Hello,
This has been a problem since my kernel was upgraded to 5.6. Everything was fine prior to that where I was running the 5.5 kernel.
I'm running Debian testing and here is some information regarding my system:
$ uname -a
Linux rockenfield 5.6.0-1-amd64 #1 SMP Debian 5.6.7-1 (2020-04-29) x86_64 GNU/Linux
$ nft -v
nftables v0.9.4 (Jive at Five)
I have a script that blocks IP's by adding them to a named set, and the named set has a 12 hour expiration. After about a day of uptime, I start getting the following error. I'm obfuscating the IP address with "a.b.c.d".
$ nft add element ip filter blacklist4-ip-12h { a.b.c.d }
Error: Could not process rule: File exists
add element ip filter blacklist4-ip-12h { a.b.c.d }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I can check the named set and no such IP address exists, and double checked using grep. Here's the kicker: if I reboot, it works fine. The blacklist4-ip-12h set has 191 IP's so it shouldn't be a matter of too many IP's. I've had up to 300 in the set before with no problems. If I had too many IP's, I'd expect the same behavior after a reboot which is not the case. It's not an issue with any particular IP address; rather it disallows anything being added to the named set entirely. Here are the properties of the set in case something is wrong there:
set blacklist4-ip-12h {
type ipv4_addr
flags interval,timeout
timeout 12h
gc-interval 1m
}
If the set properties look OK, then I'm fairly confident this is a bug. I wanted to know if it's a kernel issue or an nftables issue, and also where to go to file a bug, and I can take it from there. I'm not sure when nftables was upgraded if we're suspecting nftables. I'd need to do some digging.
Any help is greatly appreciated. Having to reboot daily to work around this issue is not desirable.
Thank you!
-MikeD
