Re: nftables: Strange Error When Adding Element to Named Set

Yes, I have found a way to reproduce it.

Add the set:
nft add set ip filter blacklist4-ip-1m {type ipv4_addr\; flags interval,timeout \; timeout 1m \; gc-interval 1m\;}

We're not concerned about the IPs that are added to the set because there are no rules covering what to do with the set contents.

I wrote a bash script called nftables-bug-repro:
#!/bin/bash
# Show the set before any elements are added.
nft list set ip filter blacklist4-ip-1m
# Add 1.1.1.1 through 10.10.10.10, one per second (family defaults to ip).
for ((i=1;i<=10;i++)); do
    nft add element filter blacklist4-ip-1m "{$i.$i.$i.$i}"
    sleep 1
done
# Show the set again to compare with what the kernel claimed was present.
nft list set ip filter blacklist4-ip-1m

This script actually shows some other odd behavior.  In addition to the inaccurate information of IPs already being in the list, the kernel seems to create its own interval/ranges.  Running the script every minute creates a different set of errors too.  This definitely seems related to the timeout setting; my other sets are working fine since reboot but I expect that to change later after IPs have expired.  Below is a sample output run:

$ nftables-bug-repro
table ip filter {
        set blacklist4-ip-1m {
                type ipv4_addr
                flags interval,timeout
                timeout 1m
                gc-interval 1m
        }
}
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {1.1.1.1}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {2.2.2.2}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {4.4.4.4}
                                     ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {4.4.4.4}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {5.5.5.5}
                                     ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {5.5.5.5}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {6.6.6.6}
                                     ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {6.6.6.6}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {7.7.7.7}
                                     ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {7.7.7.7}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {8.8.8.8}
                                     ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {8.8.8.8}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {9.9.9.9}
                                     ^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {9.9.9.9}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: interval overlaps with an existing one
add element filter blacklist4-ip-1m {10.10.10.10}
                                     ^^^^^^^^^^^
Error: Could not process rule: File exists
add element filter blacklist4-ip-1m {10.10.10.10}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
table ip filter {
        set blacklist4-ip-1m {
                type ipv4_addr
                flags interval,timeout
                timeout 1m
                gc-interval 1m
                elements = { 3.3.3.3-255.255.255.255 }
        }
}

Notice the bizarre range declaration, as well as 1.1.1.1 and 2.2.2.2 missing even though the kernel claimed they were already present.

Here are my kernel and nftables versions:
$ uname -a
Linux rockenfield 5.6.0-2-amd64 #1 SMP Debian 5.6.14-1 (2020-05-23) x86_64 GNU/Linux
$ nft -v
nftables v0.9.4 (Jive at Five)

Thanks!
-MikeD
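The comparison MikeD does by eye at the end of the run (which attempted addresses are absent, and which listed elements are ranges covering addresses nobody added) can be automated. The following is an added example, not code from the post or from the nftables project: it parses the plain-text `nft list set` output in the format shown above and audits it against the list of addresses the repro script tried to insert. The sample listing is constructed from the output in the post; the address list assumes the script ran unchanged (1.1.1.1 through 10.10.10.10).

```python
"""Audit an `nft list set` text listing against the addresses a script tried to add.

Added example (not from the original post or the nftables project).
Usage on a live box, assuming the repro script ran with its default addresses:
    nft list set ip filter blacklist4-ip-1m | python3 audit_set.py
With no stdin it runs against the sample listing constructed from the post.
"""
import ipaddress
import re
import sys

# Constructed from the listing shown in the post.
SAMPLE_LISTING = """\
table ip filter {
        set blacklist4-ip-1m {
                type ipv4_addr
                flags interval,timeout
                timeout 1m
                gc-interval 1m
                elements = { 3.3.3.3-255.255.255.255 }
        }
}
"""

# What the repro script attempted to add (assumption: default loop 1..10).
ATTEMPTED = [f"{i}.{i}.{i}.{i}" for i in range(1, 11)]


def parse_elements(listing):
    """Return the set's elements as (first, last) IPv4Address pairs.

    Accepts single addresses, 'a-b' ranges and CIDR prefixes. Per-element
    annotations such as 'timeout 1m expires 42s' are dropped by keeping only
    the first token. nft wraps long element lists across lines, so the whole
    'elements = { ... }' block is matched with re.S.
    """
    m = re.search(r"elements\s*=\s*\{(.*?)\}", listing, re.S)
    if not m:
        return []
    out = []
    for item in m.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        token = item.split()[0]
        if "-" in token:
            lo, hi = token.split("-", 1)
            out.append((ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
        elif "/" in token:
            net = ipaddress.IPv4Network(token, strict=False)
            out.append((net[0], net[-1]))
        else:
            addr = ipaddress.IPv4Address(token)
            out.append((addr, addr))
    return out


def missing_addresses(elements, attempted):
    """Attempted addresses that no element in the listing covers."""
    return [a for a in attempted
            if not any(lo <= ipaddress.IPv4Address(a) <= hi for lo, hi in elements)]


def unexpected_ranges(elements, attempted):
    """Elements that cover more addresses than were ever attempted.

    Contiguous single addresses may legitimately be merged into one range by
    nft, so a range is only flagged when it spans addresses not in `attempted`.
    Returns (first, last, number_of_uninserted_addresses_covered) triples.
    """
    wanted = {ipaddress.IPv4Address(a) for a in attempted}
    bad = []
    for lo, hi in elements:
        span = int(hi) - int(lo) + 1
        hits = sum(1 for a in wanted if lo <= a <= hi)
        if span > hits:
            bad.append((str(lo), str(hi), span - hits))
    return bad


def audit(listing, attempted=ATTEMPTED):
    elements = parse_elements(listing)
    return {
        "missing": missing_addresses(elements, attempted),
        "unexpected": unexpected_ranges(elements, attempted),
    }


if __name__ == "__main__":
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    result = audit(text)
    for a in result["missing"]:
        print(f"missing: {a} (add was rejected as existing, yet not listed)")
    for lo, hi, extra in result["unexpected"]:
        print(f"unexpected range: {lo}-{hi} covers {extra} addresses never added")
```

On the sample listing the audit reports 1.1.1.1 and 2.2.2.2 as missing and flags 3.3.3.3-255.255.255.255 as a range the script never inserted, which is exactly the discrepancy the post points out.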
