On Mon, Mar 09, 2020 at 07:35:15PM -0400, Frank Myhr wrote:
> Hi,
>
> I've created a ruleset that contains several dynamic sets with counters that
> are incremented from the packet path using rules like:
> update @suspect { ip saddr counter }
>
> After a while in operation, "nft list ruleset" produces output like:
> table ip ip_filter {
>     set suspect {
>         type ipv4_addr
>         size 65535
>         flags dynamic,timeout
>         timeout 30d
>         gc-interval 1d
>         elements = { 1.2.3.4 expires 19d23h52m27s576ms counter packets 51 bytes 17265 }
>     }
>
> But "nft -f" then chokes when loading the saved ruleset, with
> "Error: syntax error, unexpected counter, expecting comma or '}'".
>
> For now I can use sed to blank the counter text before reloading the ruleset
> (as after reboot). That's a bit clunky, and obviously loses the counter
> values.
>
> I do want to keep the dynamically-added elements across reboot. Is there a
> better way to do so?

Not yet, this is incomplete. I have an unfinished patchset here in a branch.
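
Added example, not part of the original messages and not nftables project code: a shell filter in the spirit of the sed workaround described in the question, which strips counter state only inside "elements = { ... }" lists so that counters on ordinary rules are left intact. The function names, the second set element and the input chain in the sample are constructed for illustration, and the filter assumes the listing format shown in the post.

```shell
#!/bin/sh
# Added example: make a saved "nft list ruleset" dump loadable again by
# removing per-element counter state from set element lists.
# Hypothetical usage: nft list ruleset | strip_element_counters > saved.nft

strip_element_counters() {
    awk '
    {
        line = $0
        # An element list starts at "elements = {" and may span several lines.
        if (!in_elems && line ~ /elements = [{]/) in_elems = 1
        if (in_elems) {
            # Drop only the counter state; address and expiry are kept.
            gsub(/ counter packets [0-9]+ bytes [0-9]+/, "", line)
            # The list ends at the first closing brace.
            if (line ~ /[}]/) in_elems = 0
        }
        print line
    }'
}

# Constructed sample: the set from the post plus one more element and a
# rule whose counter must survive the filter unchanged.
sample_ruleset() {
    cat <<'EOF'
table ip ip_filter {
	set suspect {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 30d
		gc-interval 1d
		elements = { 1.2.3.4 expires 19d23h52m27s576ms counter packets 51 bytes 17265,
			     198.51.100.7 expires 29d1h counter packets 3 bytes 180 }
	}
	chain input {
		type filter hook input priority 0; policy accept;
		tcp dport 22 counter packets 7 bytes 420 accept
	}
}
EOF
}
```

As with the sed approach, the element counter values are lost; only the elements and their remaining timeouts are carried across the reload.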