errors found in nftable docs on wiki

errors found in nftable docs on wiki

[Jonathan Johnson]

http://wiki.nftables.org/wiki-nftables/index.php/Sets

States this works and it does not.


nft add set filter blackhole { type ipv4_address\;}

after reviewing the source code I discovered this is correct:


nft add set filter blackhole { type ipv4_addr\;}


after using the correct syntax I get this error, which I have not
troubleshooted.


I modprobed all the modules starting with nft* one at a time.


<cmdline>:1:26-42: Error: Could not add set: No such file or directory

Jonathan

Re: errors found in nftable docs on wiki

[Pablo Neira Ayuso]

On Sat, Jun 28, 2014 at 02:13:35PM -0500, Jonathan Johnson wrote:
> http://wiki.nftables.org/wiki-nftables/index.php/Sets
> 
> States this works and it does not.
> 
> 
> nft add set filter blackhole { type ipv4_address\;}
> 
> after reviewing the source code I discovered this is correct:
> 
> 
> nft add set filter blackhole { type ipv4_addr\;}

Fixed, thanks for reporting.

> after using the correct syntax I get this error, which I have not
> troubleshooted.
> 
> 
> I modprobed all the modules starting with nft* one at a time.
> 
> 
> <cmdline>:1:26-42: Error: Could not add set: No such file or directory

I guess you forgot to create the filter table?

http://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables

Re: errors found in nftable docs on wiki

[Jonathan Johnson]

I followed your example and no go.

/sbin/nft add table ip  blackhole
nft list tables
results:  blackhole

nft add set filter blackhole { type ipv4_addr\;}
<cmdline>:1:26-42: Error: Could not add set: No such file or directory


Please send me a complete example.
I am trying to migrate my blacklist from ipset/iptables to nft since I
have 33,110 entries and counting.  I want to block all forms of
communication with there ip addresses.  I want to see how nft performs
by comparison.  Does nft have the 65,535 limit for list size?

Jonathan



On Sun, Jun 29, 2014 at 5:12 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sat, Jun 28, 2014 at 02:13:35PM -0500, Jonathan Johnson wrote:
>> http://wiki.nftables.org/wiki-nftables/index.php/Sets
>>
>> States this works and it does not.
>>
>>
>> nft add set filter blackhole { type ipv4_address\;}
>>
>> after reviewing the source code I discovered this is correct:
>>
>>
>> nft add set filter blackhole { type ipv4_addr\;}
>
> Fixed, thanks for reporting.
>
>> after using the correct syntax I get this error, which I have not
>> troubleshooted.
>>
>>
>> I modprobed all the modules starting with nft* one at a time.
>>
>>
>> <cmdline>:1:26-42: Error: Could not add set: No such file or directory
>
> I guess you forgot to create the filter table?
>
> http://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables

Re: errors found in nftable docs on wiki

[Arturo Borrero Gonzalez]

On 29 June 2014 16:51, Jonathan Johnson <ecybernard@gmail.com> wrote:
> I followed your example and no go.
>
> /sbin/nft add table ip  blackhole
> nft list tables
> results:  blackhole
>
> nft add set filter blackhole { type ipv4_addr\;}
> <cmdline>:1:26-42: Error: Could not add set: No such file or directory
>

The syntax is:

nft add set <family> <table> <setname> { type ... }

So, you are adding a set named 'blackhole' in a table named 'filter'.

I would suggest to create the filter table.
-- 
Arturo Borrero Gonz√°lez

Re: errors found in nftable docs on wiki

[Jonathan Johnson]

I tried to implement the syntax above with no luck.  I have no idea
what I am supposed to do, and I am blindly stabbing around with trial
and error trying to figure this out.  Why don't you just provide me
with a complete example and make it easy for me?  All the examples I
find are broken,wrong, or incomplete.

Jonathan

On Tue, Jul 1, 2014 at 1:32 AM, Arturo Borrero Gonzalez
<arturo.borrero.glez@gmail.com> wrote:
> On 29 June 2014 16:51, Jonathan Johnson <ecybernard@gmail.com> wrote:
>> I followed your example and no go.
>>
>> /sbin/nft add table ip  blackhole
>> nft list tables
>> results:  blackhole
>>
>> nft add set filter blackhole { type ipv4_addr\;}
>> <cmdline>:1:26-42: Error: Could not add set: No such file or directory
>>
>
> The syntax is:
>
> nft add set <family> <table> <setname> { type ... }
>
> So, you are adding a set named 'blackhole' in a table named 'filter'.
>
> I would suggest to create the filter table.
> --
> Arturo Borrero Gonz√°lez

Re: errors found in nftable docs on wiki

[Arturo Borrero Gonzalez]

On 2 July 2014 06:44, Jonathan Johnson <ecybernard@gmail.com> wrote:
> I tried to implement the syntax above with no luck.  I have no idea
> what I am supposed to do, and I am blindly stabbing around with trial
> and error trying to figure this out.  Why don't you just provide me
> with a complete example and make it easy for me?  All the examples I
> find are broken,wrong, or incomplete.
>

