* nftables: Strange Error When Adding Element to Named Set
@ 2020-05-08 14:06 Mike Dillinger
2020-05-08 16:01 ` Pablo Neira Ayuso
0 siblings, 1 reply; 16+ messages in thread
From: Mike Dillinger @ 2020-05-08 14:06 UTC (permalink / raw)
To: netfilter
Hello,
This has been a problem since my kernel was upgraded to 5.6. Everything was fine prior to that where I was running the 5.5 kernel.
I'm running Debian testing and here is some information regarding my system:
$ uname -a
Linux rockenfield 5.6.0-1-amd64 #1 SMP Debian 5.6.7-1 (2020-04-29) x86_64 GNU/Linux
$ nft -v
nftables v0.9.4 (Jive at Five)
I have a script that blocks IP's by adding them to a named set, and the named set has a 12 hour expiration. After about a day of uptime, I start getting the following error. I'm obfuscating the IP address with "a.b.c.d".
$ nft add element ip filter blacklist4-ip-12h { a.b.c.d }
Error: Could not process rule: File exists
add element ip filter blacklist4-ip-12h { a.b.c.d }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I can check the named set and no such IP address exists, and double checked using grep. Here's the kicker: if I reboot, it works fine. The blacklist4-ip-12h set has 191 IP's so it shouldn't be a matter of too many IP's. I've had up to 300 in the set before with no problems. If I had too many IP's, I'd expect the same behavior after a reboot which is not the case. It's not an issue with any particular IP address; rather it disallows anything being added to the named set entirely. Here are the properties of the set in case something is wrong there:
set blacklist4-ip-12h {
type ipv4_addr
flags interval,timeout
timeout 12h
gc-interval 1m
}
If the set properties look OK, then I'm fairly confident this is a bug. I wanted to know if it's a kernel issue or an nftables issue, and also where to go to file a bug, and I can take it from there. I'm not sure when nftables was upgraded if we're suspecting nftables. I'd need to do some digging.
Any help is greatly appreciated. Having to reboot daily to work around this issue is not desirable.
Thank you!
-MikeD
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: nftables: Strange Error When Adding Element to Named Set 2020-05-08 14:06 nftables: Strange Error When Adding Element to Named Set Mike Dillinger @ 2020-05-08 16:01 ` Pablo Neira Ayuso 2020-05-08 17:13 ` Mike Dillinger 2020-05-31 17:18 ` Mike Dillinger 0 siblings, 2 replies; 16+ messages in thread From: Pablo Neira Ayuso @ 2020-05-08 16:01 UTC (permalink / raw) To: Mike Dillinger; +Cc: netfilter On Fri, May 08, 2020 at 07:06:56AM -0700, Mike Dillinger wrote: > Hello, > > This has been a problem since my kernel was upgraded to 5.6. Everything was fine prior to that where I was running the 5.5 kernel. > > I'm running Debian testing and here is some information regarding my system: > $ uname -a > Linux rockenfield 5.6.0-1-amd64 #1 SMP Debian 5.6.7-1 (2020-04-29) x86_64 GNU/Linux > $ nft -v > nftables v0.9.4 (Jive at Five) > > I have a script that blocks IP's by adding them to a named set, and the named set has a 12 hour expiration. After about a day of uptime, I start getting the following error. I'm obfuscating the IP address with "a.b.c.d". > > $ nft add element ip filter blacklist4-ip-12h { a.b.c.d } > Error: Could not process rule: File exists > add element ip filter blacklist4-ip-12h { a.b.c.d } > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > I can check the named set and no such IP address exists, and double checked using grep. Here's the kicker: if I reboot, it works fine. The blacklist4-ip-12h set has 191 IP's so it shouldn't be a matter of too many IP's. I've had up to 300 in the set before with no problems. If I had too many IP's, I'd expect the