after:

nft add rule blackhole chain1 ip saddr @set1 counter accept

result:

nft[23409]: segfault at 7f8f5b809bbe ip 00007f8e9fe71f4e sp 00007fff6829d178 error 4 in libc-2.18.so[7f8e9fde2000+1a5000]

After that I proceeded to populate the list and got additional errors.

I used:

for i in `cat all3.txt`;do nft add element blackhole set1 { $i };done

To start loading in my 30,000+ entries.

nft: src/netlink.c:205: alloc_nft_setelem: Assertion `expr->ops->type == EXPR_MAPPING' failed.
Aborted

Eventually, after a few hundred it completes.

Does nft support cidr (1.1.1.0/24) notation?

So I guess the segmentation fault is my last problem.

Jonathan

On Wed, Jul 2, 2014 at 1:56 AM, Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> wrote:
> On 2 July 2014 06:44, Jonathan Johnson <ecybernard@xxxxxxxxx> wrote:
>> I tried to implement the syntax above with no luck. I have no idea
>> what I am supposed to do, and I am blindly stabbing around with trial
>> and error trying to figure this out. Why don't you just provide me
>> with a complete example and make it easy for me? All the examples I
>> find are broken, wrong, or incomplete.
>>
>
> Well, I just successfully tested this:
>
> nft add table blackhole
> nft list table blackhole
> table ip blackhole {
> }
>
> nft add set blackhole set1 { type ipv4_addr\; }
>
> nft list table blackhole
> table ip blackhole {
>         set set1 {
>                 type ipv4_addr
>         }
> }
>
> nft add element blackhole set1 {1.1.1.1, 2.2.2.2, 3.3.3.3}
>
> nft list table blackhole -nnn
> table ip blackhole {
>         set set1 {
>                 type ipv4_addr
>                 elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
>         }
> }
>
> nft add chain blackhole chain1
> nft list table blackhole -nnn
> table ip blackhole {
>         set set1 {
>                 type ipv4_addr
>                 elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
>         }
>
>         chain chain1 {
>         }
> }
>
> nft add rule blackhole chain1 ip saddr @set1 counter accept
> nft list table blackhole -nnn
> table ip blackhole {
>         set set1 {
>                 type ipv4_addr
>                 elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
>         }
>
>         chain chain1 {
>                 ip saddr @set1 counter packets 0 bytes 0 accept
>         }
> }
>
> --
> Arturo Borrero González
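
As an added example (not code from either poster or from the nftables project), the per-address loop described in this message can be replaced by one validated batch file: the sketch below checks every blocklist entry, merges overlapping ranges, and emits commands for the thread's `blackhole` table and `set1` set. It assumes a current nft release in which a set declared with `flags interval` accepts CIDR prefixes and `nft -f <file>` loads a command file; the function names and sample entries are constructed for illustration.

```python
import ipaddress

# Constructed sample input standing in for a blocklist file such as all3.txt.
SAMPLE = ["1.1.1.1", "1.1.1.0/24", "2.2.2.2", "3.3.3.0/25",
          "3.3.3.128/25", "not-an-ip", "# comment", ""]


def parse_entries(lines):
    """Return (networks, rejected). Anything that is not an IPv4 address or
    prefix is rejected, so no unvalidated text reaches the nft command file."""
    nets, rejected = [], []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            nets.append(ipaddress.IPv4Network(text, strict=False))
        except ValueError:
            rejected.append(raw.strip())
    # Merge duplicates, contained ranges and adjacent halves so the
    # interval set never receives overlapping elements.
    return list(ipaddress.collapse_addresses(nets)), rejected


def fmt(net):
    """Print single hosts without the /32 suffix."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def build_batch(nets, table="blackhole", set_name="set1", chunk=1000):
    """Build the text of a command file for `nft -f` (assumed syntax, see lead-in)."""
    out = [
        f"add table ip {table}",
        f"add set ip {table} {set_name} {{ type ipv4_addr; flags interval; }}",
    ]
    for i in range(0, len(nets), chunk):
        elems = ", ".join(fmt(n) for n in nets[i:i + chunk])
        out.append(f"add element ip {table} {set_name} {{ {elems} }}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    networks, bad = parse_entries(SAMPLE)
    print(build_batch(networks), end="")
    print(f"# rejected entries: {bad}")
```

Write the output to a file and load it with a single `nft -f` call instead of invoking nft once per address.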