From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jeremy Sowden <jeremy@azazel.net>
Cc: netfilter-devel@vger.kernel.org,
Christoph Anton Mitterer <calestyo@scientia.org>
Subject: Re: bug: nft include with includedir path with globs loads files twice
Date: Thu, 25 Sep 2025 23:44:58 +0200
Message-ID: <aNW32hgObaM7aJs6@calendula>
In-Reply-To: <20250925200005.GB6365@celephais.dreamlands>

On Thu, Sep 25, 2025 at 09:00:05PM +0100, Jeremy Sowden wrote:
> On 2025-09-24, at 22:23:11 +0200, Christoph Anton Mitterer wrote:
> > Hey.
> >
> > With:
> > # nft -v
> > nftables v1.1.5 (Commodore Bullmoose #6)
> > from Debian sid which uses a default include dir of:
> > # nft -h | grep includepath
> > -I, --includepath <directory> Add <directory> to the paths searched for include files. Default is: /etc
> >
> >
> > And e.g.:
> > /etc/nftables.conf
> > #!/usr/sbin/nft -f
> >
> > flush ruleset
> >
> > table inet filter {
> >     chain input {
> >         type filter hook input priority filter
> >         ct state {established,related} accept
> >     }
> > }
> >
> > include "nftables/rules.d/*.nft"
> >
> > and:
> > /etc/nftables/rules.d/x.nft:
> > table inet filter {
> >     chain bla {
> >         type filter hook input priority filter
> >         ip daddr 1.1.1.1 drop
> >     }
> > }
> > and no other files in rules.d... nft seems to somehow include x.nft
> > twice:
> >
> > # nft -f /etc/nftables.conf; nft list ruleset
> > table inet filter {
> >     chain input {
> >         type filter hook input priority filter; policy accept;
> >         ct state { established, related } accept
> >     }
> >
> >     chain bla {
> >         type filter hook input priority filter; policy accept;
> >         ip daddr 1.1.1.1 drop
> >         ip daddr 1.1.1.1 drop
> >     }
> > }
> >
> > If I change the include to "nftables/rules.d/x.nft" or to
> > "/etc/nftables/rules.d/*.nft"... it works (i.e. only one ip daddr
> > 1.1.1.1 drop).
>
> There is a Debian bug report related to this:
>
> https://bugs.debian.org/1112512

For the record:

https://git.netfilter.org/nftables/commit/?id=3af59817b8d3994d52db0f1aa5dabeebc84dae45
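
An added example, not part of the thread and not nftables code: a check for the symptom reported above, a rule that appears more than once in the same chain of `nft list ruleset` output (as happens when an include file is loaded twice). The function name `duplicate_rules` is hypothetical; it assumes nft's default listing format with one rule per line, and a repeated rule can also be intentional, so a hit is something to review rather than proof of this bug.

```python
import re
import sys
from collections import Counter

# Constructed sample: the `nft list ruleset` output quoted in the report.
SAMPLE = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state { established, related } accept
    }

    chain bla {
        type filter hook input priority filter; policy accept;
        ip daddr 1.1.1.1 drop
        ip daddr 1.1.1.1 drop
    }
}
"""

OPEN = re.compile(r"^(\w+)\s+(.+?)\s*\{$")     # "table inet filter {", "chain bla {", "set s {"
HANDLE = re.compile(r"\s*# handle \d+$")       # suffix printed by `nft -a list ruleset`
CHAIN_META = ("type ", "policy ", "comment ")  # chain properties, not rules

def duplicate_rules(listing):
    """Return (table, chain, rule, count) for each rule repeated within one chain."""
    stack, counts = [], {}
    for raw in listing.splitlines():
        line = HANDLE.sub("", raw.strip())
        block = OPEN.match(line)
        if block:
            stack.append((block.group(1), block.group(2)))
        elif line == "}":
            if stack:
                stack.pop()
        elif [kind for kind, _ in stack] == ["table", "chain"]:
            # Only lines directly inside a chain are rules; set/map bodies are skipped.
            if line and not line.startswith(CHAIN_META):
                key = (stack[0][1], stack[1][1])
                counts.setdefault(key, Counter())[line] += 1
    return [(t, c, rule, n) for (t, c), per_chain in counts.items()
            for rule, n in per_chain.items() if n > 1]

if __name__ == "__main__":
    # Usage: nft list ruleset | python3 this_script.py  (uses SAMPLE on a terminal)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for table, chain, rule, n in duplicate_rules(text):
        print(f"{table} / {chain}: '{rule}' appears {n} times")
```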