Hi,

On Sun, May 31, 2020 at 10:18:29AM -0700, Mike Dillinger wrote:
> > *From:* Pablo Neira Ayuso [mailto:pablo@xxxxxxxxxxxxx]
> > *To:* Mike Dillinger <miked@xxxxxxxxxxxxxx>
> > *Cc:* netfilter@xxxxxxxxxxxxxxx
> > *Date:* Friday, May 8, 2020, 9:01 AM PDT
> > *Subject:* nftables: Strange Error When Adding Element to Named Set
> >
> > Please, make sure your Linux kernel version is >= 5.6.7 or manually
> > cherry-pick this fix which was included starting that version.
> > Versions from 5.6.0 to 5.6.6 include this problem you describe.
> >
> > See https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7
> >
> > Author: Stefano Brivio <sbrivio@xxxxxxxxxx>
> > Date: Wed Apr 1 17:14:38 2020 +0200
> >
> > netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion
> > commit 72239f2795fab9a58633bd0399698ff7581534a3 upstream.
>
> If I am reading the output of uname correctly, I am using 5.6.14 which should qualify:
> $ uname -a
> Linux rockenfield 5.6.0-2-amd64 #1 SMP Debian 5.6.14-1 (2020-05-23) x86_64 GNU/Linux

That kernel already contains that fix, so there might be another bug.

> ...yet, the problem still persists:
> $ nft add element ip filter blacklist4-ip-12h { a.b.c.d }
> Error: Could not process rule: File exists
> add element ip filter blacklist4-ip-12h { a.b.c.d }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> To confirm, everything works fine with 5.5.x kernels. Please advise
> next steps with respect to 5.6.7+ kernels.

Do you have a simple reproducer? That would help us.

This is a set with the interval flag set on, correct?