Hi Jann,

On Wed, Sep 13, 2023 at 07:42:01PM +0200, Jann Haber wrote:
> Dear nftables-developers,
>
> At Selfnet, we have been operating our CGN based on nftables for
> roughly 4 years now (at that time we switched from iptables).
> Recently, we have upgraded our first server from Debian bullseye
> (Kernel 5.10, nftables 0.9.8) to bookworm (Kernel 6.1, nftables
> 1.0.6). On bookworm, our ruleset that works well on bullseye fails
> to load.
>
> We have boiled it down to the minimal example attached, which fails
> to load correctly on bookworm and also on a current Arch Linux.
>
> xxxxx@xxxxx:~$ sudo nft -f example.conf
> example.conf:5:35-48: Error: Could not process rule: No such file or directory
> add element inet filter testmap { 192.168.0.0/24 : "TEST" }
>                                   ^^^^^^^^^^^^^^
>
> What we have tested:
> - Removing the last line from the file and running it later manually
>   via the command line, there is no error
> - Splitting the file in two (having the final line in a separate
>   file), the two files can be applied with two nft -f calls with no
>   error
> - When swapping lines 3 and 4 (i.e. first add counter, then add
>   map), there is no error applying the file
> - Removing "flags: interval" from the map and testing with a single
>   IP, there is no error applying the file
>
> In summary, I believe our rule syntax is OK, but something is going
> wrong when the rules are applied in the given order atomically with
> "nft -f". We appreciate any insight; please also let us know if we
> did something wrong or if we can assist with debugging further.

I can reproduce it. This is a userspace bug that happens with interval
sets in nft_cmd_post_expand(); I will post a fix ASAP.

> flush ruleset
> add table inet filter
> add map inet filter testmap { type ipv4_addr : counter; flags interval;}
> add counter inet filter TEST
> add element inet filter testmap { 192.168.0.0/24 : "TEST" }

Thanks for the detailed report; I will also add this test case to
improve coverage.
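The following script is an added example, not part of the thread and not nftables project code. It automates the comparison Jann describes (map declared before the counter versus counter declared before the map, each loaded as one atomic `nft -f` transaction) so you can tell whether the nft binary on a given host is affected. Unlike the posted reproducer it does not `flush ruleset`; it uses a throwaway table (the name `nftbugcheck` is my choice) and deletes it afterwards, so it is safe to run on a box with a live firewall. It assumes `nft` is on PATH and that it is run as root; where either is missing it reports "skipped" instead of guessing.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): does the installed nft hit the
# ordering bug from the report when a counter-valued interval map and the
# counter it references are created in a single atomic "nft -f" transaction?
# Assumptions (mine, not the report's): nft on PATH, running as root, and the
# table name below is unused. The live ruleset is never flushed.

TABLE="${TABLE:-nftbugcheck}"

# Emit the reporter's minimal ruleset into a dedicated table.
# $1 = "map_first"     : map declared before the counter (the failing order)
# $1 = "counter_first" : counter declared before the map (the order that worked)
write_repro_conf() {
    order="$1"
    printf 'add table inet %s\n' "$TABLE"
    if [ "$order" = "map_first" ]; then
        printf 'add map inet %s testmap { type ipv4_addr : counter; flags interval; }\n' "$TABLE"
        printf 'add counter inet %s TEST\n' "$TABLE"
    else
        printf 'add counter inet %s TEST\n' "$TABLE"
        printf 'add map inet %s testmap { type ipv4_addr : counter; flags interval; }\n' "$TABLE"
    fi
    printf 'add element inet %s testmap { 192.168.0.0/24 : "TEST" }\n' "$TABLE"
}

# Load one ordering for real (a syntax-only check would not exercise the
# transaction). Returns 0 if it loads, 1 if nft rejects it, 2 if the check
# cannot run here (no nft binary, or not root).
try_order() {
    order="$1"
    command -v nft >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    tmp=$(mktemp) || return 2
    write_repro_conf "$order" > "$tmp"
    if nft -f "$tmp" 2>/dev/null; then rc=0; else rc=1; fi
    # Remove the throwaway table so the next ordering starts from scratch.
    nft delete table inet "$TABLE" 2>/dev/null || true
    rm -f "$tmp"
    return "$rc"
}

# Classify the installed nft: "affected" when map-before-counter fails but
# counter-before-map loads, "ok" when both load, "skipped" when untestable.
classify_nft() {
    try_order map_first && a=0 || a=$?
    if [ "$a" -eq 2 ]; then echo skipped; return 0; fi
    try_order counter_first && b=0 || b=$?
    if [ "$a" -eq 1 ] && [ "$b" -eq 0 ]; then
        echo affected
    elif [ "$a" -eq 0 ] && [ "$b" -eq 0 ]; then
        echo ok
    else
        echo "unexpected (map_first=$a counter_first=$b)"
    fi
}

# Usage: sudo sh nft-order-check.sh --run
if [ "${1:-}" = "--run" ]; then classify_nft; fi
```

Run it on the bullseye host and on the bookworm host and compare the two results; "affected" reproduces exactly the asymmetry in the report (one order fails, the swapped order loads), while "unexpected" means something other than the ordering is wrong on that machine (for example a pre-existing table with the same name) and the output should not be read as a verdict on this bug.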