same behavior after a reboot which is not the case. It's not an issue with any particular IP address; rather it disallows anything being added to the named set entirely. Here are the properties of the set in case something is wrong there: > > set blacklist4-ip-12h { > type ipv4_addr > flags interval,timeout > timeout 12h > gc-interval 1m > } > > If the set properties look OK, then I'm fairly confident this is a bug. I wanted to know if it's a kernel issue or an nftables issue, and also where to go to file a bug, and I can take it from there. I'm not sure when nftables was upgraded if we're suspecting nftables. I'd need to do some digging. > > Any help is greatly appreciated. Having to reboot daily to work around this issue is not desirable. Please, make sure your Linux kernel version is >= 5.6.7 or manually cherry-pick this fix which was included starting that version. Versions from 5.6.0 to 5.6.6 include this problem you describe. See https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7 Author: Stefano Brivio <sbrivio@redhat.com> Date: Wed Apr 1 17:14:38 2020 +0200 netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion commit 72239f2795fab9a58633bd0399698ff7581534a3 upstream. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: nftables: Strange Error When Adding Element to Named Set 2020-05-08 16:01 ` Pablo Neira Ayuso @ 2020-05-08 17:13 ` Mike Dillinger 2020-05-31 17:18 ` Mike Dillinger 1 sibling, 0 replies; 16+ messages in thread From: Mike Dillinger @ 2020-05-08 17:13 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter > Please, make sure your Linux kernel version is >= 5.6.7 or manually > cherry-pick this fix which was included starting that version. > Versions from 5.6.0 to 5.6.6 include this problem you describe. > > See https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7 > > Author: Stefano Brivio <sbrivio@redhat.com> > Date: Wed Apr 1 17:14:38 2020 +0200 > > netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion > > commit 72239f2795fab9a58633bd0399698ff7581534a3 upstream. > Thank you very much! -MikeD ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: nftables: Strange Error When Adding Element to Named Set 2020-05-08 16:01 ` Pablo Neira Ayuso 2020-05-08 17:13 ` Mike Dillinger @ 2020-05-31 17:18 ` Mike Dillinger 2020-06-01 12:41 ` Pablo Neira Ayuso 1 sibling, 1 reply; 16+ messages in thread From: Mike Dillinger @ 2020-05-31 17:18 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter > *From:* Pablo Neira Ayuso [mailto:pablo@netfilter.org] > *To:* Mike Dillinger <miked@softtalker.com> > *Cc:* netfilter@vger.kernel.org > *Date:* Friday, May 8, 2020, 9:01 AM PDT > *Subject:* nftables: Strange Error When Adding Element to Named Set > > Please, make sure your Linux kernel version is >= 5.6.7 or manually > cherry-pick this fix which was included starting that version. > Versions from 5.6.0 to 5.6.6 include this problem you describe. > > See https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7 > > Author: Stefano Brivio <sbrivio@redhat.com> > Date: Wed Apr 1 17:14:38 2020 +0200 > > netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion > > commit 72239f2795fab9a58633bd0399698ff7581534a3 upstream. If I am reading the output of uname correctly, I am using 5.6.14 which should qualify: $ uname -a Linux rockenfield 5.6.0-2-amd64 #1 SMP Debian 5.6.14-1 (2020-05-23) x86_64 GNU/Linux ...yet, the problem still persists: $ nft add element ip filter blacklist4-ip-12h { a.b.c.d } Error: Could not process rule: File exists add element ip filter blacklist4-ip-12h { a.b.c.d } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ To confirm, everything works fine with 5.5.x kernels. Please advise next steps with respect