From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Mark Morgan <morganm.qc@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Nftables / ipset / multiple tables
Date: Wed, 14 Dec 2016 23:15:28 +0100
Message-ID: <20161214221528.GA1972@salvia>
In-Reply-To: <CABAu8hPR=S+jpFtuOn3mNByWEiZmgOSnvyiazrurjNhxg787WQ@mail.gmail.com>
On Tue, Dec 13, 2016 at 08:06:27PM -0800, Mark Morgan wrote:
> Great ideas, thank you both. I tried Pablo's suggestion and have an
> error. Here's what it looks like:
>
> # nftables.conf
> include "/etc/nftables.country-block"
> table inet filter {
> set country-block {
> type ipv4_addr; flags interval;
> elements = $country_block_list
> }
> }
>
> # nftables.country-block
> define country_block_list = {
> 1.160.0.0/12, 1.192.0.0/13, 1.200.0.0/16, 1.202.0.0/15, 1.204.0.0/14,
> # .... many lines here
> 223.240.0.0/13, 223.4.0.0/14, 223.64.0.0/11
> }
>
> And when I try to reload nftables, I receive the error:
>
> Dec 13 19:56:18 ip-172-31-46-95 nft[563]: /etc/nftables.conf:82:16-16:
> Error: syntax error, unexpected '$', expecting '{'
> Dec 13 19:56:18 ip-172-31-46-95 nft[563]: elements = $country_block_list
> Dec 13 19:56:18 ip-172-31-46-95 nft[563]: ^
>
> Did I do something wrong? Versions if it matters (Arch Linux):
>
> > uname -r -m
> 4.4.36-1-ec2-lts x86_64
> > nft --version
> nftables v0.6 (Support Edward Snowden)
This is fixed at git.netfilter.org, it would be great if you can test
this and confirm. We're preparing a release soon.
What I sent you works here.
> I tried Leon's suggested approach and it just coredumps:
>
> # nftables.conf
> table inet filter {
> set country-block {
> type ipv4_addr; flags interval;
> }
> }
> include "/etc/nftables.country-block"
>
> # nftables.country-block
> add element inet filter country-block {
> 1.160.0.0/12, 1.192.0.0/13, 1.200.0.0/16, 1.202.0.0/15, 1.204.0.0/14,
> # ... blah blah
> 223.240.0.0/13, 223.4.0.0/14, 223.64.0.0/11
> }
>
> -- Unit nftables.service has begun starting up.
> Dec 13 20:00:35 ip-172-31-46-95 kernel: nft[616]: segfault at 70 ip
> 000000000041d662 sp 00007ffc1b3f8db0 error 4 in nft[400000+56000]
> Dec 13 20:00:35 ip-172-31-46-95 systemd[1]: Started Process Core Dump
> (PID 618/UID 0).
> -- Subject: Unit systemd-coredump@2-618-0.service has finished start-up
>
> Also in case size is a possible issue, here's word count on my
> country-block file:
>
> > wc nftables.country-block
> 213 952 16532 nftables.country-block
>
> Skipping 10-15 words of meta information, that's approximately ~940
> CIDR blocks in the list.
>
> Should I try different versions of nftables or a newer kernel? Or for
> the core dumping issue, feel free to point me at some docs for how to
> capture useful debug information for the devs and I'm happy to read up
> and submit a bug report.
Yes, try newer libnftnl and nftables at git.netfilter.org and get back
to us if you still have problems.
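As an added example (not part of this thread or of the nftables project), a small Python script that builds the `/etc/nftables.country-block` include file from a raw CIDR list in either of the two shapes discussed above: the `define country_block_list = { ... }` variable form, or the `add element inet filter country-block { ... }` form that must be included after the set exists. It validates each entry and merges overlapping blocks before emitting, so the interval set gets disjoint elements; `SAMPLE_CIDRS` is constructed input and all function names are this example's own.

```python
"""Build an /etc/nftables.country-block include file from a raw CIDR list."""
import ipaddress
from typing import List

# Constructed sample input: unsorted, comma- and newline-separated, with a
# comment line and one block (1.192.0.0/14) nested inside another (1.192.0.0/13).
SAMPLE_CIDRS = """\
1.160.0.0/12
1.192.0.0/13, 1.192.0.0/14
# .... many lines here
223.240.0.0/13, 223.4.0.0/14, 223.64.0.0/11
"""


def parse_cidrs(text: str) -> List[ipaddress.IPv4Network]:
    """Validate every entry; the set is `type ipv4_addr`, so IPv6 is rejected."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop nft-style comments
        for tok in line.replace(",", " ").split():
            # strict=True rejects entries with host bits set (e.g. 1.2.3.4/8)
            # instead of silently widening them to the whole /8.
            net = ipaddress.ip_network(tok, strict=True)
            if net.version != 4:
                raise ValueError(f"not an IPv4 network: {tok}")
            nets.append(net)
    return nets


def normalize(nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Sort and merge overlapping/adjacent blocks so the interval set
    receives disjoint elements (nft reports overlapping intervals as conflicts)."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def render(cidrs: List[str], form: str = "define", per_line: int = 5) -> str:
    """form="define" -> `define country_block_list = { ... }` (consumed via
    `elements = $country_block_list`); form="add" -> `add element inet filter
    country-block { ... }`, to be included after the set has been created."""
    header = {"define": "define country_block_list = {",
              "add": "add element inet filter country-block {"}[form]
    rows = [", ".join(cidrs[i:i + per_line]) for i in range(0, len(cidrs), per_line)]
    return header + "\n" + ",\n".join("    " + r for r in rows) + "\n}\n"


def build_include(text: str, form: str = "define") -> str:
    return render(normalize(parse_cidrs(text)), form)


if __name__ == "__main__":
    print(build_include(SAMPLE_CIDRS, "define"))
```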