parser: allow to load stateful ct connlimit elements in sets

This patch fixes a syntax error after loading a nft
dump with a set including stateful ct connlimit elements.

Having a nft dump as per below:

table ip nftlb {
	set connlimit-set {
		type ipv4_addr
		size 65535
		flags dynamic
		elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 ,
		             173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20  }
	}
}

The syntax error is shown when loading the ruleset.

root# nft -f connlimit.nft
connlimit.nft:15997:31-32: Error: syntax error, unexpected ct, expecting comma or '}'
		elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 ,
		                            ^^
connlimit.nft:16000:9-22: Error: syntax error, unexpected string
			     173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20  }
			     ^^^^^^^^^^^^^^

After applying this patch a kernel panic is raised running
nft_rhash_gc() although no packet reaches the set.

The following patch [0] should be used as well:

4d8f9065830e5 ("netfilter: nftables: clone set element expression template")

Note that the kernel patch will produce the emptying of the
connection tracking, so the restore of the conntrack states
should be considered.

[0]: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=4d8f9065830e526c83199186c5f56a6514f457d2

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 14 insertions, 0 deletions

diff --git a/tests/shell/testcases/sets/0062set_connlimit_0 b/tests/shell/testcases/sets/0062set_connlimit_0
new file mode 100755
index 00000000..4f95f383
--- /dev/null
+++ b/tests/shell/testcases/sets/0062set_connlimit_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	set est-connlimit {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		elements = { 84.245.120.167 ct count over 20 }
+	}
+}"
+
+$NFT -f - <<< $RULESET