nft list empty

nft list empty

[Nathan Wagner]

For some reason, 'nft list ...' doesn't seem to print anything out.
A nft create table seems to create the table, but other than an
error if I try to create it again, I don't have any way to tell.

I am probably missing something, but I have looked around and
don't see what it could be.  I worked up a script to reproduce
the issue, the output of which is below.

What is especially puzzling is that a 'list ruleset' within the same
nft process shows output, so it's like nft just isn't committing the
changes for some reason.  Except that doing two creates in a row
generates an error that I interpret to mean that the table already
exists.  This also implies that the table create persisted across
separate nft processes.

Finally and separately, I tried doing an 'echo list ruleset | nft -f -'
and it errors out with a missing /dev/stdin.  Ok, my /dev filesystem is
probably broken, but why is it trying to open /dev/stdin in the first
place instead of just reading from fd 0?  I imagine that somewhere
there's the equivalent of an "if filename = '-' then filename =
'/dev/stdin' and then it goes through the same process it uses for named
files.  I'd do this the other way around.

+ uname -r
4.15.10-2-zoranix
+ lsmod
+ grep nf
nft_set_rbtree         16384  0
nft_set_hash           24576  0
nft_set_bitmap         16384  0
nft_reject             16384  0
nft_counter            16384  0
nf_tables_inet         16384  0
nf_tables_ipv6         16384  1 nf_tables_inet
nf_tables_ipv4         16384  5 nf_tables_inet
nf_tables              94208  8 nft_set_bitmap,nft_reject,nft_set_hash,nf_tables_ipv6,nf_tables_ipv4,nft_set_rbtree,nft_counter,nf_tables_inet
configs                45056  0
+ nft flush ruleset
+ nft list ruleset
+ nft create table ip filter
+ nft list ruleset
+ nft create table ip filter
Error: Could not process rule: File exists
create table ip filter
^^^^^^^^^^^^^^^^^^^^^^^
+ cat new/bare
#!/usr/sbin/nft -f

flush ruleset

table ip filter {
   chain input { type filter hook input priority 0; policy accept; }
   chain forward { type filter hook forward priority 0; policy accept; }
   chain output { type filter hook output priority 0; policy accept; }
}

list ruleset
+ /usr/sbin/nft -f new/bare
table ip filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
+ nft list ruleset
+ echo flush ruleset
+ /usr/sbin/nft -f -
internal:0:0-0: Error: Could not open file "/dev/stdin": No such file or directory

-- 
nw

Re: nft list empty

[Benno]

Am 26.10.21 um 21:28 schrieb Nathan Wagner:
> For some reason, 'nft list ...' doesn't seem to print anything out.
> A nft create table seems to create the table, but other than an
> error if I try to create it again, I don't have any way to tell.
> 

Which version of nftables are you using? Does nft list tables or nft
list chains output your rules? (Kernel 4.15 is from 2018, most major
distributions moved to at least 4.19. Currently nftables 1.0.0 is stable
but not yet available in all distributions.)

Is nft really the binary from the nftables package or something wrapped/
enhanced by a distribution? Is there an alias in your shell? (In Bash
this can be avoided by using 'nft' – single quotes.)

Re: nft list empty

[Nathan Wagner]

On Tue, Oct 26, 2021 at 10:32:15PM +0200, Benno wrote:
> Am 26.10.21 um 21:28 schrieb Nathan Wagner:
> > For some reason, 'nft list ...' doesn't seem to print anything out.
> > A nft create table seems to create the table, but other than an
> > error if I try to create it again, I don't have any way to tell.
> > 
> 
> Which version of nftables are you using?

1.0.0

> Does nft list tables or nft list chains output your rules?

No, I added a '/usr/sbin/nft list tables' and '/usr/sbin/nft list
chains' to the appropriate places in my repro script, and they don't
produce any output.

> (Kernel 4.15 is from 2018, most major distributions moved to at least
> 4.19.

I think 4.15 should still support nftables.  I've got a more recent
kernel compiled and packaged, but my uptime is 848 days...

> Currently nftables 1.0.0 is stable but not yet available in all
> distributions.)
> 
> Is nft really the binary from the nftables package

Yes, which I can guarantee, since I compiled it myself.

> or something wrapped/enhanced by a distribution?

No, that's not it.  I packaged it myself.  I also tried running the
binary straight from the compilation directory.

> Is there an alias in your shell? (In Bash this can be avoided by using
> 'nft' ??? single quotes.)

No alias.  I changed my repro script to call /usr/sbin/nft rather than
just 'nft', same result.

-- 
nw

Re: nft list empty

[Pablo Neira Ayuso]

On Tue, Oct 26, 2021 at 07:28:00PM +0000, Nathan Wagner wrote:
> For some reason, 'nft list ...' doesn't seem to print anything out.
> A nft create table seems to create the table, but other than an
> error if I try to create it again, I don't have any way to tell.
> 
> I am probably missing something, but I have looked around and
> don't see what it could be.  I worked up a script to reproduce
> the issue, the output of which is below.
> 
> What is especially puzzling is that a 'list ruleset' within the same
> nft process shows output, so it's like nft just isn't committing the
> changes for some reason.  Except that doing two creates in a row
> generates an error that I interpret to mean that the table already
> exists.  This also implies that the table create persisted across
> separate nft processes.
> 
> Finally and separately, I tried doing an 'echo list ruleset | nft -f -'
> and it errors out with a missing /dev/stdin.  Ok, my /dev filesystem is
> probably broken, but why is it trying to open /dev/stdin in the first
> place instead of just reading from fd 0?  I imagine that somewhere
> there's the equivalent of an "if filename = '-' then filename =
> '/dev/stdin' and then it goes through the same process it uses for named
> files.  I'd do this the other way around.
> 
> + uname -r
> 4.15.10-2-zoranix

There's a fix in master (to be included in the upcoming 1.0.1 release)
which fixes nftables with older kernels:

commit 058a943cefbdde9aee273115624de27cf15dd3f3
[...]

    cache: provide a empty list for flowtables and objects when request fails
    
    Old kernels do not support for dumping the flowtable and object lists,
    provide an empty list instead to unbreak the cache initialization.
    
    Fixes: 560963c4d41e ("cache: add hashtable cache for flowtable")
    Fixes: 45a84088ecbd ("cache: add hashtable cache for object")

Could you give a try to a nftables git HEAD snapshot?

Re: nft list empty

[Nathan Wagner]

On Wed, Oct 27, 2021 at 12:40:04AM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 26, 2021 at 07:28:00PM +0000, Nathan Wagner wrote:
> > For some reason, 'nft list ...' doesn't seem to print anything out.
> > A nft create table seems to create the table, but other than an
> > error if I try to create it again, I don't have any way to tell.

> > + uname -r
> > 4.15.10-2-zoranix
> 
> There's a fix in master (to be included in the upcoming 1.0.1 release)
> which fixes nftables with older kernels:

[snip]

> Could you give a try to a nftables git HEAD snapshot?

That version works with my kernel.

-- 
nw