to 5.6.7+ kernels. Thanks, -MikeD ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: nftables: Strange Error When Adding Element to Named Set 2020-05-31 17:18 ` Mike Dillinger @ 2020-06-01 12:41 ` Pablo Neira Ayuso 2020-06-01 14:58 ` Mike Dillinger 0 siblings, 1 reply; 16+ messages in thread From: Pablo Neira Ayuso @ 2020-06-01 12:41 UTC (permalink / raw) To: Mike Dillinger; +Cc: netfilter, sbrivio Hi, On Sun, May 31, 2020 at 10:18:29AM -0700, Mike Dillinger wrote: > > *From:* Pablo Neira Ayuso [mailto:pablo@netfilter.org] > > *To:* Mike Dillinger <miked@softtalker.com> > > *Cc:* netfilter@vger.kernel.org > > *Date:* Friday, May 8, 2020, 9:01 AM PDT > > *Subject:* nftables: Strange Error When Adding Element to Named Set > > > > Please, make sure your Linux kernel version is >= 5.6.7 or manually > > cherry-pick this fix which was included starting that version. > > Versions from 5.6.0 to 5.6.6 include this problem you describe. > > > > See https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7 > > > > Author: Stefano Brivio <sbrivio@redhat.com> > > Date: Wed Apr 1 17:14:38 2020 +0200 > > > > netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion > > commit 72239f2795fab9a58633bd0399698ff7581534a3 upstream. > > If I am reading the output of uname correctly, I am using 5.6.14 which should qualify: > $ uname -a > Linux rockenfield 5.6.0-2-amd64 #1 SMP Debian 5.6.14-1 (2020-05-23) x86_64 GNU/Linux That kernel already contains that fix, so there might be another bug. > ...yet, the problem still persists: > $ nft add element ip filter blacklist4-ip-12h { a.b.c.d } > Error: Could not process rule: File exists > add element ip filter blacklist4-ip-12h { a.b.c.d } > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > To confirm, everything works fine with 5.5.x kernels. Please advise > next steps with respect to 5.6.7+ kernels. Do you have a simple reproducer? That would help us. This is a set with the interval flag set on, correct? ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: nftables: Strange Error When Adding Element to Named Set 2020-06-01 12:41 ` Pablo Neira Ayuso @ 2020-06-01 14:58 ` Mike Dillinger 2020-06-01 15:48 ` Stefano Brivio 2020-06-01 16:07 ` Mike Dillinger 0 siblings, 2 replies; 16+ messages in thread From: Mike Dillinger @ 2020-06-01 14:58 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter, sbrivio > *From:* Pablo Neira Ayuso [mailto:pablo@netfilter.org] > *To:* Mike Dillinger <miked@softtalker.com> > *Cc:* netfilter@vger.kernel.org, sbrivio@redhat.com > *Date:* Monday, June 1, 2020, 5:41 AM PDT > *Subject:* nftables: Strange Error When Adding Element to Named Set > Do you have a simple reproducer? That would help us. > > This is a set with the interval flag set on, correct? Hi Pablo, Yes, that is correct (interval flag is used/enabled). Here is my set definition: set blacklist4-ip-12h { type ipv4_addr flags interval,timeout timeout 12h gc-interval 1m } As for a reproducer, it is simple but it takes about 12 hours of uptime for the issue to surface. My script parses syslog for questionable IP activity and puts IP's into this set if they meet certain criteria, and on average I'd say one or two per hour get added to the set. Let me do some experiments and get back to you. I will roll the kernel forward to the problematic version and report back later or tomorrow. In the meantime, please let me know if you have any suggestions on how to accelerate the issue. Hmmm... actually now that I think about this some more, the set expires entries at the 12 hour interval. Could this possibly be related to the first few IP expiration(s)? I will go with that theory and try to reproduce with a set timeout of 1m or 5m, and report