Re: nftables Set Bug with interval & timeout Flags

Happy new year team!  I just wanted to ping status on this.  Thank you!

-MikeD

--------------------------------------------------------------------------------
*From:* Mike Dillinger [mailto:miked@xxxxxxxxxxxxxx]
*To:* netfilter@xxxxxxxxxxxxxxx
*Date:* Thursday, December 10, 2020, 9:35 AM PST
*Subject:* nftables Set Bug with interval & timeout Flags

Greetings netfilter team,

I believe I have stumbled on a bug with nftables named sets. I'm seeing that timeout values are lost for named set elements upon reboot or service restart, and they revert to the default timeout setting for the set. I only observe this behavior when the interval flag is present. I have been able to reproduce it reliably and I have included reproduction steps.

It is also worth noting that this is only an issue if the interval flag is present. For named sets without the interval flag, timeouts are preserved across reboots and service restarts as expected. However, I'm interested in using the interval flag to specify CIDRs and IP ranges.

Step 1: Create a set with interval and timeout flags, some other options as well
$ nft add set ip filter test2 {type ipv4_addr \; flags timeout,interval \; timeout 10m \; gc-interval 1m\; counter\;}
$ nft list set ip filter test2
table ip filter {
        set test2 {
                type ipv4_addr
                flags interval,timeout
                counter
                timeout 10m
                gc-interval 1m
        }
}

Step 2: Add a couple of elements to set; One will be a single IP and one will be a CIDR/range
$ nft add element ip filter test2 { 1.1.1.1 }
$ nft add element ip filter test2 { 8.8.8.0/24 }
$ nft list set ip filter test2
table ip filter {
        set test2 {
                type ipv4_addr
                flags interval,timeout
                counter
                timeout 10m
                gc-interval 1m
                elements = { 1.1.1.1 expires 9m45s348ms counter packets 0 bytes 0, 8.8.8.0/24 expires 9m55s816ms counter packets 0 bytes 0 }
        }
}

Step 3: Let's pause to allow the timers to decrement somewhat and then back up the nftables config so we can restore it
$ rm -f /etc/nftables.conf && nft list ruleset > /etc/nftables.conf
$ grep --after-context 7 test2 /etc/nftables.conf
        set test2 {
                type ipv4_addr
                flags interval,timeout
                counter
                timeout 10m
                gc-interval 1m
                elements = { 1.1.1.1 expires 6m4s752ms counter packets 0 bytes 0, 8.8.8.0/24 expires 6m15s220ms counter packets 0 bytes 0 }
        }

Step 4: Now restart nftables and observe the failure condition
$ systemctl restart nftables.service
$ nft list set ip filter test2
table ip filter {
        set test2 {
                type ipv4_addr
                flags interval,timeout
                counter
                timeout 10m
                gc-interval 1m
                elements = { 1.1.1.1 expires 9m48s864ms counter packets 0 bytes 0, 8.8.8.0/24 expires 9m48s864ms counter packets 0 bytes 0 }
        }
}

Note the timers reset when the service restarted even though they were saved to /etc/nftables.conf.  And again, this behavior is only present when the interval flag is set.  I have other sets of type ipv4_addr not using the interval flag and those timers are preserved on reset/reboot.

Hopefully I'm doing something wrong, but if not, please let me know your thoughts.  Here is some information regarding my setup (Debian testing):
$ uname -a
Linux rockenfield 5.9.0-4-amd64 #1 SMP Debian 5.9.11-1 (2020-11-27) x86_64 GNU/Linux
$ nft -V
nftables v0.9.7 (Anyface)
  cli:          readline
  json:         yes
  minigmp:      no
  libxtables:   yes

Thanks!
-MikeD
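The four-step reproduction in the report boils down to one invariant: while a ruleset stays loaded, an element's remaining lifetime can only shrink, so after a dump-and-restore the "expires" value of an element must never be larger than the value written to the dump. The script below is an added example, not part of Mike's report and not nftables project code. It parses two captures of `nft list set` output for a single set (here the saved /etc/nftables.conf fragment and the post-restart listing quoted above) and flags every element whose remaining time grew, i.e. whose saved timeout was discarded and replaced by the set default. The regular expressions and function names are my own; nft's duration syntax (d/h/m/s/ms concatenated) is the only format assumption.

```python
"""Detect nftables set elements whose timeout was reset across a restore.

Added example, not from the original report. Feed it the text of
`nft list set <family> <table> <set>` captured before a restart (or the
matching block of the dumped ruleset) and again after the restore.
"""
import re
from typing import Dict, List, Tuple

# nft prints durations such as 1d2h3m4s500ms; "ms" must be tried before "m"/"s".
_UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
_DURATION_RE = re.compile(r"(\d+)(ms|d|h|m|s)")
_ELEMENTS_RE = re.compile(r"elements\s*=\s*\{(.*?)\}", re.S)
_EXPIRES_RE = re.compile(r"(\S+)\s+expires\s+(\S+)")
# The set's own default timeout is a line of the form "timeout 10m".
_SET_TIMEOUT_RE = re.compile(r"^\s*timeout\s+(\S+)\s*$", re.M)

# Both captures are taken verbatim from the report above (steps 3 and 4).
SAVED_CONFIG = """
        set test2 {
                type ipv4_addr
                flags interval,timeout
                counter
                timeout 10m
                gc-interval 1m
                elements = { 1.1.1.1 expires 6m4s752ms counter packets 0 bytes 0, 8.8.8.0/24 expires 6m15s220ms counter packets 0 bytes 0 }
        }
"""

AFTER_RESTART = """
table ip filter {
        set test2 {
                type ipv4_addr
                flags interval,timeout
                counter
                timeout 10m
                gc-interval 1m
                elements = { 1.1.1.1 expires 9m48s864ms counter packets 0 bytes 0, 8.8.8.0/24 expires 9m48s864ms counter packets 0 bytes 0 }
        }
}
"""


def parse_duration(text: str) -> int:
    """Convert an nft duration string ("9m45s348ms") to integer milliseconds."""
    pos = 0
    total = 0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:  # reject junk between components
            raise ValueError(f"unparsable duration: {text!r}")
        total += int(m.group(1)) * _UNIT_MS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"unparsable duration: {text!r}")
    return total


def parse_set_timeout(listing: str) -> int:
    """Return the set's default timeout in ms from a single-set listing."""
    m = _SET_TIMEOUT_RE.search(listing)
    if not m:
        raise ValueError("set has no default timeout")
    return parse_duration(m.group(1))


def parse_element_expiry(listing: str) -> Dict[str, int]:
    """Map each element (address, prefix or range) to its remaining ms."""
    m = _ELEMENTS_RE.search(listing)
    if not m:
        return {}
    return {elem: parse_duration(exp) for elem, exp in _EXPIRES_RE.findall(m.group(1))}


def find_reset_elements(before: str, after: str) -> List[Tuple[str, int, int]]:
    """Return (element, remaining_before_ms, remaining_after_ms) for every
    element whose lifetime grew. Time only moves forward, so growth means
    the saved value was dropped and the element got a fresh timeout."""
    pre = parse_element_expiry(before)
    post = parse_element_expiry(after)
    reset = []
    for elem, remaining_before in pre.items():
        remaining_after = post.get(elem)
        if remaining_after is not None and remaining_after > remaining_before:
            reset.append((elem, remaining_before, remaining_after))
    return reset


if __name__ == "__main__":
    default = parse_set_timeout(AFTER_RESTART)
    for elem, before_ms, after_ms in find_reset_elements(SAVED_CONFIG, AFTER_RESTART):
        print(f"{elem}: saved {before_ms} ms remaining, now {after_ms} ms "
              f"(set default {default} ms) -> timeout was reset")
```

Run against the two captures from the report, both 1.1.1.1 and 8.8.8.0/24 are flagged, with the post-restart value sitting just under the 10m set default. The check is worth keeping in a reload pipeline because a reset timeout is a policy change, not a cosmetic one: a blocklist entry that should have expired in a few minutes lives on for the full default, and an allowlist or session-tracking entry that was about to drop off regains its whole lifetime.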




