nftables v0.9.0 netlink: Error: set is not a map

nftables v0.9.0 netlink: Error: set is not a map

[Daniel Huhardeaux]

Hello,

I created a bash script under Debian/Buster to create nft rules: it 
works perfectly.

Now I copy this script to a Debian/Stretch machine (nftables v0.7.0) and 
get in troubles to make it work: at some point I receive the subject error.

OK, I think it's a version problem: I installed nftables from Stretch 
backports which is the same version as the Buster one, v0.9.0 But bang, 
error is still here :(

What can be the cause of this error? Yes, I use sets, and no, they are 
no maps defined.

Thanks for any hint

-- 
TOOTAi Networks
Daniel

Re: nftables v0.9.0 netlink: Error: set is not a map

[Trent W. Buck]

Daniel Huhardeaux <tech@tootai.net> writes:

> I created a bash script under Debian/Buster to create nft rules: it
> works perfectly.
>
> Now I copy this script to a Debian/Stretch machine (nftables v0.7.0)
> and get in troubles to make it work: at some point I receive the
> subject error.
>
> OK, I think it's a version problem: I installed nftables from Stretch
> backports which is the same version as the Buster one, v0.9.0 But
> bang, error is still here :(
>
> What can be the cause of this error? Yes, I use sets, and no, they are
> no maps defined.

Can you show us your actual ruleset.nft?

Or (better yet) distill it down to a minimal test ruleset.nft that
generates the problem, and show us that.


I don't recognize the specific error.
I have seen similar errors before due to brainos in my ruleset.

I agree it doesn't make sense that the same version (nftables=0.9.0 on
Debian 9 and Debian 10) should parse the same way - so maybe it's a
difference on the kernel side?

Are you running
4.19.67-2+deb10u1~bpo9+1 on Debian 9, and
4.19.67-2 on Debian 10?

Re: nftables v0.9.0 netlink: Error: set is not a map

[Daniel Huhardeaux]

Le 22/10/2019 à 02:30, Trent W. Buck a écrit :
> Daniel Huhardeaux <tech@tootai.net> writes:
> 
>> I created a bash script under Debian/Buster to create nft rules: it
>> works perfectly.
>>
>> Now I copy this script to a Debian/Stretch machine (nftables v0.7.0)
>> and get in troubles to make it work: at some point I receive the
>> subject error.
>>
>> OK, I think it's a version problem: I installed nftables from Stretch
>> backports which is the same version as the Buster one, v0.9.0 But
>> bang, error is still here :(
>>
>> What can be the cause of this error? Yes, I use sets, and no, they are
>> no maps defined.
> 
> Can you show us your actual ruleset.nft?
> 
> Or (better yet) distill it down to a minimal test ruleset.nft that
> generates the problem, and show us that >
> I don't recognize the specific error.
> I have seen similar errors before due to brainos in my ruleset.
> 
> I agree it doesn't make sense that the same version (nftables=0.9.0 on
> Debian 9 and Debian 10) should parse the same way - so maybe it's a
> difference on the kernel side?
> 
> Are you running
> 4.19.67-2+deb10u1~bpo9+1 on Debian 9, and
> 4.19.67-2 on Debian 10?

Debian9 Debian 4.9.189-3+deb9u1
Debian10 Debian 4.19.67-2+deb10u1

I found the culpit: myself. I copy values from iptables rules where 
range are given separated by colon and I forgot to replace this one by a 
dash :(

Thanks for your support
-- 
Daniel