* Re: Change in nft set element add syntax?
From: Pablo Neira Ayuso @ 2022-09-22 5:40 UTC
To: Austin Lund; +Cc: netfilter
Hi,
No syntax updates have been done, see below.
On Thu, Sep 22, 2022 at 12:12:38PM +1000, Austin Lund wrote:
> Hi,
>
> I upgraded from nft 1.0.1 to 1.0.5 and found some of the rules I have
> gave some errors. I narrowed it down to adding to sets. It's all
> pretty simple; the error is
>
> > # /usr/bin/nft -c -f /etc/nftables.conf
> > /etc/nftables.conf:44:3-37: Error: Could not process rule: Operation not supported
> > ip saddr @badconns goto update_drop
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > /etc/nftables.conf:64:3-28: Error: Could not process rule: Invalid argument
> > add @badconns { ip saddr }
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> I have my nftables.conf stuff like this:
>
> > table inet filter {
> >     set badconns { typeof ip saddr; timeout 1h; }
> >     set badconns6 { typeof ip6 saddr; timeout 1h; }
> >     ...
> >     chain input {
> >         ...
> >         ip saddr @badconns goto update_drop
> >         ip6 saddr @badconns6 goto update_drop
> >         ...
> >     }
> >
> >     chain update_drop {
> >         update @badconns { ip saddr }
> >         update @badconns6 { ip6 saddr }
> >         drop
> >     }
> >     ...
>
> This logic is probably somewhat broken, but it does work in the older
> version. Should this give an error in the new version?
This loads fine here.
# cat test.nft
table inet filter {
    set badconns { typeof ip saddr; timeout 1h; }
    set badconns6 { typeof ip6 saddr; timeout 1h; }

    chain input {
        ip saddr @badconns goto update_drop
        ip6 saddr @badconns6 goto update_drop
    }

    chain update_drop {
        update @badconns { ip saddr }
        update @badconns6 { ip6 saddr }
        drop
    }
}
# nft -f test.nft
# echo $?
# nft list ruleset
table inet filter {
    set badconns {
        typeof ip saddr
        size 65535
        flags dynamic,timeout
        timeout 1h
    }

    set badconns6 {
        typeof ip6 saddr
        size 65535
        flags dynamic,timeout
        timeout 1h
    }

    chain input {
        ip saddr @badconns goto update_drop
        ip6 saddr @badconns6 goto update_drop
    }

    chain update_drop {
        update @badconns { ip saddr }
        update @badconns6 { ip6 saddr }
        drop
    }
}
# nft -v
nftables v1.0.5 (Lester Gooch #4)
* Re: Change in nft set element add syntax?
From: Jacob Middag @ 2023-04-16 18:40 UTC
To: netfilter
On Thu, Sep 22, 2022 at 7:40 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> No syntax updates have been done, see below.
>
> On Thu, Sep 22, 2022 at 12:12:38PM +1000, Austin Lund wrote:
> > Hi,
> >
> > I upgraded from nft 1.0.1 to 1.0.5 and found some of the rules I have
> > gave some errors. I narrowed it down to adding to sets. It's all
> > pretty simple; the error is
> >
> > > # /usr/bin/nft -c -f /etc/nftables.conf
> > > /etc/nftables.conf:44:3-37: Error: Could not process rule: Operation not supported
> > > ip saddr @badconns goto update_drop
> > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > /etc/nftables.conf:64:3-28: Error: Could not process rule: Invalid argument
> > > add @badconns { ip saddr }
> > > ^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
>
> This loads fine here.
>
> # cat test.nft
> table inet filter {
>     set badconns { typeof ip saddr; timeout 1h; }
>     set badconns6 { typeof ip6 saddr; timeout 1h; }
>
>     chain input {
>         ip saddr @badconns goto update_drop
>         ip6 saddr @badconns6 goto update_drop
>     }
>
>     chain update_drop {
>         update @badconns { ip saddr }
>         update @badconns6 { ip6 saddr }
>         drop
>     }
> }
Hi,
I had the exact same problem and couldn't find anything except this post.
I could actually track it down to a specific commit by git bisect:
https://git.netfilter.org/nftables/commit/?id=8d443adfcc8c19effd6be9a9c903ee96e374f2e8
So it looks like setting the NFT_SET_EVAL flag gives the "Invalid argument" error.
If I got it correctly, this flag is equivalent to adding the dynamic
flag in the named set.
When setting it explicitly in the example with "flags dynamic",
it also breaks with the earlier commits, including version 1.0.1.
This led me to believe it is actually a problem in the kernel module,
and I found out I was using a very old kernel (4.9) without this patch:
https://lore.kernel.org/lkml/20191010083512.320042206@linuxfoundation.org/
Updating the Linux kernel to 5.15 fixed the problem for me.
Jacob
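A small probe script, added here as an example and not part of the thread, that reproduces the construct which failed on the old kernel (a dynamic set with timeout plus an `update` rule) and asks the kernel for its verdict with `nft -c` before a real ruleset is deployed. It assumes `nft` is on PATH (override with the hypothetical `NFT` variable) and that it is run as root, since even a dry-run check talks to nf_tables over netlink.

```shell
#!/bin/sh
# Added example: check whether the running kernel accepts a dynamic
# (NFT_SET_EVAL) set that a rule updates. `nft -c -f -` submits the
# ruleset from stdin in dry-run mode, so nothing is committed but the
# kernel still validates it, which is where the 4.9 kernel in the
# thread answered "Invalid argument" / "Operation not supported".
: "${NFT:=nft}"   # assumption: nft binary on PATH, overridable for testing

# Constructed minimal ruleset: explicit "flags dynamic" as in Jacob's
# test, a timeout, and an update rule, in a throwaway table name.
probe_ruleset() {
  cat <<'EOF'
table inet probe_dynset {
  set badconns { typeof ip saddr; flags dynamic,timeout; timeout 1h; }
  chain update_drop {
    update @badconns { ip saddr }
    drop
  }
}
EOF
}

# Return codes: 0 supported, 1 kernel rejects dynamic sets,
# 2 some other nft error, 3 nft binary not found.
check_dynamic_set_support() {
  command -v "$NFT" >/dev/null 2>&1 || return 3
  out=$(probe_ruleset | "$NFT" -c -f - 2>&1) && return 0
  case "$out" in
    *"Operation not supported"*|*"Invalid argument"*) return 1 ;;
    *) return 2 ;;
  esac
}

# Human-readable report; returns the same code as the check.
report_dynamic_set_support() {
  rc=0
  check_dynamic_set_support || rc=$?
  case $rc in
    0) echo "dynamic sets with update rules: supported on kernel $(uname -r)" ;;
    1) echo "kernel $(uname -r) rejects dynamic sets; a newer kernel is needed (5.15 worked in the thread)" ;;
    2) echo "nft -c failed for another reason, check the ruleset syntax" ;;
    3) echo "nft binary '$NFT' not found" ;;
  esac
  return $rc
}

report_dynamic_set_support || true
```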