* bug: nft include with includedir path with globs loads files twice
@ 2025-09-24 20:23 Christoph Anton Mitterer
From: Christoph Anton Mitterer @ 2025-09-24 20:23 UTC (permalink / raw)
To: netfilter-devel
Hey.
With:
# nft -v
nftables v1.1.5 (Commodore Bullmoose #6)
from Debian sid which uses a default include dir of:
# nft -h | grep includepath
-I, --includepath <directory> Add <directory> to the paths searched for include files. Default is: /etc
And e.g.:
/etc/nftables.conf:
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter
        ct state {established,related} accept
    }
}

include "nftables/rules.d/*.nft"
and:
/etc/nftables/rules.d/x.nft:
table inet filter {
    chain bla {
        type filter hook input priority filter
        ip daddr 1.1.1.1 drop
    }
}
and no other files in rules.d... nft seems to somehow include x.nft
twice:
# nft -f /etc/nftables.conf; nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state { established, related } accept
    }

    chain bla {
        type filter hook input priority filter; policy accept;
        ip daddr 1.1.1.1 drop
        ip daddr 1.1.1.1 drop
    }
}
If I change the include to "nftables/rules.d/x.nft" or to
"/etc/nftables/rules.d/*.nft"... it works (i.e. only one ip daddr
1.1.1.1 drop).
Thanks,
Chris.
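A quick way to notice this kind of double include after the fact is to scan `nft list ruleset` output for rules that repeat inside one chain. The script below is an added example for this thread, not code from nftables or from any of the posters; it parses the plain-text listing format shown above and reports repeated rules per (family, table, chain). The embedded ruleset is a constructed copy of the reporter's output, and the parser only knows the table/chain/rule layout that `nft list ruleset` prints (nested set and map blocks are skipped, not interpreted).

```python
"""Flag rules that appear more than once in the same chain of `nft list ruleset` output."""
import re
import sys
from collections import Counter

# Constructed sample: the ruleset the bug report shows after the double
# include, with "ip daddr 1.1.1.1 drop" appearing twice in chain "bla".
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state { established, related } accept
    }

    chain bla {
        type filter hook input priority filter; policy accept;
        ip daddr 1.1.1.1 drop
        ip daddr 1.1.1.1 drop
    }
}
"""

_TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{$")
_CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{$")
# Chain properties printed by nft that are not rules.
_CHAIN_PROPS = ("type ", "policy ", "comment ", "flags ", "devices ")


def parse_rules(text):
    """Return {(family, table, chain): [rule, ...]} in listing order.

    A small stack tracks which brace block we are in, so set/map/counter
    blocks inside a table are skipped rather than mistaken for rules.
    """
    rules = {}
    stack = []  # entries: ("table", (family, name)) / ("chain", key) / ("other", None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _TABLE_RE.match(line)
        if m:
            stack.append(("table", (m.group(1), m.group(2))))
            continue
        m = _CHAIN_RE.match(line)
        if m and stack and stack[-1][0] == "table":
            key = stack[-1][1] + (m.group(1),)
            rules.setdefault(key, [])
            stack.append(("chain", key))
            continue
        if line.endswith("{"):
            stack.append(("other", None))
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        if stack and stack[-1][0] == "chain" and not line.startswith(_CHAIN_PROPS):
            rules[stack[-1][1]].append(line)
    return rules


def duplicated_rules(text):
    """Return {(family, table, chain): {rule: count}} for rules seen more than once."""
    dupes = {}
    for key, chain_rules in parse_rules(text).items():
        repeated = {r: n for r, n in Counter(chain_rules).items() if n > 1}
        if repeated:
            dupes[key] = repeated
    return dupes


if __name__ == "__main__":
    # Pipe `nft list ruleset` into the script, or run it bare to use the sample.
    text = SAMPLE_RULESET if sys.stdin.isatty() else sys.stdin.read()
    found = duplicated_rules(text)
    for (family, table, chain), repeated in found.items():
        for rule, n in repeated.items():
            print(f"{family} {table} {chain}: {n}x {rule}")
    sys.exit(1 if found else 0)
```

Run it as `nft list ruleset | python3 check_dupes.py` (the file name is arbitrary) after loading a configuration that uses glob includes; a non-zero exit means at least one chain carries a repeated rule. Identical rules are only a symptom, though: a file loaded twice can also repeat statements that are not idempotent, so the listing should be compared with what the included files actually contain.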
* Re: bug: nft include with includedir path with globs loads files twice
From: Jeremy Sowden @ 2025-09-25 20:00 UTC (permalink / raw)
To: netfilter-devel; +Cc: Christoph Anton Mitterer
On 2025-09-24, at 22:23:11 +0200, Christoph Anton Mitterer wrote:
> Hey.
>
> With:
> # nft -v
> nftables v1.1.5 (Commodore Bullmoose #6)
> from Debian sid which uses a default include dir of:
> # nft -h | grep includepath
> -I, --includepath <directory> Add <directory> to the paths searched for include files. Default is: /etc
>
>
> And e.g.:
> /etc/nftables.conf:
> #!/usr/sbin/nft -f
>
> flush ruleset
>
> table inet filter {
>     chain input {
>         type filter hook input priority filter
>         ct state {established,related} accept
>     }
> }
>
> include "nftables/rules.d/*.nft"
>
> and:
> /etc/nftables/rules.d/x.nft:
> table inet filter {
>     chain bla {
>         type filter hook input priority filter
>         ip daddr 1.1.1.1 drop
>     }
> }
> and no other files in rules.d... nft seems to somehow include x.nft
> twice:
>
> # nft -f /etc/nftables.conf; nft list ruleset
> table inet filter {
>     chain input {
>         type filter hook input priority filter; policy accept;
>         ct state { established, related } accept
>     }
>
>     chain bla {
>         type filter hook input priority filter; policy accept;
>         ip daddr 1.1.1.1 drop
>         ip daddr 1.1.1.1 drop
>     }
> }
>
> If I change the include to "nftables/rules.d/x.nft" or to
> "/etc/nftables/rules.d/*.nft"... it works (i.e. only one ip daddr
> 1.1.1.1 drop).
There is a Debian bug report related to this:
https://bugs.debian.org/1112512
J.
* Re: bug: nft include with includedir path with globs loads files twice
From: Pablo Neira Ayuso @ 2025-09-25 21:44 UTC (permalink / raw)
To: Jeremy Sowden; +Cc: netfilter-devel, Christoph Anton Mitterer
On Thu, Sep 25, 2025 at 09:00:05PM +0100, Jeremy Sowden wrote:
> On 2025-09-24, at 22:23:11 +0200, Christoph Anton Mitterer wrote:
> > Hey.
> >
> > With:
> > # nft -v
> > nftables v1.1.5 (Commodore Bullmoose #6)
> > from Debian sid which uses a default include dir of:
> > # nft -h | grep includepath
> > -I, --includepath <directory> Add <directory> to the paths searched for include files. Default is: /etc
> >
> >
> > And e.g.:
> > /etc/nftables.conf:
> > #!/usr/sbin/nft -f
> >
> > flush ruleset
> >
> > table inet filter {
> >     chain input {
> >         type filter hook input priority filter
> >         ct state {established,related} accept
> >     }
> > }
> >
> > include "nftables/rules.d/*.nft"
> >
> > and:
> > /etc/nftables/rules.d/x.nft:
> > table inet filter {
> >     chain bla {
> >         type filter hook input priority filter
> >         ip daddr 1.1.1.1 drop
> >     }
> > }
> > and no other files in rules.d... nft seems to somehow include x.nft
> > twice:
> >
> > # nft -f /etc/nftables.conf; nft list ruleset
> > table inet filter {
> >     chain input {
> >         type filter hook input priority filter; policy accept;
> >         ct state { established, related } accept
> >     }
> >
> >     chain bla {
> >         type filter hook input priority filter; policy accept;
> >         ip daddr 1.1.1.1 drop
> >         ip daddr 1.1.1.1 drop
> >     }
> > }
> >
> > If I change the include to "nftables/rules.d/x.nft" or to
> > "/etc/nftables/rules.d/*.nft"... it works (i.e. only one ip daddr
> > 1.1.1.1 drop).
>
> There is a Debian bug report related to this:
>
> https://bugs.debian.org/1112512
For the record:
https://git.netfilter.org/nftables/commit/?id=3af59817b8d3994d52db0f1aa5dabeebc84dae45