back. Thanks! -MikeD ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: nftables: Strange Error When Adding Element to Named Set 2020-06-01 14:58 ` Mike Dillinger @ 2020-06-01 15:48 ` Stefano Brivio 2020-06-01 16:13 ` Mike Dillinger 2020-06-01 16:07 ` Mike Dillinger 1 sibling, 1 reply; 16+ messages in thread From: Stefano Brivio @ 2020-06-01 15:48 UTC (permalink / raw) To: Mike Dillinger; +Cc: Pablo Neira Ayuso, netfilter Mike, On Mon, 1 Jun 2020 07:58:49 -0700 Mike Dillinger <miked@softtalker.com> wrote: > > *From:* Pablo Neira Ayuso [mailto:pablo@netfilter.org] > > *To:* Mike Dillinger <miked@softtalker.com> > > *Cc:* netfilter@vger.kernel.org, sbrivio@redhat.com > > *Date:* Monday, June 1, 2020, 5:41 AM PDT > > *Subject:* nftables: Strange Error When Adding Element to Named Set > > Do you have a simple reproducer? That would help us. > > > > This is a set with the interval flag set on, correct? > > Hi Pablo, > > Yes, that is correct (interval flag is used/enabled). Here is my > set definition:    set blacklist4-ip-12h { >        type ipv4_addr >        flags interval,timeout >        timeout 12h >        gc-interval 1m >    } > > As for a reproducer, it is simple but it takes about 12 hours of > uptime for the issue to surface. My script parses syslog for > questionable IP activity and puts IP's into this set if they meet > certain criteria, and on average I'd say one or two per hour get > added to the set. Let me do some experiments and get back to you. I > will roll the kernel forward to the problematic version and report > back later or tomorrow. In the meantime, please let me know if you > have any suggestions on how to accelerate the issue. > > Hmmm... actually now that I think about this some more, the set > expires entries at the 12 hour interval. Could this possibly be > related to the first few IP expiration(s)? I will go with that > theory and try to reproduce with a set timeout of 1m or 5m, and > report back. Yes, that might help. By the way, your kernel (based on 5.6.8 upstream, not 5.6.14 -- that's the Debian package version) also contains: commit 340eaff651160234bdbce07ef34b92a8e45cd540 Author: Phil Sutter <phil@nwl.cc> Date: Mon May 11 15:31:41 2020 +0200 netfilter: nft_set_rbtree: Add missing expired checks so any issue in that sense should be fixed. See the changelog at: https://metadata.ftp-master.debian.org/changelogs//main/l/linux/linux_5.6.14-1_changelog Anyway, my further question is whether at the moment of the insertion there's an overlapping address already in the set, or the inserted address is included in an interval also already present in the set. What is "a.b.c.d" in your earlier report? Is it a single address or an interval? Once the failure is detected, would it be possible to automatically dump the ruleset (nft list ruleset)? -- Stefano ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: nftables: Strange Error When Adding Element to Named Set 2020-06-01 15:48 ` Stefano Brivio @ 2020-06-01 16:13 ` Mike Dillinger 0 siblings, 0 replies; 16+ messages in thread From: Mike Dillinger @ 2020-06-01 16:13 UTC (permalink / raw) To: Stefano Brivio; +Cc: Pablo Neira Ayuso, netfilter > *From:* Stefano Brivio [mailto:sbrivio@redhat.com] > *To:* Mike Dillinger <miked@softtalker.com> > *Cc:* Pablo Neira Ayuso <pablo@netfilter.org>, netfilter@vger.kernel.org > *Date:* Monday, June 1, 2020, 8:48 AM PDT > *Subject:* nftables: Strange Error When Adding Element to Named Set > > Yes, that might help. By the way, your kernel (based on 5.6.8 upstream, > not 5.6.14 -- that's the Debian package version) also contains: > > commit 340eaff651160234bdbce07ef34b92a8e45cd540 > Author: Phil Sutter <phil@nwl.cc> > Date: Mon May 11 15:31:41 2020 +0200 > > netfilter: