*From:* Pablo Neira Ayuso [mailto:pablo@xxxxxxxxxxxxx]
*To:* Mike Dillinger <miked@xxxxxxxxxxxxxx>
*Cc:* netfilter@xxxxxxxxxxxxxxx
*Date:* Friday, May 8, 2020, 9:01 AM PDT
*Subject:* nftables: Strange Error When Adding Element to Named Set
Please, make sure your Linux kernel version is >= 5.6.7 or manually
cherry-pick this fix which was included starting that version.
Versions from 5.6.0 to 5.6.6 include this problem you describe.
See https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7
Author: Stefano Brivio <sbrivio@xxxxxxxxxx>
Date: Wed Apr 1 17:14:38 2020 +0200
netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion
commit 72239f2795fab9a58633bd0399698ff7581534a3 upstream.
If I am reading the output of uname correctly, I am using 5.6.14 which should qualify:
$ uname -a
Linux rockenfield 5.6.0-2-amd64 #1 SMP Debian 5.6.14-1 (2020-05-23) x86_64 GNU/Linux
...yet, the problem still persists:
$ nft add element ip filter blacklist4-ip-12h { a.b.c.d }
Error: Could not process rule: File exists
add element ip filter blacklist4-ip-12h { a.b.c.d }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To confirm, everything works fine with 5.5.x kernels. Please advise next steps with respect to 5.6.7+ kernels.
Thanks,
-MikeD
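The exchange above hinges on two things a practitioner would want to check mechanically: whether the running kernel falls in the 5.6.0 to 5.6.6 range the reply names as affected, and what the "real" upstream version is on a Debian kernel, where `uname -r` reports the ABI name (5.6.0-2-amd64) while the package version (5.6.14-1) appears later in the `uname -a` banner. The script below is an added example, not code from the thread or from the netfilter project; it assumes the affected range stated in Pablo's reply and the Debian banner format shown in Mike's `uname -a` output, and the `uname -a` line it parses is the constructed sample from the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread. Classifies a kernel version
# against the range named in the reply (5.6.0 .. 5.6.6 affected, fixed in
# 5.6.7). On Debian, `uname -r` carries the ABI name (e.g. 5.6.0-2-amd64), so
# the upstream version is taken from the "Debian X.Y.Z-N" token when present.

# effective_kernel_version LINE
# LINE is the full output of `uname -a`. Prints the upstream kernel version.
effective_kernel_version() {
  line="$1"
  # Debian kernels carry the real upstream version in the version banner.
  deb=$(printf '%s\n' "$line" \
        | sed -n 's/.*Debian \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  if [ -n "$deb" ]; then
    printf '%s\n' "$deb"
    return 0
  fi
  # Otherwise use the third field (the kernel release) with any "-suffix" dropped.
  rel=$(printf '%s\n' "$line" | awk '{print $3}' | sed 's/[^0-9.].*$//')
  printf '%s\n' "$rel"
}

# kernel_affected VERSION
# Exit status 0 if VERSION lies within 5.6.0 .. 5.6.6, 1 otherwise.
kernel_affected() {
  v=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')   # strip "-rc", "-generic", etc.
  old_ifs=$IFS; IFS=.
  set -- $v
  IFS=$old_ifs
  maj=${1:-0}; min=${2:-0}; pat=${3:-0}
  [ "$maj" -eq 5 ] && [ "$min" -eq 6 ] && [ "$pat" -le 6 ]
}

# Constructed sample: the uname -a line quoted in the thread. Replace with
# "$(uname -a)" to check the local machine.
sample='Linux rockenfield 5.6.0-2-amd64 #1 SMP Debian 5.6.14-1 (2020-05-23) x86_64 GNU/Linux'
ver=$(effective_kernel_version "$sample")
if kernel_affected "$ver"; then
  echo "kernel $ver is inside the affected 5.6.0..5.6.6 range"
else
  echo "kernel $ver is outside the affected range (fix present from 5.6.7)"
fi
```

The version comparison deliberately strips everything after the first non-numeric character, so strings such as `5.6.3-rc1` or `5.6.0-2-amd64` are compared on their numeric prefix only; for the sample line the Debian banner wins and the script reports 5.6.14, outside the affected range.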