In the process of trying to replace an Ubuntu box with a Debian one, I
brought over the running config (v0.8.3), modified the defines for the
changed IP addresses, and found that it was failing under v0.9.0.
At first thinking this was a problem with timing (VLAN interfaces coming
up after nft had run), I started double checking that I was using
[o|i]ifname and not just [o|i]if. After getting to the point of no
progress, I started commenting out the define statements and hard-coding
interface names.
It now looks as though the error messaging is still misplaced when
include is used (the specific, numeric VLAN is replaced with NNN here):
jeff@apu3:/usr/local/etc/firewall$ sudo nft -c -f nftables.conf
In file included from ./accept_ipv6_link_local.nft:3:1-32:
from nftables.conf:92:5-43:
./defines_if_mgmt.nft:1:17-25: Error: Interface does not exist
# define if_mgmt = { enp2s0.102 }
^^^^^^^^^
It's still pointing to something in those columns, but certainly not an
interface. The error indicators pretty clearly aren't referring to that line:
jeff@apu3:/usr/local/etc/firewall$ sudo nft -c -f nftables.conf
In file included from ./accept_ipv6_link_local.nft:3:1-32:
from nftables.conf:92:5-43:
./defines_if_mgmt.nft:1:17-25: Error: Interface does not exist
########################## define if_mgmt = { enp2s0.102 }
^^^^^^^^^
or to the line after completely removing it and the blank lines following it:
jeff@apu3:/usr/local/etc/firewall$ sudo nft -c -f nftables.conf
In file included from ./accept_ipv6_link_local.nft:3:1-32:
from nftables.conf:92:5-43:
./defines_if_mgmt.nft:1:17-25: Error: Interface does not exist
define if_mgmt_addrs_ipv4 = { 10.1.102.198 }
^^^^^^^^^
Very puzzling as well in that on the running box (long past boot), nft -c -f
nftables.conf shows the error, yet ip link clearly shows that the
interface exists.
In file included from ./accept_ipv6_link_local.nft:3:1-32:
is misleading as well, as there are no include statements in that file.
cut -c 17-25 * | egrep ^[0-9a-z.]+$ | less
provided the clue as to the string, which turned out to be in the file
defines_if_internal.nft, just before the one in which it was reported
(defines_if_mgmt):
include "./defines_if_external.nft"
include "./defines_if_internal.nft"
include "./defines_if_mgmt.nft"
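The column-range search described above, generalised as an added shell example that is not the reporter's script or part of nftables: it builds a throwaway include tree shaped like the one in the report, looks in every file for the token that sits in an error's reported line and column range, and pre-checks that each interface named in the defines_if_*.nft files is present in a known interface list, which would surface the missing VLAN before nft -c -f is run. The helper names (make_fixture, token_at_cols, missing_ifaces), the file contents other than the two defines quoted in the report, and the VLAN id 20 are constructed; missing_ifaces takes the interface list as an argument in place of ip -o link output so the example runs offline.

```shell
#!/bin/sh
# Added example, not the reporter's files: a throwaway include tree shaped
# like the one in the report, plus two helpers for locating what an nft
# "file:line:col1-col2" error actually points at.

# make_fixture DIR: populate DIR with constructed .nft files. The interface
# names and the VLAN id 20 are made up; "enp2s0.102" and the addrs define
# are the ones quoted in the report.
make_fixture() {
  dir="$1"
  mkdir -p "$dir"
  printf '%s\n' 'define if_external = { enp1s0 }' > "$dir/defines_if_external.nft"
  printf '%s\n' 'define vlan = { enp2s0.20 }' > "$dir/defines_if_internal.nft"
  printf '%s\n' 'define if_mgmt = { enp2s0.102 }' \
                'define if_mgmt_addrs_ipv4 = { 10.1.102.198 }' > "$dir/defines_if_mgmt.nft"
  printf '%s\n' 'include "./defines_if_external.nft"' \
                'include "./defines_if_internal.nft"' \
                'include "./defines_if_mgmt.nft"' > "$dir/nftables.conf"
}

# token_at_cols DIR LINE COL1 COL2: for every file in DIR, print
# "file:token" when characters COL1-COL2 of line LINE form a bare
# interface-like name (only [0-9a-z.]). This is the cut -c / egrep trick
# from the report applied to the whole include tree, so a location that
# nft attributes to the wrong file can be matched against its neighbours.
token_at_cols() {
  dir="$1"; line="$2"; c1="$3"; c2="$4"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    tok=$(sed -n "${line}p" "$f" | cut -c "${c1}-${c2}")
    case "$tok" in
      ""|*[!0-9a-z.]*) ;;                 # empty, or not a plain name
      *) printf '%s:%s\n' "$(basename "$f")" "$tok" ;;
    esac
  done
}

# missing_ifaces DIR "if1 if2 ...": print "file:iface" for every name in a
# "define X = { a, b }" set inside DIR/defines_if_*.nft that is not in the
# given space-separated list. The list stands in for the names `ip -o link`
# would show, so the check runs offline; tokens starting with a digit
# (addresses such as 10.1.102.198) are skipped.
missing_ifaces() {
  dir="$1"; known=" $2 "
  for f in "$dir"/defines_if_*.nft; do
    sed -n 's/^define  *[A-Za-z0-9_]*  *=  *{\(.*\)}.*$/\1/p' "$f" \
      | tr ',' '\n' | tr -d ' \t' \
      | while IFS= read -r iface; do
          case "$iface" in
            [a-z]*)
              case "$known" in
                *" $iface "*) ;;          # present on the box
                *) printf '%s:%s\n' "$(basename "$f")" "$iface" ;;
              esac ;;
          esac
        done
  done
}

# Stand-alone demo on a temporary copy of the fixture.
demo=$(mktemp -d)
make_fixture "$demo"
echo "files where line 1, cols 17-25, is a bare interface-like token:"
token_at_cols "$demo" 1 17 25
echo "interfaces referenced but absent from the (constructed) link list:"
missing_ifaces "$demo" "lo enp1s0 enp2s0 enp2s0.102"
rm -rf "$demo"
```

Run against a real tree, the second helper would take `ip -o link | awk -F': ' '{print $2}' | tr '\n' ' '` as its list; anything it prints is an interface nft will reject with "Interface does not exist", whichever file the error message ends up attributing it to.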
I haven't figured out why accept_ipv6_link_local.nft is mentioned, but
it looks like the problems with error reporting context still haven't
been resolved.
The core of the problem is that there is a VLAN that is not configured
on the "new" box that was present on the "old" box. "Error: Interface
does not exist" is correct, but the message was not identified with the
right source, nor with the right include sequence.
Happy to supply additional details or the set of files as might be
helpful to the developers.
Jeff