nft_set_rbtree: Add missing expired checks > > so any issue in that sense should be fixed. See the changelog at: > https://metadata.ftp-master.debian.org/changelogs//main/l/linux/linux_5.6.14-1_changelog > > Anyway, my further question is whether at the moment of the insertion > there's an overlapping address already in the set, or the inserted > address is included in an interval also already present in the set. > What is "a.b.c.d" in your earlier report? Is it a single address or an > interval? > > Once the failure is detected, would it be possible to automatically dump > the ruleset (nft list ruleset)? > Hi Stefan, I just saw this message after I sent out my detailed repro scenario. Please let me know if I did something wrong and/or you would like me to dump the entire ruleset, or anything else for that matter. I am hoping the repro scenario covers everything. I can answer one of your questions. At the moment of insertion, there are no overlapping ranges in my set. I originally thought I wanted to declare CIDR's/ranges but never ended up doing that, but the table was originally created using intervals. I've always used individual IP addresses. "a.b.c.d" is an IP address in all of my correspondence, not a CIDR nor a range. Thanks! -MikeD ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: nftables: Strange Error When Adding Element to Named Set 2020-06-01 14:58 ` Mike Dillinger 2020-06-01 15:48 ` Stefano Brivio @ 2020-06-01 16:07 ` Mike Dillinger 2020-06-02 13:28 ` Mike Dillinger 1 sibling, 1 reply; 16+ messages in thread From: Mike Dillinger @ 2020-06-01 16:07 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter, sbrivio Yes, I have found a way to reproduce it. Add the set: nft add set ip filter blacklist4-ip-1m {type ipv4_addr\; flags interval,timeout \; timeout 1m \; gc-interval 1m\;} We're not concerned about the IP's that are added to the set because there are no rules covering what to do with the set contents. I wrote a bash script called nftables-bug-repro: #!/bin/bash nft list set ip filter blacklist4-ip-1m for ((i=1;i<=10;i++)); do nft add element filter blacklist4-ip-1m {$i.$i.$i.$i} sleep 1 done nft list set ip filter blacklist4-ip-1m This script actually shows some other odd behavior. In addition to the inaccurate information of IP's already being in the list, the kernel seems to create its own interval/ranges. Running the script every minute creates a different set of errors too. This definitely seems related to the timeout setting; my other sets are working fine since reboot but I expect that to change later after IP's have expired. Below is a sample output run: $ nftables-bug-repro table ip filter { set blacklist4-ip-1m { type ipv4_addr flags interval,timeout timeout 1m gc-interval 1m } } Error: Could not process rule: File exists add element filter blacklist4-ip-1m {1.1.1.1} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: Could not process rule: File exists add element filter blacklist4-ip-1m {2.2.2.2} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: interval overlaps with an existing one add element filter blacklist4-ip-1m {4.4.4.4} ^^^^^^^ Error: Could not process rule: File exists add element filter blacklist4-ip-1m {4.4.4.4} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: interval overlaps with an existing one add element filter blacklist4-ip-1m {5.5.5.5} ^^^^^^^ Error: Could not process rule: File exists add element filter blacklist4-ip-1m {5.5.5.5} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: interval overlaps with an existing one add element filter blacklist4-ip-1m {6.6.6.6} ^^^^^^^ Error: Could not process rule: File exists add element filter blacklist4-ip-1m {6.6.6.6} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: