bugzilla-daemon at netfilter.org
2017-May-31  01:05 UTC
[Bug 1153] New: Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153
            Bug ID: 1153
           Summary: Sets with timeouts can be saved to a file but not
                    reloaded
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: bugzilla at piven.net
I have a set defined as
    set ssh_attack_hosts {
        type ipv4_addr
        flags timeout
    }
and have an external program write entries into this set using something like
nft add element firewall ssh_attack_hosts { 10.10.10.10 timeout 1d }
This works fine and if I "nft list set firewall
ssh_attack_hosts>saved.set.file", I get a file containing something like
table ip firewall {
    set ssh_attack_hosts {
        type ipv4_addr
        flags timeout
        elements = { 10.10.10.10 timeout 1d expires 23h54m29s}
    }
}
However, if I try to read that set back into nftables (nft -f saved.set.file),
nft complains about the existence of the "expires" information:
saved.set.file:5:56-62: Error: syntax error, unexpected string, expecting comma or '}'
        elements = { 10.10.10.10 timeout 1d expires 23h54m29s}
                                                    ^^^^^^^
(The ^^^ is under "expires" if the wrapping pixies are misbehaving.)
My expectation is that the expiration time should be read and saved in the
set... is this a reasonable expectation?
(This is with nft 0.7.)
Thanks! -- Don
-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-Jun-01  09:41 UTC
[Bug 1153] Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |rvarsha016 at gmail.com
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Cc'ing Varsha (Outreachy intern), who will be taking care of fixing up this
bug.
Rationale is, we have a nft '-s' option that means 'dump things in stateless'
format.
This option seems not to be working for the 'expires' thing in sets. If -s is
requested, we should just not print this.
bugzilla-daemon at netfilter.org
2017-Jun-06  16:25 UTC
[Bug 1153] Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
I have pushed this into git.netfilter.org:
http://git.netfilter.org/nftables/commit/?id=37988cf255e51efba0d81dbc43eb4f0a41e99813
So basically, this allows you to save a ruleset via:
# nft -s list ruleset > ruleset.nft
using the `-s' option, which dumps your ruleset with no stateful information,
so that you can easily restore it.
Please, don't close this bug. I would like us to also support stateful restore
at some point, so people can save some pending timers before a reboot, then
reload the timers with their states (i.e. including expires).
bugzilla-daemon at netfilter.org
2017-Jun-11  01:20 UTC
[Bug 1153] Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153
--- Comment #3 from Don Piven <bugzilla at piven.net> ---
Finally had a chance to build the latest nftables with your patch -- the nft -s
solution works fine for my use. Eventually I think nft -f should do something
useful with all the info generated by nft list and thus have nft list be
symmetric with nft -f, but being able to use nft -s to omit the stateful info
still gets me what I need (reloading the IP addresses sans timeouts).
Thanks for the quick work!
Don
bugzilla-daemon at netfilter.org
2020-Jan-29  00:01 UTC
[Bug 1153] Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153
kfm at plushkava.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Jul-30  19:56 UTC
[Bug 1153] Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Fix upstream:
commit 1fe6089ddd87ee7869d24c0f8849951220cc9b85
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Mar 11 13:00:01 2020 +0100
    src: support for restoring element counters
This allows to restore the set element expiration.
No need to use the -s workaround anymore.
Closing, thanks for reporting.
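Added example (not part of the bug thread or of nftables): for an nft build that still rejects "expires" on reload, as nft 0.7 does in the report, this Python filter rewrites a saved set so that each element's timeout becomes its remaining lifetime, instead of reloading the addresses without timeouts as in comment #3. It assumes nft accepts a timeout written in whole seconds (such as 86069s); SAVED is constructed sample input and the function names are hypothetical.

```python
import re

# Constructed sample in the format "nft list set" prints in the report above.
SAVED = """table ip firewall {
    set ssh_attack_hosts {
        type ipv4_addr
        flags timeout
        elements = { 10.10.10.10 timeout 1d expires 23h54m29s,
                     10.10.10.11 timeout 1d expires 500ms,
                     10.10.10.12 }
    }
}
"""

UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
ELEMENTS = re.compile(r"(elements\s*=\s*\{)(.*?)(\})", re.S)
STATEFUL = re.compile(r"^(?P<key>.+?) timeout \S+ expires (?P<left>\S+)$")


def to_ms(duration):
    """Convert an nft duration such as 23h54m29s or 1s500ms to milliseconds."""
    parts = re.findall(r"(\d+)(ms|d|h|m|s)", duration)
    if not parts or "".join(n + u for n, u in parts) != duration:
        raise ValueError(f"unrecognised duration: {duration!r}")
    return sum(int(n) * UNIT_MS[u] for n, u in parts)


def strip_expires(saved, min_left_ms=1000):
    """Replace 'timeout T expires E' with 'timeout E' (whole seconds)."""
    def fix_block(match):
        kept = []
        for item in match.group(2).split(","):
            item = " ".join(item.split())          # normalise whitespace
            if not item:
                continue
            stateful = STATEFUL.match(item)
            if stateful is None:
                kept.append(item)                  # no expires: keep as-is
            elif to_ms(stateful["left"]) >= min_left_ms:
                secs = to_ms(stateful["left"]) // 1000
                kept.append(f"{stateful['key']} timeout {secs}s")
            # else: about to expire anyway, so do not reload it
        if not kept:
            return ""                              # avoid an empty elements = { }
        return f"{match.group(1)} {', '.join(kept)} {match.group(3)}"
    return ELEMENTS.sub(fix_block, saved)


if __name__ == "__main__":
    print(strip_expires(SAVED), end="")
```

Elements whose remaining time is under min_left_ms are dropped rather than reloaded with a rounded-up lifetime.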