Linux Netfilter discussions
From: Nathan Wagner <nw@hydaspes.if.org>
To: netfilter@vger.kernel.org
Subject: nft list empty
Date: Tue, 26 Oct 2021 19:28:00 +0000
Message-ID: <YXhWwPas9vnN2XDi@granicus.if.org>

For some reason, 'nft list ...' doesn't seem to print anything out.
An 'nft create table' seems to create the table, but other than an
error if I try to create it again, I don't have any way to tell.

I am probably missing something, but I have looked around and
don't see what it could be.  I worked up a script to reproduce
the issue, the output of which is below.

What is especially puzzling is that a 'list ruleset' within the same
nft process shows output, so it's like nft just isn't committing the
changes for some reason.  Except that doing two creates in a row
generates an error that I interpret to mean that the table already
exists.  This also implies that the table create persisted across
separate nft processes.

Finally and separately, I tried doing an 'echo list ruleset | nft -f -'
and it errors out with a missing /dev/stdin.  Ok, my /dev filesystem is
probably broken, but why is it trying to open /dev/stdin in the first
place instead of just reading from fd 0?  I imagine that somewhere
there's the equivalent of an "if filename = '-' then filename =
'/dev/stdin'" and then it goes through the same process it uses for named
files.  I'd do this the other way around.

+ uname -r
4.15.10-2-zoranix
+ lsmod
+ grep nf
nft_set_rbtree         16384  0
nft_set_hash           24576  0
nft_set_bitmap         16384  0
nft_reject             16384  0
nft_counter            16384  0
nf_tables_inet         16384  0
nf_tables_ipv6         16384  1 nf_tables_inet
nf_tables_ipv4         16384  5 nf_tables_inet
nf_tables              94208  8 nft_set_bitmap,nft_reject,nft_set_hash,nf_tables_ipv6,nf_tables_ipv4,nft_set_rbtree,nft_counter,nf_tables_inet
configs                45056  0
+ nft flush ruleset
+ nft list ruleset
+ nft create table ip filter
+ nft list ruleset
+ nft create table ip filter
Error: Could not process rule: File exists
create table ip filter
^^^^^^^^^^^^^^^^^^^^^^^
+ cat new/bare
#!/usr/sbin/nft -f

flush ruleset

table ip filter {
   chain input { type filter hook input priority 0; policy accept; }
   chain forward { type filter hook forward priority 0; policy accept; }
   chain output { type filter hook output priority 0; policy accept; }
}

list ruleset
+ /usr/sbin/nft -f new/bare
table ip filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
+ nft list ruleset
+ echo flush ruleset
+ /usr/sbin/nft -f -
internal:0:0-0: Error: Could not open file "/dev/stdin": No such file or directory

-- 
nw


Thread overview: 5+ messages
2021-10-26 19:28 Nathan Wagner [this message]
2021-10-26 20:32 ` nft list empty Benno
2021-10-26 20:58   ` Nathan Wagner
2021-10-26 22:40 ` Pablo Neira Ayuso
2021-10-27  5:49   ` Nathan Wagner