interval overlaps with an existing one add element filter blacklist4-ip-1m {7.7.7.7} ^^^^^^^ Error: Could not process rule: File exists add element filter blacklist4-ip-1m {7.7.7.7} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: interval overlaps with an existing one add element filter blacklist4-ip-1m {8.8.8.8} ^^^^^^^ Error: Could not process rule: File exists add element filter blacklist4-ip-1m {8.8.8.8} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: interval overlaps with an existing one add element filter blacklist4-ip-1m {9.9.9.9} ^^^^^^^ Error: Could not process rule: File exists add element filter blacklist4-ip-1m {9.9.9.9} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: interval overlaps with an existing one add element filter blacklist4-ip-1m {10.10.10.10} ^^^^^^^^^^^ Error: Could not process rule: File exists add element filter blacklist4-ip-1m {10.10.10.10} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ table ip filter { set blacklist4-ip-1m { type ipv4_addr flags interval,timeout timeout 1m gc-interval 1m elements = { 3.3.3.3-255.255.255.255 } } } Notice the bizarre range declaration, as well as 1.1.1.1 and 2.2.2.2 missing even though the kernel claimed they were already present. Here are my kernel and nftables versions: $ uname -a Linux rockenfield 5.6.0-2-amd64 #1 SMP Debian 5.6.14-1 (2020-05-23) x86_64 GNU/Linux $ nft -v nftables v0.9.4 (Jive at Five) Thanks! -MikeD ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: nftables: Strange Error When Adding Element to Named Set 2020-06-01 16:07 ` Mike Dillinger @ 2020-06-02 13:28 ` Mike Dillinger 2020-06-02 14:25 ` Stefano Brivio 0 siblings, 1 reply; 16+ messages in thread From: Mike Dillinger @ 2020-06-02 13:28 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter, sbrivio > *From:* Mike Dillinger [mailto:miked@softtalker.com] > *To:* Pablo Neira Ayuso <pablo@netfilter.org> > *Cc:* netfilter@vger.kernel.org, sbrivio@redhat.com > *Date:* Monday, June 1, 2020, 9:07 AM PDT > *Subject:* nftables: Strange Error When Adding Element to Named Set > > Yes, I have found a way to reproduce it. > > Add the set: > nft add set ip filter blacklist4-ip-1m {type ipv4_addr\; flags interval,timeout \; timeout 1m \; gc-interval 1m\;} > > We're not concerned about the IP's that are added to the set because there are no rules covering what to do with the set contents. > > I wrote a bash script called nftables-bug-repro: > #!/bin/bash > nft list set ip filter blacklist4-ip-1m > for ((i=1;i<=10;i++)); do > nft add element filter blacklist4-ip-1m {$i.$i.$i.$i} > sleep 1 > done > nft list set ip filter blacklist4-ip-1m Hi Pablo, Stefan, et al, I wanted to check and see if anyone was able to reproduce the issue. If not, I'd like to figure out what's unique about my setup so I can resolve the issue on my end. Thanks! -MikeD ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: nftables: Strange Error When Adding Element to Named Set 2020-06-02 13:28 ` Mike Dillinger @ 2020-06-02 14:25 ` Stefano Brivio 2020-06-02 16:38 ` Stefano Brivio 0 siblings, 1 reply; 16+ messages in thread From: Stefano Brivio @ 2020-06-02 14:25 UTC (permalink / raw) To: Mike Dillinger; +Cc: Pablo Neira Ayuso, netfilter Hi Mik, On Tue, 2 Jun 2020 06:28:31 -0700 Mike Dillinger <miked@softtalker.com> wrote: > > *From:* Mike Dillinger [mailto:miked@softtalker.com] > > *To:* Pablo Neira Ayuso <pablo@netfilter.org> > > *Cc:* netfilter@vger.kernel.org, sbrivio@redhat.com > > *Date:* Monday, June 1, 2020, 9:07 AM PDT > > *Subject:* nftables: Strange Error When Adding Element to Named Set > > > > Yes, I have found a way to reproduce it. > > > > Add the set: > > nft add set ip filter blacklist4-ip-1m {type ipv4_addr\; flags > > interval,timeout \; timeout 1m \; gc-interval 1m\;} > > > > We're not concerned about the IP's that are added to the set > > because there are no rules covering what to do with the set > > contents. > > > > I wrote a bash script called nftables-bug-repro: > > #!