Mike Dillinger <miked@xxxxxxxxxxxxxx> wrote:
> I've recently switched from iptables to nftables. I'm using netfilters v0.9.1 on Debian bullseye/sid (testing). I've come across an issue and would like to know if this is intentional or if it is a bug. I tried to set up a new account in Bugzilla, but the initial email has not come through after waiting for a few hours and I'm not hopeful it will arrive.
>
> I have a set called blacklist4 that has a timeout value. I have another script that monitors my syslog and other activity and will add IPs to blacklist4 if they meet certain undesirable criteria. That's all working great.
>
> Now comes a reboot or shutdown. I save the nftables ruleset to /etc/nftables.conf to maintain persistence. The blacklist4 values are saved and the expire statement is saved as well. When nftables starts at boot, it complains about the expire statement being present and will not load /etc/nftables.conf.
>
> Ex:
> table ip filter {
>         set blacklist4 {
>                 type ipv4_addr
>                 timeout 10d
>                 elements = { 1.1.1.1 expires 9d23h59m54s624ms, 2.2.2.2 expires 9d23h59m54s624ms,
> ...
>
> When I call `nft -f /etc/nftables.conf`, it errors out on the expires statement upon restoration.
>
> So I'm wondering if this is intended behavior or not. I'd ideally like to have my blacklist4 set persistent across boots and service restarts, but I can work some script magic to strip them out if this is intentional.

The ability to restore the expires value was added a few days after the 0.9.1 release. You can use nft -s (stateless) for the time being, or switch to the nftables master branch from git.netfilter.org.
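As an added illustration of the two workarounds mentioned in this exchange (not code from either poster), the snippet below dumps the ruleset without runtime state using nft's real `-s`/`--stateless` option, and, for a file that was already saved with per-element `expires` values, strips those tokens so the file loads on an nft 0.9.1 that only understands the set-level `timeout`. The sample ruleset is constructed from the quoted example; the function names and the regular expression are this example's own assumptions. Note that stripping `expires` means every restored element starts a fresh 10d timeout instead of keeping its remaining lifetime, which is the same trade-off `nft -s` makes.

```shell
#!/bin/sh
# Constructed sample, shaped like 'nft list ruleset' output on 0.9.1, with the
# per-element "expires <duration>" state that the 0.9.1 parser rejects on load.
SAMPLE_RULESET='table ip filter {
	set blacklist4 {
		type ipv4_addr
		timeout 10d
		elements = { 1.1.1.1 expires 9d23h59m54s624ms, 2.2.2.2 expires 9d23h59m54s624ms }
	}
}'

# Workaround 1 (the reply's suggestion): save the ruleset stateless, so neither
# counters nor per-element expiry are written. Requires a running nft; not
# exercised by the offline check below. Destination path is an assumption.
save_stateless() {
	nft -s list ruleset > "${1:-/etc/nftables.conf}"
}

# Workaround 2 (the "script magic" the question mentions): remove every
# " expires <duration>" token from an already-saved file. Durations are one or
# more <number><unit> groups, e.g. 9d23h59m54s624ms. The set-level "timeout 10d"
# line is left alone, so elements simply restart their full timeout on reload.
strip_expires() {
	sed -E 's/ expires ([0-9]+(ms|[dhms]))+//g'
}

# Helper for checking the result: number of lines still carrying "expires".
count_expires() {
	grep -c 'expires' || true
}

# Stand-alone usage: clean a saved file in place before 'nft -f' runs it.
#   strip_expires < /etc/nftables.conf > /etc/nftables.conf.clean
if [ "${1:-}" = "demo" ]; then
	printf '%s\n' "$SAMPLE_RULESET" | strip_expires
fi
```

Run it as `sh strip_expires.sh demo` to see the cleaned ruleset; for the boot-time problem above, either switch the save step to `save_stateless` or pass the saved file through `strip_expires` before `nft -f` reads it.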