bugzilla-daemon at netfilter.org
2017-May-31 01:05 UTC
[Bug 1153] New: Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153

            Bug ID: 1153
           Summary: Sets with timeouts can be saved to a file but not reloaded
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: bugzilla at piven.net

I have a set defined as

    set ssh_attack_hosts {
        type ipv4_addr
        flags timeout
    }

and have an external program write entries into this set using something like

    nft add element firewall ssh_attack_hosts { 10.10.10.10 timeout 1d }

This works fine and if I "nft list set firewall ssh_attack_hosts>saved.set.file", I get a file containing something like

    table ip firewall {
        set ssh_attack_hosts {
            type ipv4_addr
            flags timeout
            elements = { 10.10.10.10 timeout 1d expires 23h54m29s}
        }
    }

However, if I try to read that set back into nftables (nft -f saved.set.file), nft complains about the existence of the "expires" information:

    saved.set.file:5:56-62: Error: syntax error, unexpected string, expecting comma or '}'
            elements = { 10.10.10.10 timeout 1d expires 23h54m29s}
                                                ^^^^^^^

(The ^^^ is under "expires" if the wrapping pixies are misbehaving.)

My expectation is that the expiration time should be read and saved in the set... is this a reasonable expectation?

(This is with nft 0.7.)

Thanks!
-- Don

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-Jun-01 09:41 UTC
[Bug 1153] Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |rvarsha016 at gmail.com

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Cc'ing Varsha (Outreachy intern), who will be taking care of fixing up this bug.

Rationale is, we have a nft '-s' option that means 'dump things in stateless' format. This option seems not to be working for the 'expires' thing in sets. If -s is requested, we should just not print this.
bugzilla-daemon at netfilter.org
2017-Jun-06 16:25 UTC
[Bug 1153] Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
I have pushed this into git.netfilter.org:

http://git.netfilter.org/nftables/commit/?id=37988cf255e51efba0d81dbc43eb4f0a41e99813

So basically, this allows you to save a ruleset via:

    # nft -s list ruleset > ruleset.nft

using the `-s' option, which dumps your ruleset with no stateful information, so that you can easily restore it.

Please, don't close this bug. I would like that we also support stateful restore at some point, so people can save some pending timers to reboot, then reload timers with their states (i.e. including expires).
bugzilla-daemon at netfilter.org
2017-Jun-11 01:20 UTC
[Bug 1153] Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153

--- Comment #3 from Don Piven <bugzilla at piven.net> ---
Finally had a chance to build the latest nftables with your patch -- the nft -s solution works fine for my use. Eventually I think nft -f should do something useful with all the info generated by nft list and thus have nft list be symmetric with nft -f, but being able to use nft -s to omit the stateful info still gets me what I need (reloading the IP addresses sans timeouts).

Thanks for the quick work!

Don
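Added example (not part of the bug thread and not nftables project code): a filter for an nft build that still rejects "expires", which rewrites a saved set either the way -s leaves it or with each element's remaining lifetime as its new timeout. The function names are hypothetical, and the element syntax is assumed to be exactly what the report shows.

```sh
#!/bin/sh
# Added example, not nftables project code. Rewrites "nft list set" output so
# an nft that rejects the "expires" keyword can load it with "nft -f".
DUR='[0-9][0-9a-z]*'   # durations as printed in the report: 1d, 23h54m29s

# rewrite_saved_set MODE  (hypothetical helper; reads stdin, writes stdout)
#   remaining: each element gets its remaining lifetime as its new timeout
#   stateless: "expires" is dropped and the original timeout is kept
rewrite_saved_set() {
    case $1 in
    remaining)
        sed -E -e "s/timeout ${DUR} expires (${DUR})/timeout \\1/g" \
               -e "s/ expires (${DUR})/ timeout \\1/g" ;;
    stateless)
        sed -E -e "s/ expires ${DUR}//g" ;;
    *)
        echo "usage: rewrite_saved_set remaining|stateless" >&2
        return 2 ;;
    esac
}

# Constructed sample: the first element is the one quoted in the report,
# the second (documentation address 192.0.2.7) is made up for illustration.
sample_saved_set() {
    cat <<'EOF'
table ip firewall {
    set ssh_attack_hosts {
        type ipv4_addr
        flags timeout
        elements = { 10.10.10.10 timeout 1d expires 23h54m29s,
                     192.0.2.7 timeout 1d expires 3h2m}
    }
}
EOF
}

# Print the reloadable form of the sample; on a real system the input
# would be the saved.set.file from the report.
sample_saved_set | rewrite_saved_set remaining
```

In "remaining" mode the lifetime is the one recorded when the file was saved, so a blocked address stays in the set longer than originally scheduled by however long the file sat on disk before being reloaded.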
bugzilla-daemon at netfilter.org
2020-Jan-29 00:01 UTC
[Bug 1153] Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Jul-30 19:56 UTC
[Bug 1153] Sets with timeouts can be saved to a file but not reloaded
https://bugzilla.netfilter.org/show_bug.cgi?id=1153

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Fix upstream:

commit 1fe6089ddd87ee7869d24c0f8849951220cc9b85
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Mar 11 13:00:01 2020 +0100

    src: support for restoring element counters

This allows to restore the set element expiration. No need to use the -s workaround anymore.

Closing, thanks for reporting.