/bin/bash > > nft list set ip filter blacklist4-ip-1m > > for ((i=1;i<=10;i++)); do > >    nft add element filter blacklist4-ip-1m {$i.$i.$i.$i} > >    sleep 1 > > done > > nft list set ip filter blacklist4-ip-1m > > Hi Pablo, Stefan, et al, > > I wanted to check and see if anyone was able to reproduce the issue. > If not, I'd like to figure out what's unique about my setup so I can > resolve the issue on my end. I haven't tried yet. I plan to check later today, I'll let you know. I don't think there's anything unique about your setup. -- Stefano ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: nftables: Strange Error When Adding Element to Named Set 2020-06-02 14:25 ` Stefano Brivio @ 2020-06-02 16:38 ` Stefano Brivio 2020-06-02 19:58 ` Mike Dillinger 0 siblings, 1 reply; 16+ messages in thread From: Stefano Brivio @ 2020-06-02 16:38 UTC (permalink / raw) To: Mike Dillinger; +Cc: Pablo Neira Ayuso, netfilter On Tue, 2 Jun 2020 16:25:36 +0200 Stefano Brivio <sbrivio@redhat.com> wrote: > On Tue, 2 Jun 2020 06:28:31 -0700 > Mike Dillinger <miked@softtalker.com> wrote: > > > I wanted to check and see if anyone was able to reproduce the issue. > > If not, I'd like to figure out what's unique about my setup so I can > > resolve the issue on my end. > > I haven't tried yet. I plan to check later today, I'll let you know. I > don't think there's anything unique about your setup. Mike, yes, I'm seeing a number of issues with your reproducer, debugging that now. The only kind of unique thing about your setup is that you declare a set with intervals but (I guess) you never add intervals to it. That should work in any case, but as quick workaround, you could omit the 'interval' flag in the set declaration -- assuming you're always inserting single elements. -- Stefano ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: nftables: Strange Error When Adding Element to Named Set 2020-06-02 16:38 ` Stefano Brivio @ 2020-06-02 19:58 ` Mike Dillinger 2020-06-06 13:10 ` meta day not working pauloric 0 siblings, 1 reply; 16+ messages in thread From: Mike Dillinger @ 2020-06-02 19:58 UTC (permalink / raw) To: Stefano Brivio; +Cc: Pablo Neira Ayuso, netfilter > On Tue, 2 Jun 2020 16:25:36 +0200 > Stefano Brivio <sbrivio@redhat.com> wrote: > > Mike, yes, I'm seeing a number of issues with your reproducer, > debugging that now. > > The only kind of unique thing about your setup is that you declare a > set with intervals but (I guess) you never add intervals to it. That > should work in any case, but as quick workaround, you could omit the > 'interval' flag in the set declaration -- assuming you're always > inserting single elements. Hi Stefan, I was considering that myself. As of now, I only declare single elements, and no CIDR's nor ranges. I will look into changing that since the Debian testing kernel availability won't be as timely as I'd like for this particular change. Thanks for looking into this and confirming. -MikeD ^ permalink raw reply [flat|nested] 16+ messages in thread
