* Cannot reference sets in later rules until next nft run
@ 2021-09-03  1:25 martin f krafft
  2021-09-03  7:42 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: martin f krafft @ 2021-09-03  1:25 UTC (permalink / raw)
  To: netfilter users list


Dear list,

I am trying to create an nft ruleset that uses the include directive 
and a run-parts.d style directory for additions to the main ruleset.

I've run into a problem with nft v0.9.8 on kernel 5.10.0, which I 
summarise as follows: If a rule in the main ruleset defines a set 
then I cannot use that set outside the current scope until a later 
run of nft.

Let me illustrate:

I have the following files (please find them attached):

   ==> inc.d/20-ssh.nft <==
   table inet test {

       set recent_ssh_connections4 { type ipv4_addr; timeout 30s; }

       chain incoming_ssh {
           update @recent_ssh_connections4 { ip saddr } \
               accept comment "SSH connections"
       }

       chain input {
           tcp flags syn tcp dport 22 counter jump incoming_ssh
       }
   }

   ==> inc.d/50-mosh_ports_v4.nft <==
   add rule inet test input \
     ip saddr @recent_ssh_connections4 udp dport 60000-61000 counter accept \
     comment "Portrange required for mosh"

   ==> ruleset.nft <==
   table inet test {

       chain input {
           type filter hook input priority filter;

       }
   }

   include "./inc.d/*.nft"

When I try to load this ruleset, it fails (debug output is attached):

   % sudo nft -f ruleset.nft
   In file included from ruleset.nft:9:1-24:
   ./inc.d/50-mosh_ports_v4.nft:2:12-35: Error: No such file or directory
     ip saddr @recent_ssh_connections4 udp dport 60000-61000 counter accept \
              ^^^^^^^^^^^^^^^^^^^^^^^^

If I load the included files with a separate invocation of nft, it 
works:

   % sed '/^include/d' ruleset.nft | sudo nft -f -
   % for f in inc.d/*.nft; do sudo nft -f $f; done

At first, I thought this was a problem with include, but even if I 
replace the include directive with the contents of the files it 
would include, the error is the same.

The error also stays if I convert the command-style content of 
inc.d/50-mosh_ports_v4.nft to the native format.

The only way to make this work is to include the rules within the 
main and first table declaration in ruleset.nft, which means it's 
not possible to use sets in include files.

Is this a bug, or am I doing something wrong?

-- 
@martinkrafft | https://matrix.to/#/#madduck:madduck.net
  
"i can stand brute force, but brute reason is quite unbearable. there
  is something unfair about its use. it is hitting below the
  intellect."
                                                       -- oscar wilde
  
spamtraps: madduck.bogus@madduck.net

[-- Attachment #2: nft-problem-files.tar.gz --]
[-- Type: application/gzip, Size: 516 bytes --]

[-- Attachment #3: nft-debug-output.gz --]
[-- Type: application/gzip, Size: 6623 bytes --]
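The mail reproduces the problem by hand-expanding the include. The following added example (not code from the thread or from nftables) does that expansion the way `nft -f` does, relative "./" patterns against the working directory and glob matches in sorted order, and then lists every set that is referenced from a file other than the one defining it, which is exactly the layout that failed above on 0.9.8. The `SAMPLE` dict is a trimmed, constructed copy of the three files; `base` is a parameter added so the check can be run from any directory.

```python
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"')
SET_DEF_RE = re.compile(r'^\s*set\s+(\w+)\s*\{')
SET_REF_RE = re.compile(r'@(\w+)')
SAMPLE = {  # trimmed copy of the thread's three files (constructed sample)
    "inc.d/20-ssh.nft": "table inet test {\n  set recent_ssh_connections4 { type ipv4_addr; timeout 30s; }\n"
                        "  chain incoming_ssh { update @recent_ssh_connections4 { ip saddr } accept }\n}\n",
    "inc.d/50-mosh_ports_v4.nft": "add rule inet test input ip saddr @recent_ssh_connections4 udp dport 60000-61000 accept\n",
    "ruleset.nft": "table inet test {\n  chain input { type filter hook input priority filter; }\n}\ninclude \"./inc.d/*.nft\"\n",
}

def expand_includes(path, base=None):
    """Replace include lines by the matched files, as nft -f does. Relative patterns
    resolve against base (cwd by default, like nft's "./inc.d/*.nft"); yields (file, line, text)."""
    base, out = base or os.getcwd(), []
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            m = INCLUDE_RE.match(line)
            if not m:
                out.append((path, lineno, line.rstrip("\n")))
                continue
            pattern = m.group(1) if os.path.isabs(m.group(1)) else os.path.join(base, m.group(1))
            for inc in sorted(glob.glob(pattern)):  # glob(3) sorts unless GLOB_NOSORT; assumed to match nft
                out.extend(expand_includes(inc, base))
    return out

def cross_file_sets(path, base=None):
    """Sets referenced from a file other than the one defining them (the layout that failed on nft 0.9.8)."""
    defined, referenced = {}, {}
    for origin, _, text in expand_includes(path, base):
        m = SET_DEF_RE.match(text)
        if m:
            defined.setdefault(m.group(1), set()).add(origin)
            continue
        for name in SET_REF_RE.findall(text):
            referenced.setdefault(name, set()).add(origin)
    return sorted(n for n, f in referenced.items() if f - defined.get(n, set()))

def write_sample():
    """Materialise SAMPLE in a fresh temp dir; returns (dir, main ruleset path)."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "inc.d"))
    for name, text in SAMPLE.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    return d, os.path.join(d, "ruleset.nft")
```

Sets that are referenced but never defined anywhere are reported as well, since they produce the same "No such file or directory" error regardless of nft version.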


* Re: Cannot reference sets in later rules until next nft run
  2021-09-03  1:25 Cannot reference sets in later rules until next nft run martin f krafft
@ 2021-09-03  7:42 ` Pablo Neira Ayuso
  2021-09-03  9:51   ` martin f krafft
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2021-09-03  7:42 UTC (permalink / raw)
  To: netfilter users list

On Fri, Sep 03, 2021 at 01:25:02PM +1200, martin f krafft wrote:
> Dear list,
> 
> I am trying to create an nft ruleset that uses the include directive and a
> run-parts.d style directory for additions to the main ruleset.
> 
> I've run into a problem with nft v0.9.8 on kernel 5.10.0, which I summarise
> as follows: If a rule in the main ruleset defines a set then I cannot use
> that set outside the current scope until a later run of nft.
> 
> Let me illustrate:
> 
> I have the following files (please find them attached):
> 
>   ==> inc.d/20-ssh.nft <==
>   table inet test {
> 
>       set recent_ssh_connections4 { type ipv4_addr; timeout 30s; }
> 
>       chain incoming_ssh {
>           update @recent_ssh_connections4 { ip saddr } \
>               accept comment "SSH connections"
>       }
> 
>       chain input {
>           tcp flags syn tcp dport 22 counter jump incoming_ssh
>       }
>   }
> 
>   ==> inc.d/50-mosh_ports_v4.nft <==
>   add rule inet test input \
>     ip saddr @recent_ssh_connections4 udp dport 60000-61000 counter accept \
>     comment "Portrange required for mosh"
> 
>   ==> ruleset.nft <==
>   table inet test {
> 
>       chain input {
>           type filter hook input priority filter;
> 
>       }
>   }
> 
>   include "./inc.d/*.nft"
> 
> When I try to load this ruleset, it fails (debug output is attached):
> 
>   % sudo nft -f ruleset.nft
>   In file included from ruleset.nft:9:1-24:
>   ./inc.d/50-mosh_ports_v4.nft:2:12-35: Error: No such file or directory
>     ip saddr @recent_ssh_connections4 udp dport 60000-61000 counter accept \
>              ^^^^^^^^^^^^^^^^^^^^^^^^

Just tried it here with latest:

# nft -v
nftables v1.0.0 (Fearless Fosdick #2)

WorksForMe(tm)

# nft -f ruleset.nft
# nft list ruleset
table inet test {
        set recent_ssh_connections4 {
                type ipv4_addr
                size 65535
                timeout 30s
        }

        chain input {
                type filter hook input priority filter; policy accept;
                tcp flags syn tcp dport 22 counter packets 0 bytes 0 jump incoming_ssh
                ip saddr @recent_ssh_connections4 udp dport 60000-61000 counter packets 0 bytes 0 accept comment "Portrange required for mosh"
        }

        chain incoming_ssh {
                update @recent_ssh_connections4 { ip saddr } accept comment "SSH connections"
        }
}

This is an old cache bug that was fixed starting 0.9.9 IIRC.

> If I load the included files with a separate invocation of nft, it works:
> 
>   % sed '/^include/d' ruleset.nft | sudo nft -f -
>   % for f in inc.d/*.nft; do sudo nft -f $f; done
> 
> At first, I thought this was a problem with include, but even if I replace
> the include directive with the contents of the files it would include, the
> error is the same.
> 
> The error also stays if I convert the command-style content of
> inc.d/50-mosh_ports_v4.nft to the native format.
> 
> The only way to make this work is to include the rules within the main and
> first table declaration in ruleset.nft, which means it's not possible to use
> sets in include files.
> 
> Is this a bug, or am I doing something wrong?

It's a bug, please try out latest.

Thanks.


* Re: Cannot reference sets in later rules until next nft run
  2021-09-03  7:42 ` Pablo Neira Ayuso
@ 2021-09-03  9:51   ` martin f krafft
  0 siblings, 0 replies; 3+ messages in thread
From: martin f krafft @ 2021-09-03  9:51 UTC (permalink / raw)
  To: netfilter users list

Regarding the following, written by "Pablo Neira Ayuso" on 2021-09-03 at 09:42 +0200:
>Just tried it here with latest:
>
># nft -v 
>nftables v1.0.0 (Fearless Fosdick #2)
>
>WorksForMe(tm)
[…]
>This is an old cache bug that was fixed starting 0.9.9 IIRC.

Thanks for that. I failed to check that the version I had was way 
out of date. I have now installed 0.9.9 from Debian experimental and 
can confirm that this has been fixed.

Thanks for your patience and sorry to everyone for the noise.

-- 
@martinkrafft | https://matrix.to/#/#madduck:madduck.net
  
seen on an advertising for an elaborate swiss men's watch:
   "almost as complicated as a woman. except it's on time"
  
spamtraps: madduck.bogus@madduck.net

