* nftables: Strange Error When Adding Element to Named Set
@ 2020-05-08 14:06 Mike Dillinger
  2020-05-08 16:01 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 16+ messages in thread
From: Mike Dillinger @ 2020-05-08 14:06 UTC (permalink / raw)
  To: netfilter

Hello,

This has been a problem since my kernel was upgraded to 5.6. Everything was fine prior to that where I was running the 5.5 kernel.

I'm running Debian testing and here is some information regarding my system:
$ uname -a
Linux rockenfield 5.6.0-1-amd64 #1 SMP Debian 5.6.7-1 (2020-04-29) x86_64 GNU/Linux
$ nft -v
nftables v0.9.4 (Jive at Five)

I have a script that blocks IP's by adding them to a named set, and the named set has a 12 hour expiration.  After about a day of uptime, I start getting the following error.  I'm obfuscating the IP address with "a.b.c.d".

$ nft add element ip filter blacklist4-ip-12h { a.b.c.d }
Error: Could not process rule: File exists
add element ip filter blacklist4-ip-12h { a.b.c.d }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I can check the named set and no such IP address exists, and double checked using grep.  Here's the kicker: if I reboot, it works fine. The blacklist4-ip-12h set has 191 IP's so it shouldn't be a matter of too many IP's.  I've had up to 300 in the set before with no problems.  If I had too many IP's, I'd expect the same behavior after a reboot which is not the case.  It's not an issue with any particular IP address; rather it disallows anything being added to the named set entirely.  Here are the properties of the set in case something is wrong there:

     set blacklist4-ip-12h {
         type ipv4_addr
         flags interval,timeout
         timeout 12h
         gc-interval 1m
     }

If the set properties look OK, then I'm fairly confident this is a bug.  I wanted to know if it's a kernel issue or an nftables issue, and also where to go to file a bug, and I can take it from there. I'm not sure when nftables was upgraded if we're suspecting nftables.  I'd need to do some digging.

Any help is greatly appreciated.  Having to reboot daily to work around this issue is not desirable.

Thank you!
-MikeD


^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: nftables: Strange Error When Adding Element to Named Set
  2020-05-08 14:06 nftables: Strange Error When Adding Element to Named Set Mike Dillinger
@ 2020-05-08 16:01 ` Pablo Neira Ayuso
  2020-05-08 17:13   ` Mike Dillinger
  2020-05-31 17:18   ` Mike Dillinger
  0 siblings, 2 replies; 16+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-08 16:01 UTC (permalink / raw)
  To: Mike Dillinger; +Cc: netfilter

On Fri, May 08, 2020 at 07:06:56AM -0700, Mike Dillinger wrote:
> Hello,
> 
> This has been a problem since my kernel was upgraded to 5.6. Everything was fine prior to that where I was running the 5.5 kernel.
> 
> I'm running Debian testing and here is some information regarding my system:
> $ uname -a
> Linux rockenfield 5.6.0-1-amd64 #1 SMP Debian 5.6.7-1 (2020-04-29) x86_64 GNU/Linux
> $ nft -v
> nftables v0.9.4 (Jive at Five)
> 
> I have a script that blocks IP's by adding them to a named set, and the named set has a 12 hour expiration.  After about a day of uptime, I start getting the following error.  I'm obfuscating the IP address with "a.b.c.d".
> 
> $ nft add element ip filter blacklist4-ip-12h { a.b.c.d }
> Error: Could not process rule: File exists
> add element ip filter blacklist4-ip-12h { a.b.c.d }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> I can check the named set and no such IP address exists, and double checked using grep.  Here's the kicker: if I reboot, it works fine. The blacklist4-ip-12h set has 191 IP's so it shouldn't be a matter of too many IP's.  I've had up to 300 in the set before with no problems.  If I had too many IP's, I'd expect the same behavior after a reboot which is not the case.  It's not an issue with any particular IP address; rather it disallows anything being added to the named set entirely.  Here are the properties of the set in case something is wrong there:
> 
>     set blacklist4-ip-12h {
>         type ipv4_addr
>         flags interval,timeout
>         timeout 12h
>         gc-interval 1m
>     }
> 
> If the set properties look OK, then I'm fairly confident this is a bug.  I wanted to know if it's a kernel issue or an nftables issue, and also where to go to file a bug, and I can take it from there. I'm not sure when nftables was upgraded if we're suspecting nftables.  I'd need to do some digging.
> 
> Any help is greatly appreciated.  Having to reboot daily to work around this issue is not desirable.

Please, make sure your Linux kernel version is >= 5.6.7 or manually
cherry-pick this fix which was included starting that version.
Versions from 5.6.0 to 5.6.6 include this problem you describe.

See https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7

Author: Stefano Brivio <sbrivio@redhat.com>
Date:   Wed Apr 1 17:14:38 2020 +0200

    netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion
    
    commit 72239f2795fab9a58633bd0399698ff7581534a3 upstream.




* Re: nftables: Strange Error When Adding Element to Named Set
  2020-05-08 16:01 ` Pablo Neira Ayuso
@ 2020-05-08 17:13   ` Mike Dillinger
  2020-05-31 17:18   ` Mike Dillinger
  1 sibling, 0 replies; 16+ messages in thread
From: Mike Dillinger @ 2020-05-08 17:13 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

> Please, make sure your Linux kernel version is >= 5.6.7 or manually
> cherry-pick this fix which was included starting that version.
> Versions from 5.6.0 to 5.6.6 include this problem you describe.
>
> See https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7
>
> Author: Stefano Brivio <sbrivio@redhat.com>
> Date:   Wed Apr 1 17:14:38 2020 +0200
>
>      netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion
>      
>      commit 72239f2795fab9a58633bd0399698ff7581534a3 upstream.
>
Thank you very much!
-MikeD



* Re: nftables: Strange Error When Adding Element to Named Set
  2020-05-08 16:01 ` Pablo Neira Ayuso
  2020-05-08 17:13   ` Mike Dillinger
@ 2020-05-31 17:18   ` Mike Dillinger
  2020-06-01 12:41     ` Pablo Neira Ayuso
  1 sibling, 1 reply; 16+ messages in thread
From: Mike Dillinger @ 2020-05-31 17:18 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

> *From:* Pablo Neira Ayuso [mailto:pablo@netfilter.org]
> *To:* Mike Dillinger <miked@softtalker.com>
> *Cc:* netfilter@vger.kernel.org
> *Date:* Friday, May 8, 2020, 9:01 AM PDT
> *Subject:* nftables: Strange Error When Adding Element to Named Set
>
> Please, make sure your Linux kernel version is >= 5.6.7 or manually
> cherry-pick this fix which was included starting that version.
> Versions from 5.6.0 to 5.6.6 include this problem you describe.
>
> See https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7
>
> Author: Stefano Brivio <sbrivio@redhat.com>
> Date:   Wed Apr 1 17:14:38 2020 +0200
>
>      netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion
>      
>      commit 72239f2795fab9a58633bd0399698ff7581534a3 upstream.

If I am reading the output of uname correctly, I am using 5.6.14 which should qualify:
$ uname -a
Linux rockenfield 5.6.0-2-amd64 #1 SMP Debian 5.6.14-1 (2020-05-23) x86_64 GNU/Linux

...yet, the problem still persists:
$ nft add element ip filter blacklist4-ip-12h { a.b.c.d }
Error: Could not process rule: File exists
add element ip filter blacklist4-ip-12h { a.b.c.d }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To confirm, everything works fine with 5.5.x kernels.  Please advise next steps with respect to 5.6.7+ kernels.

Thanks,
-MikeD


* Re: nftables: Strange Error When Adding Element to Named Set
  2020-05-31 17:18   ` Mike Dillinger
@ 2020-06-01 12:41     ` Pablo Neira Ayuso
  2020-06-01 14:58       ` Mike Dillinger
  0 siblings, 1 reply; 16+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-01 12:41 UTC (permalink / raw)
  To: Mike Dillinger; +Cc: netfilter, sbrivio

Hi,

On Sun, May 31, 2020 at 10:18:29AM -0700, Mike Dillinger wrote:
> > *From:* Pablo Neira Ayuso [mailto:pablo@netfilter.org]
> > *To:* Mike Dillinger <miked@softtalker.com>
> > *Cc:* netfilter@vger.kernel.org
> > *Date:* Friday, May 8, 2020, 9:01 AM PDT
> > *Subject:* nftables: Strange Error When Adding Element to Named Set
> > 
> > Please, make sure your Linux kernel version is >= 5.6.7 or manually
> > cherry-pick this fix which was included starting that version.
> > Versions from 5.6.0 to 5.6.6 include this problem you describe.
> > 
> > See https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7
> > 
> > Author: Stefano Brivio <sbrivio@redhat.com>
> > Date:   Wed Apr 1 17:14:38 2020 +0200
> > 
> >      netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion
> >      commit 72239f2795fab9a58633bd0399698ff7581534a3 upstream.
> 
> If I am reading the output of uname correctly, I am using 5.6.14 which should qualify:
> $ uname -a
> Linux rockenfield 5.6.0-2-amd64 #1 SMP Debian 5.6.14-1 (2020-05-23) x86_64 GNU/Linux

That kernel already contains that fix, so there might be another bug.

> ...yet, the problem still persists:
> $ nft add element ip filter blacklist4-ip-12h { a.b.c.d }
> Error: Could not process rule: File exists
> add element ip filter blacklist4-ip-12h { a.b.c.d }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> To confirm, everything works fine with 5.5.x kernels.  Please advise
> next steps with respect to 5.6.7+ kernels.

Do you have a simple reproducer? That would help us.

This is a set with the interval flag set on, correct?


* Re: nftables: Strange Error When Adding Element to Named Set
  2020-06-01 12:41     ` Pablo Neira Ayuso
@ 2020-06-01 14:58       ` Mike Dillinger
  2020-06-01 15:48         ` Stefano Brivio
  2020-06-01 16:07         ` Mike Dillinger
  0 siblings, 2 replies; 16+ messages in thread
From: Mike Dillinger @ 2020-06-01 14:58 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter, sbrivio

> *From:* Pablo Neira Ayuso [mailto:pablo@netfilter.org]
> *To:* Mike Dillinger <miked@softtalker.com>
> *Cc:* netfilter@vger.kernel.org, sbrivio@redhat.com
> *Date:* Monday, June 1, 2020, 5:41 AM PDT
> *Subject:* nftables: Strange Error When Adding Element to Named Set
> Do you have a simple reproducer? That would help us.
>
> This is a set with the interval flag set on, correct?

Hi Pablo,

Yes, that is correct (interval flag is used/enabled).  Here is my set definition:
     set blacklist4-ip-12h {
         type ipv4_addr
         flags interval,timeout
         timeout 12h
         gc-interval 1m
     }

As for a reproducer, it is simple but it takes about 12 hours of uptime for the issue to surface.  My script parses syslog for questionable IP activity and puts IP's into this set if they meet certain criteria, and on average I'd say one or two per hour get added to the set.  Let me do some experiments and get back to you. I will roll the kernel forward to the problematic version and report back later or tomorrow.  In the meantime, please let me know if you have any suggestions on how to accelerate the issue.

Hmmm... actually now that I think about this some more, the set expires entries at the 12 hour interval.  Could this possibly be related to the first few IP expiration(s)?  I will go with that theory and try to reproduce with a set timeout of 1m or 5m, and report back.

Thanks!
-MikeD


* Re: nftables: Strange Error When Adding Element to Named Set
  2020-06-01 14:58       ` Mike Dillinger
@ 2020-06-01 15:48         ` Stefano Brivio
  2020-06-01 16:13           ` Mike Dillinger
  2020-06-01 16:07         ` Mike Dillinger
  1 sibling, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2020-06-01 15:48 UTC (permalink / raw)
  To: Mike Dillinger; +Cc: Pablo Neira Ayuso, netfilter

Mike,

On Mon, 1 Jun 2020 07:58:49 -0700
Mike Dillinger <miked@softtalker.com> wrote:

> > *From:* Pablo Neira Ayuso [mailto:pablo@netfilter.org]
> > *To:* Mike Dillinger <miked@softtalker.com>
> > *Cc:* netfilter@vger.kernel.org, sbrivio@redhat.com
> > *Date:* Monday, June 1, 2020, 5:41 AM PDT
> > *Subject:* nftables: Strange Error When Adding Element to Named Set
> > Do you have a simple reproducer? That would help us.
> >
> > This is a set with the interval flag set on, correct?  
> 
> Hi Pablo,
> 
> Yes, that is correct (interval flag is used/enabled).  Here is my
> set definition:
>      set blacklist4-ip-1m {
>          type ipv4_addr
>          flags interval,timeout
>          timeout 12h
>          gc-interval 1m
>      }
> 
> As for a reproducer, it is simple but it takes about 12 hours of
> uptime for the issue to surface.  My script parses syslog for
> questionable IP activity and puts IP's into this set if they meet
> certain criteria, and on average I'd say one or two per hour get
> added to the set.  Let me do some experiments and get back to you. I
> will roll the kernel forward to the problematic version and report
> back later or tomorrow.  In the meantime, please let me know if you
> have any suggestions on how to accelerate the issue.
> 
> Hmmm... actually now that I think about this some more, the set
> expires entries at the 12 hour interval.  Could this possibly be
> related to the first few IP expiration(s)?  I will go with that
> theory and try to reproduce with a set timeout of 1m or 5m, and
> report back.

Yes, that might help. By the way, your kernel (based on 5.6.8 upstream,
not 5.6.14 -- that's the Debian package version) also contains:

commit 340eaff651160234bdbce07ef34b92a8e45cd540
Author: Phil Sutter <phil@nwl.cc>
Date:   Mon May 11 15:31:41 2020 +0200

    netfilter: nft_set_rbtree: Add missing expired checks

so any issue in that sense should be fixed. See the changelog at:
	https://metadata.ftp-master.debian.org/changelogs//main/l/linux/linux_5.6.14-1_changelog

Anyway, my further question is whether at the moment of the insertion
there's an overlapping address already in the set, or the inserted
address is included in an interval also already present in the set.
What is "a.b.c.d" in your earlier report? Is it a single address or an
interval?

Once the failure is detected, would it be possible to automatically dump
the ruleset (nft list ruleset)?

-- 
Stefano



* Re: nftables: Strange Error When Adding Element to Named Set
  2020-06-01 14:58       ` Mike Dillinger
  2020-06-01 15:48         ` Stefano Brivio
@ 2020-06-01 16:07         ` Mike Dillinger
  2020-06-02 13:28           ` Mike Dillinger
  1 sibling, 1 reply; 16+ messages in thread
From: Mike Dillinger @ 2020-06-01 16:07 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter, sbrivio

Yes, I have found a way to reproduce it.

Add the set:
nft add set ip filter blacklist4-ip-1m {type ipv4_addr\; flags interval,timeout \; timeout 1m \; gc-interval 1m\;}

We're not concerned about the IP's that are added to the set because there are no rules covering what to do with the set contents.

I wrote a bash script called nftables-bug-repro:
#!/bin/bash
# List the set before inserting anything
nft list set ip filter blacklist4-ip-1m
# Insert ten distinct single addresses, one second apart
for ((i=1;i<=10;i++)); do
     nft add element filter blacklist4-ip-1m {$i.$i.$i.$i}
     sleep 1
done
# List the set again to see what was actually stored
nft list set ip filter blacklist4-ip-1m

This script actually shows some other odd behavior.  In addition to the inaccurate information of IP's already being in the list, the kernel seems to create its own interval/ranges.  Running the script every minute creates a different set of errors too.  This definitely seems related to the timeout setting; my other sets are working fine since reboot but I expect that to change later after IP's have expired.  Below is a sample output run:

$ nftables-bug-repro
table ip filter {
         set blacklist4-ip-1m {
                 type ipv4_addr
                 flags interval,timeout
                 timeout 1m
                 gc-interval 1m
         }
}
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {1.1.1.1}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {2.2.2.2}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {4.4.4.4}
                                      ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {4.4.4.4}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {5.5.5.5}
                                      ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {5.5.5.5}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {6.6.6.6}
                                      ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {6.6.6.6}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {7.7.7.7}
                                      ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {7.7.7.7}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {8.8.8.8}
                                      ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {8.8.8.8}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {9.9.9.9}
                                      ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {9.9.9.9}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {10.10.10.10}
                                      ^^^^^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {10.10.10.10}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
table ip filter {
         set blacklist4-ip-1m {
                 type ipv4_addr
                 flags interval,timeout
                 timeout 1m
                 gc-interval 1m
                 elements = { 3.3.3.3-255.255.255.255 }
         }
}

Notice the bizarre range declaration, as well as 1.1.1.1 and 2.2.2.2 missing even though the kernel claimed they were already present.

Here are my kernel and nftables versions:
$ uname -a
Linux rockenfield 5.6.0-2-amd64 #1 SMP Debian 5.6.14-1 (2020-05-23) x86_64 GNU/Linux
$ nft -v
nftables v0.9.4 (Jive at Five)

Thanks!
-MikeD

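The check Stefano asks for above (is the address being inserted already covered by an interval in the set?) together with the automatic `nft list ruleset` capture on failure, written here as an added example; it is not code from the thread or from the netfilter project. It also speaks to Mike's reproducer, where a grep for the literal address finds nothing yet a 3.3.3.3-255.255.255.255 interval turns up in the dump: a range or prefix can cover an address that never appears in the listing text. The listing, the element values and the `simulated_runner` stand-in are constructed for offline use, and `parse_elements`, `covering_elements` and `add_with_diagnostics` are names chosen for this example.

```python
"""Diagnose a refused `nft add element` on an interval+timeout set."""
import ipaddress
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# Constructed `nft list set` output modelled on the thread's reproducer: table,
# set name and flags are the thread's, the three elements are made up here.
SAMPLE_LISTING = """\
table ip filter {
        set blacklist4-ip-1m {
                type ipv4_addr
                flags interval,timeout
                timeout 1m
                gc-interval 1m
                elements = { 1.1.1.1 timeout 1m expires 40s,
                             3.3.3.3-3.3.3.10 timeout 1m expires 55s,
                             10.0.0.0/8 timeout 1m expires 12s }
        }
}
"""


def parse_elements(listing: str) -> List[Tuple[int, int, str]]:
    """Return (first, last, text) per element: single address, a-b range or
    CIDR prefix, each possibly followed by timeout/expires annotations."""
    match = re.search(r"elements\s*=\s*\{(.*?)\}", listing, re.S)
    if not match:
        return []  # nft omits the elements line entirely for an empty set
    intervals = []
    for item in match.group(1).split(","):
        if not item.strip():
            continue
        text = item.split()[0]  # drop the per-element annotations
        if "-" in text:
            lo, hi = (ipaddress.ip_address(p) for p in text.split("-", 1))
        elif "/" in text:
            net = ipaddress.ip_network(text, strict=False)
            lo, hi = net.network_address, net.broadcast_address
        else:
            lo = hi = ipaddress.ip_address(text)
        intervals.append((int(lo), int(hi), text))
    return intervals


def covering_elements(listing: str, addr: str) -> List[str]:
    """Elements that already contain `addr`, in listing order. A grep for the
    literal address cannot do this: 3.3.3.7 is absent from the dump text above
    but the 3.3.3.3-3.3.3.10 range covers it, which is what nft's own
    "interval overlaps with an existing one" check reacts to."""
    value = int(ipaddress.ip_address(addr))
    return [text for lo, hi, text in parse_elements(listing) if lo <= value <= hi]


def run_nft(argv: List[str]) -> subprocess.CompletedProcess:
    """Default runner: execute nft for real (needs root and the nft binary)."""
    return subprocess.run(argv, capture_output=True, text=True)


def add_with_diagnostics(table: str, set_name: str, addr: str,
                         run: Callable = run_nft) -> Dict[str, object]:
    """Insert `addr` into an ip-family set and keep evidence if it is refused.
    status: "covered" (an element contains addr, so refusing it is legitimate),
    "added", or "refused" (the kernel said no although nothing covers addr,
    the thread's symptom). For "refused" the ruleset dump Stefano asked for is
    captured at the moment of failure."""
    listing = run(["nft", "list", "set", "ip", table, set_name]).stdout
    covered_by = covering_elements(listing, addr)
    if covered_by:
        return {"status": "covered", "covered_by": covered_by, "error": "", "ruleset": ""}
    result = run(["nft", "add", "element", "ip", table, set_name, f"{{ {addr} }}"])
    if result.returncode == 0:
        return {"status": "added", "covered_by": [], "error": "", "ruleset": ""}
    return {"status": "refused", "covered_by": [], "error": result.stderr.strip(),
            "ruleset": run(["nft", "list", "ruleset"]).stdout}


def simulated_runner(argv: List[str]) -> subprocess.CompletedProcess:
    """Constructed stand-in for nft so the example runs offline: list commands
    return SAMPLE_LISTING and 2.2.2.2 is refused with the thread's error text."""
    if argv[1] == "list":
        return subprocess.CompletedProcess(argv, 0, SAMPLE_LISTING, "")
    if argv[-1] == "{ 2.2.2.2 }":
        return subprocess.CompletedProcess(
            argv, 1, "", "Error: Could not process rule: File exists\n")
    return subprocess.CompletedProcess(argv, 0, "", "")


if __name__ == "__main__":
    for candidate in ("3.3.3.7", "2.2.2.2", "5.5.5.5"):
        outcome = add_with_diagnostics("filter", "blacklist4-ip-1m", candidate,
                                       run=simulated_runner)
        print(candidate, outcome["status"], outcome["covered_by"] or outcome["error"])
```

Dropping the `run=` argument makes the same logic drive the real nft binary, so a blocking script can log the ruleset at the moment of the first spurious "File exists" instead of after a reboot.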

* Re: nftables: Strange Error When Adding Element to Named Set
  2020-06-01 15:48         ` Stefano Brivio
@ 2020-06-01 16:13           ` Mike Dillinger
  0 siblings, 0 replies; 16+ messages in thread
From: Mike Dillinger @ 2020-06-01 16:13 UTC (permalink / raw)
  To: Stefano Brivio; +Cc: Pablo Neira Ayuso, netfilter

> *From:* Stefano Brivio [mailto:sbrivio@redhat.com]
> *To:* Mike Dillinger <miked@softtalker.com>
> *Cc:* Pablo Neira Ayuso <pablo@netfilter.org>, netfilter@vger.kernel.org
> *Date:* Monday, June 1, 2020, 8:48 AM PDT
> *Subject:* nftables: Strange Error When Adding Element to Named Set
>
> Yes, that might help. By the way, your kernel (based on 5.6.8 upstream,
> not 5.6.14 -- that's the Debian package version) also contains:
>
> commit 340eaff651160234bdbce07ef34b92a8e45cd540
> Author: Phil Sutter <phil@nwl.cc>
> Date:   Mon May 11 15:31:41 2020 +0200
>
>      netfilter: nft_set_rbtree: Add missing expired checks
>
> so any issue in that sense should be fixed. See the changelog at:
> 	https://metadata.ftp-master.debian.org/changelogs//main/l/linux/linux_5.6.14-1_changelog
>
> Anyway, my further question is whether at the moment of the insertion
> there's an overlapping address already in the set, or the inserted
> address is included in an interval also already present in the set.
> What is "a.b.c.d" in your earlier report? Is it a single address or an
> interval?
>
> Once the failure is detected, would it be possible to automatically dump
> the ruleset (nft list ruleset)?
>
Hi Stefano,

I just saw this message after I sent out my detailed repro scenario.  Please let me know if I did something wrong and/or you would like me to dump the entire ruleset, or anything else for that matter.  I am hoping the repro scenario covers everything.

I can answer one of your questions.  At the moment of insertion, there are no overlapping ranges in my set.  I originally thought I wanted to declare CIDR's/ranges but never ended up doing that, but the table was originally created using intervals.  I've always used individual IP addresses.

"a.b.c.d" is an IP address in all of my correspondence, not a CIDR nor a range.

Thanks!
-MikeD


* Re: nftables: Strange Error When Adding Element to Named Set
  2020-06-01 16:07         ` Mike Dillinger
@ 2020-06-02 13:28           ` Mike Dillinger
  2020-06-02 14:25             ` Stefano Brivio
  0 siblings, 1 reply; 16+ messages in thread
From: Mike Dillinger @ 2020-06-02 13:28 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter, sbrivio

> *From:* Mike Dillinger [mailto:miked@softtalker.com]
> *To:* Pablo Neira Ayuso <pablo@netfilter.org>
> *Cc:* netfilter@vger.kernel.org, sbrivio@redhat.com
> *Date:* Monday, June 1, 2020, 9:07 AM PDT
> *Subject:* nftables: Strange Error When Adding Element to Named Set
>
> Yes, I have found a way to reproduce it.
>
> Add the set:
> nft add set ip filter blacklist4-ip-1m {type ipv4_addr\; flags interval,timeout \; timeout 1m \; gc-interval 1m\;}
>
> We're not concerned about the IP's that are added to the set because there are no rules covering what to do with the set contents.
>
> I wrote a bash script called nftables-bug-repro:
> #!/bin/bash
> nft list set ip filter blacklist4-ip-1m
> for ((i=1;i<=10;i++)); do
>     nft add element filter blacklist4-ip-1m {$i.$i.$i.$i}
>     sleep 1
> done
> nft list set ip filter blacklist4-ip-1m

Hi Pablo, Stefano, et al,

I wanted to check and see if anyone was able to reproduce the issue.  If not, I'd like to figure out what's unique about my setup so I can resolve the issue on my end.

Thanks!
-MikeD


* Re: nftables: Strange Error When Adding Element to Named Set
  2020-06-02 13:28           ` Mike Dillinger
@ 2020-06-02 14:25             ` Stefano Brivio
  2020-06-02 16:38               ` Stefano Brivio
  0 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2020-06-02 14:25 UTC (permalink / raw)
  To: Mike Dillinger; +Cc: Pablo Neira Ayuso, netfilter

Hi Mike,

On Tue, 2 Jun 2020 06:28:31 -0700
Mike Dillinger <miked@softtalker.com> wrote:

> > *From:* Mike Dillinger [mailto:miked@softtalker.com]
> > *To:* Pablo Neira Ayuso <pablo@netfilter.org>
> > *Cc:* netfilter@vger.kernel.org, sbrivio@redhat.com
> > *Date:* Monday, June 1, 2020, 9:07 AM PDT
> > *Subject:* nftables: Strange Error When Adding Element to Named Set
> >
> > Yes, I have found a way to reproduce it.
> >
> > Add the set:
> > nft add set ip filter blacklist4-ip-1m {type ipv4_addr\; flags
> > interval,timeout \; timeout 1m \; gc-interval 1m\;}
> >
> > We're not concerned about the IP's that are added to the set
> > because there are no rules covering what to do with the set
> > contents.
> >
> > I wrote a bash script called nftables-bug-repro:
> > #!/bin/bash
> > nft list set ip filter blacklist4-ip-1m
> > for ((i=1;i<=10;i++)); do
> >     nft add element filter blacklist4-ip-1m {$i.$i.$i.$i}
> >     sleep 1
> > done
> > nft list set ip filter blacklist4-ip-1m  
> 
> Hi Pablo, Stefan, et al,
> 
> I wanted to check and see if anyone was able to reproduce the issue.
> If not, I'd like to figure out what's unique about my setup so I can
> resolve the issue on my end.

I haven't tried yet. I plan to check later today, I'll let you know. I
don't think there's anything unique about your setup.

-- 
Stefano



* Re: nftables: Strange Error When Adding Element to Named Set
  2020-06-02 14:25             ` Stefano Brivio
@ 2020-06-02 16:38               ` Stefano Brivio
  2020-06-02 19:58                 ` Mike Dillinger
  0 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2020-06-02 16:38 UTC (permalink / raw)
  To: Mike Dillinger; +Cc: Pablo Neira Ayuso, netfilter

On Tue, 2 Jun 2020 16:25:36 +0200
Stefano Brivio <sbrivio@redhat.com> wrote:

> On Tue, 2 Jun 2020 06:28:31 -0700
> Mike Dillinger <miked@softtalker.com> wrote:
>
> > I wanted to check and see if anyone was able to reproduce the issue.
> > If not, I'd like to figure out what's unique about my setup so I can
> > resolve the issue on my end.
> 
> I haven't tried yet. I plan to check later today, I'll let you know. I
> don't think there's anything unique about your setup.

Mike, yes, I'm seeing a number of issues with your reproducer,
debugging that now.

The only kind of unique thing about your setup is that you declare a
set with intervals but (I guess) you never add intervals to it. That
should work in any case, but as quick workaround, you could omit the
'interval' flag in the set declaration -- assuming you're always
inserting single elements.

-- 
Stefano



* Re: nftables: Strange Error When Adding Element to Named Set
  2020-06-02 16:38               ` Stefano Brivio
@ 2020-06-02 19:58                 ` Mike Dillinger
  2020-06-06 13:10                   ` meta day not working pauloric
  0 siblings, 1 reply; 16+ messages in thread
From: Mike Dillinger @ 2020-06-02 19:58 UTC (permalink / raw)
  To: Stefano Brivio; +Cc: Pablo Neira Ayuso, netfilter

> On Tue, 2 Jun 2020 16:25:36 +0200
> Stefano Brivio <sbrivio@redhat.com> wrote:
>
> Mike, yes, I'm seeing a number of issues with your reproducer,
> debugging that now.
>
> The only kind of unique thing about your setup is that you declare a
> set with intervals but (I guess) you never add intervals to it. That
> should work in any case, but as quick workaround, you could omit the
> 'interval' flag in the set declaration -- assuming you're always
> inserting single elements.
Hi Stefano,

I was considering that myself.  As of now, I only declare single elements, and no CIDR's nor ranges.  I will look into changing that since the Debian testing kernel availability won't be as timely as I'd like for this particular change.

Thanks for looking into this and confirming.

-MikeD


* meta day not working
  2020-06-02 19:58                 ` Mike Dillinger
@ 2020-06-06 13:10                   ` pauloric
  2020-06-06 14:37                     ` Florian Westphal
  0 siblings, 1 reply; 16+ messages in thread
From: pauloric @ 2020-06-06 13:10 UTC (permalink / raw)
  To: netfilter

Hi all

Hope that everyone is working safely at home.

I have been trying to use meta day, but it is not working. I think I could not find the correct syntax, but at least I tried many attempts.

Ubuntu server 20.04
kernel 5.6.0-1010-oem and 5.4.0-33-generic
nftables 0.9.3-2 amd64  
libnftnl11 1.1.5-1
libnftables1 0.9.3-2
libnfnetlink0 1.0.1-3build1


Not working:

only meta day
/etc/nftables.d/gerais:17:168-176: Error: Could not parse Day of week of packet reception

add rule inet filter INPUT ip saddr 192.168.0.0/16 meta iifname "wan1" ip protocol tcp tcp dport {53,88,123,135,139,389,445,464,636,3268,3269,5353,1024-5000} meta day "(1,3,5)" counter accept comment "ttttttt"


meta day and meta hour
/etc/nftables.d/gerais:2:189-193: Error: Could not parse Day of week of packet reception
add rule inet filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.10.1 meta iifname "lan" ip protocol tcp tcp dport {53,88,123,135,139,389,445,464,636,3268,3269,5353,1024-5000} meta day "1,2" meta hour "8:0" - "18:0" counter accept comment "xxx"



It works if I change meta day and leave only one day.


ip saddr 192.168.0.0/16 ip daddr 192.168.10.1 iifname "lan" ip protocol tcp tcp dport { 53, 88, 123, 135, 139, 389, 445, 464, 636, 1024-5000, 5353 } meta day "Monday" meta hour "08:00"-"18:00" counter packets 0 bytes 0 accept comment "xxx"

ip saddr 192.168.0.0/16 iifname "wan1" ip protocol tcp tcp dport { 53, 88, 123, 135, 139, 389, 445, 464, 636, 1024-5000, 5353 } meta day "Wednesday" counter packets 0 bytes 0 accept comment "ttttttt"


What am I doing incorrectly...?

Can't I use more than 1 day in a rule + time?

I intend to use meta day + meta time normally like this:

Monday to Friday from 8:00 until 18:00hs.


Thanks for your time

best regards



-- 
Paulo Ricardo Bruck consultor 



* Re: meta day not working
  2020-06-06 13:10                   ` meta day not working pauloric
@ 2020-06-06 14:37                     ` Florian Westphal
  2020-06-06 15:06                       ` pauloric
  0 siblings, 1 reply; 16+ messages in thread
From: Florian Westphal @ 2020-06-06 14:37 UTC (permalink / raw)
  To: pauloric; +Cc: netfilter

pauloric@contatogs.com.br <pauloric@contatogs.com.br> wrote:
> only meta day
> /etc/nftables.d/gerais:17:168-176: Error: Could not parse Day of week of packet reception
> 
> meta day "(1,3,5)" counter accept comment "ttttttt"

Anonymous sets use curly braces "{}", not "()".


* Re: meta day not working
  2020-06-06 14:37                     ` Florian Westphal
@ 2020-06-06 15:06                       ` pauloric
  0 siblings, 0 replies; 16+ messages in thread
From: pauloric @ 2020-06-06 15:06 UTC (permalink / raw)
  To: netfilter

shame on me...8(

thanks Florian

----- Original Message -----
From: "Florian Westphal" <fw@strlen.de>
To: "pauloric" <pauloric@contatogs.com.br>
Cc: "netfilter" <netfilter@vger.kernel.org>
Sent: Saturday, 6 June 2020 11:37:02
Subject: Re: meta day not working


> only meta day
> /etc/nftables.d/gerais:17:168-176: Error: Could not parse Day of week of packet reception
> 
> meta day "(1,3,5)" counter accept comment "ttttttt"

Anonymous sets use curly braces "{}", not "()".