Well, I just succesfully tested this:

nft add table blackhole
nft list table blackhole
table ip blackhole {
}

nft add set blackhole set1 { type ipv4_addr\; }

nft list table blackhole
table ip blackhole {
   set set1 {
      type ipv4_addr
   }
}

nft add element blackhole set1 {1.1.1.1, 2.2.2.2, 3.3.3.3}

nft list table blackhole -nnn
table ip blackhole {
   set set1 {
   type ipv4_addr
      elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
   }
}

nft add chain blackhole chain1
nft list table blackhole -nnn
table ip blackhole {
   set set1 {
      type ipv4_addr
      elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
   }

   chain chain1 {
   }
}

nft add rule blackhole chain1 ip saddr @set1 counter accept
nft list table blackhole -nnn
table ip blackhole {
   set set1 {
      type ipv4_addr
      elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
   }

   chain chain1 {
      ip saddr @set1 counter packets 0 bytes 0 accept
   }
}

-- 
Arturo Borrero Gonz√°lez

Re: errors found in nftable docs on wiki

[Jonathan Johnson]

after:
nft add rule blackhole chain1 ip saddr @set1 counter accept

result:

nft[23409]: segfault at 7f8f5b809bbe ip 00007f8e9fe71f4e sp
00007fff6829d178 error 4 in libc-2.18.so[7f8e9fde2000+1a5000]

after that I proceeded to populate the list and got additional errors.
I used:
for i in `cat all3.txt`;do nft add element blackhole set1 { $i };done

To start loading in my 30,000+ enteries.

nft: src/netlink.c:205: alloc_nft_setelem: Assertion `expr->ops->type
== EXPR_MAPPING' failed.
Aborted

Eventually, after a few hundred it completes.  Does nft support cidr
(1.1.1.0/24) notation?

So I guess the segmentation fault is my last problem.

Jonathan


On Wed, Jul 2, 2014 at 1:56 AM, Arturo Borrero Gonzalez
<arturo.borrero.glez@gmail.com> wrote:
> On 2 July 2014 06:44, Jonathan Johnson <ecybernard@gmail.com> wrote:
>> I tried to implement the syntax above with no luck.  I have no idea
>> what I am supposed to do, and I am blindly stabbing around with trial
>> and error trying to figure this out.  Why don't you just provide me
>> with a complete example and make it easy for me?  All the examples I
>> find are broken,wrong, or incomplete.
>>
>
> Well, I just succesfully tested this:
>
> nft add table blackhole
> nft list table blackhole
> table ip blackhole {
> }
>
> nft add set blackhole set1 { type ipv4_addr\; }
>
> nft list table blackhole
> table ip blackhole {
>    set set1 {
>       type ipv4_addr
>    }
> }
>
> nft add element blackhole set1 {1.1.1.1, 2.2.2.2, 3.3.3.3}
>
> nft list table blackhole -nnn
> table ip blackhole {
>    set set1 {
>    type ipv4_addr
>       elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
>    }
> }
>
> nft add chain blackhole chain1
> nft list table blackhole -nnn
> table ip blackhole {
>    set set1 {
>       type ipv4_addr
>       elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
>    }
>
>    chain chain1 {
>    }
> }
>
> nft add rule blackhole chain1 ip saddr @set1 counter accept
> nft list table blackhole -nnn
> table ip blackhole {
>    set set1 {
>       type ipv4_addr
>       elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
>    }
>
>    chain chain1 {
>       ip saddr @set1 counter packets 0 bytes 0 accept
>    }
> }
>
> --
> Arturo Borrero Gonz√°lez

Re: errors found in nftable docs on wiki

[Arturo Borrero Gonzalez]

On 3 July 2014 02:55, Jonathan Johnson <ecybernard@gmail.com> wrote:
> after:
> nft add rule blackhole chain1 ip saddr @set1 counter accept
>
> result:
>
> nft[23409]: segfault at 7f8f5b809bbe ip 00007f8e9fe71f4e sp
> 00007fff6829d178 error 4 in libc-2.18.so[7f8e9fde2000+1a5000]
>
> after that I proceeded to populate the list and got additional errors.
> I used:
> for i in `cat all3.txt`;do nft add element blackhole set1 { $i };done
>
> To start loading in my 30,000+ enteries.
>
> nft: src/netlink.c:205: alloc_nft_setelem: Assertion `expr->ops->type
> == EXPR_MAPPING' failed.
> Aborted
>
> Eventually, after a few hundred it completes.  Does nft support cidr
> (1.1.1.0/24) notation?
>
> So I guess the segmentation fault is my last problem.
>

Ok, let's trace the problem. Maybe you are hitting a bug :)

1) Please, send the version of the kernel, nftables, libnftnl, libmnl
and the name of your distro.
2) Please, rerun the command with valgrind, and send here the result.
  # valgrind nft add rle blackhole chain1 ip saddr @set1 counter accept
3) I note now that I named 'blackhole' the table, while in your
original mail, you named 'blackhole' the set. Please, check that.

Please, give us a bit of more info so we can be more helpful.

Thanks, regards.
-- 
Arturo Borrero Gonz√°lez