* meta day not working 2020-06-02 19:58 ` Mike Dillinger @ 2020-06-06 13:10 ` pauloric 2020-06-06 14:37 ` Florian Westphal 0 siblings, 1 reply; 16+ messages in thread From: pauloric @ 2020-06-06 13:10 UTC (permalink / raw) To: netfilter Hi all Hope that everyone is working safety at home. I have been trying to use meta date , but is not working. I think I could not find the correct syntax, but at list I tried in many tentatives. Ubuntu server 20.04 kernel 5.6.0-1010-oem and 5.4.0-33-generic nftables 0.9.3-2 amd64 libnftnl11 1.1.5-1 libnftables1 0.9.3-2 libnfnetlink0 1.0.1-3build1 Not working: only meta day /etc/nftables.d/gerais:17:168-176: Error: Could not parse Day of week of packet reception add rule inet filter INPUT ip saddr 192.168.0.0/16 meta iifname "wan1" ip protocol tcp tcp dport {53,88,123,135,139,389,445,464,636,3268,3269,5353,1024-5000} meta day "(1,3,5)" counter accept comment "ttttttt" meta day and meta hour /etc/nftables.d/gerais:2:189-193: Error: Could not parse Day of week of packet reception add rule inet filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.10.1 meta iifname "lan" ip protocol tcp tcp dport {53,88,123,135,139,389,445,464,636,3268,3269,5353,1024-5000} meta day "1,2" meta hour "8:0" - "18:0" counter accept comment "xxx" Work if I change meta day and let only one day. ip saddr 192.168.0.0/16 ip daddr 192.168.10.1 iifname "lan" ip protocol tcp tcp dport { 53, 88, 123, 135, 139, 389, 445, 464, 636, 1024-5000, 5353 } meta day "Monday" meta hour "08:00"-"18:00" counter packets 0 bytes 0 accept comment "xxx" ip saddr 192.168.0.0/16 iifname "wan1" ip protocol tcp tcp dport { 53, 88, 123, 135, 139, 389, 445, 464, 636, 1024-5000, 5353 } meta day "Wednesday" counter packets 0 bytes 0 accept comment "ttttttt" What am I doing incorrectly...? Can't I use more than 1 day in rule _+ time ? I intend use meta day + meta time as normaly this: Monday to Friday from 8:00 until 18:00hs. Thanks for you time best regards -- Paulo Ricardo Bruck consultor ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: meta day not working 2020-06-06 13:10 ` meta day not working pauloric @ 2020-06-06 14:37 ` Florian Westphal 2020-06-06 15:06 ` pauloric 0 siblings, 1 reply; 16+ messages in thread From: Florian Westphal @ 2020-06-06 14:37 UTC (permalink / raw) To: pauloric; +Cc: netfilter pauloric@contatogs.com.br <pauloric@contatogs.com.br> wrote: > only meta day > /etc/nftables.d/gerais:17:168-176: Error: Could not parse Day of week of packet reception > > meta day "(1,3,5)" counter accept comment "ttttttt" Anonymous sets use curly braces "{}", not "()". ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: meta day not working 2020-06-06 14:37 ` Florian Westphal @ 2020-06-06 15:06 ` pauloric 0 siblings, 0 replies; 16+ messages in thread From: pauloric @ 2020-06-06 15:06 UTC (permalink / raw) To: netfilter shame on me...8( thanks Florian ----- Mensagem original ----- De: "Florian Westphal" <fw@strlen.de> Para: "pauloric" <pauloric@contatogs.com.br> Cc: "netfilter" <netfilter@vger.kernel.org> Enviadas: Sábado, 6 de junho de 2020 11:37:02 Assunto: Re: meta day not working > only meta day > /etc/nftables.d/gerais:17:168-176: Error: Could not parse Day of week of packet reception > > meta day "(1,3,5)" counter accept comment "ttttttt" Anonymous sets use curly braces "{}", not "()". ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2020-06-06 15:06 UTC | newest] Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-05-08 14:06 nftables: Strange Error When Adding Element to Named Set Mike Dillinger 2020-05-08 16:01 ` Pablo Neira Ayuso 2020-05-08 17:13 ` Mike Dillinger 2020-05-31 17:18 ` Mike Dillinger 2020-06-01 12:41 ` Pablo Neira Ayuso 2020-06-01 14:58 ` Mike Dillinger 2020-06-01 15:48 ` Stefano Brivio 2020-06-01 16:13 ` Mike Dillinger 2020-06-01 16:07 ` Mike Dillinger 2020-06-02 13:28 ` Mike Dillinger 2020-06-02 14:25 ` Stefano Brivio 2020-06-02 16:38 ` Stefano Brivio 2020-06-02 19:58 ` Mike Dillinger 2020-06-06 13:10 ` meta day not working pauloric 2020-06-06 14:37 ` Florian Westphal 2020-06-06 15:06 ` pauloric
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.