output priority filter; policy accept;
		ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit rate over 1/minute }
	}
}
root at debian10:/tmp# ping -4 localhost -c 2
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.046 ms

--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 15ms
rtt min/avg/max/mdev = 0.046/0.048/0.050/0.002 ms
root at debian10:/tmp# nft list ruleset | tee /tmp/unable-to-load.nft
table inet filter {
	set ssh_meter {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 1m
		elements = { 127.0.0.1 expires 38s800ms limit rate over 1/minute }
	}

	chain output {
		type filter hook output priority filter; policy accept;
		ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit rate over 1/minute }
	}
}
root at debian10:/tmp# nft -f /tmp/unable-to-load.nft
/tmp/unable-to-load.nft:7:43-47: Error: syntax error, unexpected limit, expecting comma or '}'
		elements = { 127.0.0.1 expires 38s800ms limit rate over 1/minute }
		                                        ^^^^^
root at debian10:/tmp#

Note: Using "nft -t list ruleset" works, but if regular sets with static members are also in use, those would not be saved, so it is not really a proper workaround.

-- 
You are receiving this mail because:
You are watching all bug changes.
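A workaround for the limitation noted above, as an added example that is not part of the report or of nftables: a small Python filter that removes only the element lists of sets flagged dynamic from saved `nft list ruleset` output, so the file loads with `nft -f` while static sets keep their members (which `nft -t` would discard). The ruleset text is a constructed copy of the report's output with an extra static set `admins` added; the brace-depth handling assumes the one-statement-per-line layout that `nft list ruleset` prints.

```python
import re
# Constructed copy of the `nft list ruleset` output from the report, plus a
# static set to show that ordinary members are preserved.
SAVED_RULESET = """table inet filter {
	set ssh_meter {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 1m
		elements = { 127.0.0.1 expires 38s800ms limit rate over 1/minute }
	}
	set admins {
		type ipv4_addr
		elements = { 192.0.2.10, 192.0.2.11 }
	}
	chain output {
		type filter hook output priority filter; policy accept;
		ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit rate over 1/minute }
	}
}
"""
SET_OPEN = re.compile(r"\s*(set|map|meter)\s+\S+\s*\{\s*$")   # start of a set block
DYNAMIC = re.compile(r"\s*flags\s+.*\bdynamic\b")
ELEMENTS = re.compile(r"\s*elements\s*=\s*\{")

def _drop_elements(block):
    """Remove the 'elements = { ... }' list (single- or multi-line) from a set block."""
    kept, depth = [], 0
    for line in block:
        if depth == 0 and ELEMENTS.match(line):
            depth = line.count("{") - line.count("}")   # 0 when the list closes on this line
            continue
        if depth > 0:                                    # still inside the element list
            depth += line.count("{") - line.count("}")
            continue
        kept.append(line)
    return kept

def strip_dynamic_elements(ruleset):
    """Drop elements only from sets flagged dynamic; static sets keep their members."""
    lines, out, i = ruleset.splitlines(), [], 0
    while i < len(lines):
        if not SET_OPEN.match(lines[i]):
            out.append(lines[i]); i += 1
            continue
        block, depth = [], 0          # collect the whole set block by brace depth
        while not block or depth:
            block.append(lines[i]); depth += lines[i].count("{") - lines[i].count("}"); i += 1
        out.extend(_drop_elements(block) if any(DYNAMIC.match(l) for l in block) else block)
    return "\n".join(out) + "\n"
```

Pipe the saved file through `strip_dynamic_elements` before loading it; the dynamic set is recreated empty and repopulates as the chain rule fires.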
bugzilla-daemon at netfilter.org
2020-Nov-05 21:17 UTC
[Bug 1477] Unable to use saved ruleset when using dynamic sets
https://bugzilla.netfilter.org/show_bug.cgi?id=1477

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Dec-01 16:34 UTC
[Bug 1477] Unable to use saved ruleset when using dynamic sets
https://bugzilla.netfilter.org/show_bug.cgi?id=1477

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1461

--- Comment #1 from kfm at plushkava.net ---
Just to add that nftables 0.9.7 remains affected.
bugzilla-daemon at netfilter.org
2020-Dec-02 17:45 UTC
[Bug 1477] Unable to use saved ruleset when using dynamic sets
https://bugzilla.netfilter.org/show_bug.cgi?id=1477

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20201202173306.23871-1-pablo at netfilter.org/