On Thu, Sep 14, 2023 at 12:52:24AM +0200, Pablo Neira Ayuso wrote:
> Hi Jann,
>
> On Wed, Sep 13, 2023 at 07:42:01PM +0200, Jann Haber wrote:
> > Dear nftables-developers,
> >
> > at Selfnet, we have been operating our CGN based on nftables for
> > roughly 4 years now (at that time we switched from iptables).
> > Recently, we have upgraded our first server from Debian bullseye
> > (Kernel 5.10, nftables 0.9.8) to bookworm (Kernel 6.1, nftables
> > 1.0.6). On bookworm, our ruleset that works well on bullseye fails
> > to load.
> >
> > We have boiled it down to the minimal example attached, which fails
> > to load correctly on bookworm and also on a current Arch-Linux.
> >
> > xxxxx@xxxxx:~$ sudo nft -f example.conf
> > example.conf:5:35-48: Error: Could not process rule: No such file or directory
> > add element inet filter testmap { 192.168.0.0/24 : "TEST" }
> >                                   ^^^^^^^^^^^^^^
> >
> > What we have tested:
> > - Removing the last line from the file and running it later manually
> >   via the command line, there is no error
> > - Splitting the file in two (having the final line in a separate
> >   file), the two files can be applied with two nft -f calls with no
> >   error
> > - When swapping the lines 3 and 4 (i.e. first add counter, then add
> >   map), there is no error applying the file
> > - Removing "flags: interval" from the map and testing with a single
> >   IP, there is no error applying the file
> >
> > In summary, I believe our rule syntax is ok - but something is going
> > wrong when the rules are applied in the given order atomically with
> > "nft -f". We appreciate any insight, please also let us know if we
> > did something wrong or if we can assist with debugging further.
>
> I can reproduce it, this is a userspace bug which happens with
> interval sets in nft_cmd_post_expand(), I will post a fix asap.
Proposed patch to address this issue:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230916143549.57646-1-pablo@xxxxxxxxxxxxx/

I am taking a look at the second issue you are reporting, I will follow up.

Thanks.