Dear nftables-developers,
at Selfnet, we have been operating our CGN based on nftables for roughly 4 years now (at that time we switched from iptables). Recently, we have upgraded our first server from Debian bullseye (Kernel 5.10, nftables 0.9.8) to bookworm (Kernel 6.1, nftables 1.0.6). On bookworm, our ruleset that works well on bullseye fails to load.
We have boiled it down to the minimal example attached, which fails to load correctly on bookworm and also on a current Arch Linux.
xxxxx@xxxxx:~$ sudo nft -f example.conf
example.conf:5:35-48: Error: Could not process rule: No such file or directory
add element inet filter testmap { 192.168.0.0/24 : "TEST" }
                                  ^^^^^^^^^^^^^^
What we have tested:
- Removing the last line from the file and running it later manually via the command line, there is no error
- Splitting the file in two (having the final line in a separate file), the two files can be applied with two nft -f calls with no error
- When swapping the lines 3 and 4 (i.e. first add counter, then add map), there is no error applying the file
- Removing "flags: interval" from the map and testing with a single IP, there is no error applying the file
In summary, I believe our rule syntax is OK, but something is going wrong when the rules are applied in the given order atomically with "nft -f". We appreciate any insight; please also let us know if we did something wrong or if we can assist with debugging further.
Thank you and best regards,
Jann
example.conf:
flush ruleset
add table inet filter
add map inet filter testmap { type ipv4_addr : counter; flags interval;}
add counter inet filter TEST
add element inet filter testmap { 192.168.0.0/24 : "TEST" }
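Added example, not part of the report above and not nftables' own tooling: a small Python helper that flags the ordering the tests above narrow the failure down to (a named counter, quota or limit object declared after a map in the same table whose value type is that object kind) and emits the ruleset with the declaration moved ahead of the map, which is the swap of lines 3 and 4 that loaded without error in the author's tests. It assumes the one-statement-per-line "add ..." form used in example.conf (no "table inet filter { ... }" blocks), only looks at maps (sets carry no value type), and the regexes, function names and the embedded sample are its own constructions.

```python
"""Detect and repair 'object declared after the map that uses its type' ordering
in an nft ruleset written as one 'add ...' statement per line.

Hypothetical helper written for this report; not part of nftables.
"""
import re
import sys

# Constructed sample: the reproducer from the report, in the order that fails.
SAMPLE = """flush ruleset
add table inet filter
add map inet filter testmap { type ipv4_addr : counter; flags interval;}
add counter inet filter TEST
add element inet filter testmap { 192.168.0.0/24 : "TEST" }
"""

# add <kind> <family> <table> <name> ...   (named stateful objects)
OBJ_RE = re.compile(r'^add (counter|quota|limit) (\S+) (\S+) (\S+)')
# add map <family> <table> <name> { type <key> : <kind> ...   (object-valued maps)
MAP_RE = re.compile(
    r'^add map (\S+) (\S+) (\S+)\s*\{\s*type\s+\S+\s*:\s*(counter|quota|limit)\b')


def ordering_hazards(text):
    """Return (object_line, map_line) pairs, 1-based, where a named object is
    declared after a map of the same table whose value type is that kind."""
    hazards = []
    maps = []  # (line_no, family, table, kind)
    for no, line in enumerate(text.splitlines(), 1):
        mm = MAP_RE.match(line)
        if mm:
            family, table, _name, kind = mm.groups()
            maps.append((no, family, table, kind))
            continue
        om = OBJ_RE.match(line)
        if om:
            kind, family, table, _name = om.groups()
            for mno, mf, mt, mk in maps:
                if (mf, mt, mk) == (family, table, kind):
                    hazards.append((no, mno))
    return hazards


def reorder(text):
    """Move each named-object declaration in front of the first earlier map in
    the same table that uses its kind as value type; everything else keeps its
    relative order. This reproduces the line swap that loaded cleanly."""
    out = []
    for line in text.splitlines():
        om = OBJ_RE.match(line)
        if om:
            kind, family, table, _name = om.groups()
            target = None
            for i, prev in enumerate(out):
                mm = MAP_RE.match(prev)
                if mm and (mm.group(1), mm.group(2), mm.group(4)) == (family, table, kind):
                    target = i
                    break
            if target is not None:
                out.insert(target, line)
                continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python3 nft_reorder.py example.conf > example.reordered.conf
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for obj_no, map_no in ordering_hazards(src):
        print(f"line {obj_no}: object declared after map on line {map_no}", file=sys.stderr)
    sys.stdout.write(reorder(src))
```

The reordered output can then be checked with "nft -c -f" before loading; the helper only rewrites the file, it does not talk to the kernel.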