Cannot reference sets in later rules until next nft run

Dear list,

I am trying to create an nft ruleset that uses the include directive and a run-parts.d style directory for additions to the main ruleset.

I've run into a problem with nft v0.9.8 on kernel 5.10.0, which I summarise as follows: If a rule in the main ruleset defines a set then I cannot use that set outside the current scope until a later run of nft.

Let me illustrate:

I have the following files (please find them attached):

  ==> inc.d/20-ssh.nft <==
  table inet test {

      set recent_ssh_connections4 { type ipv4_addr; timeout 30s; }

      chain incoming_ssh {
          update @recent_ssh_connections4 { ip saddr } \
              accept comment "SSH connections"
      }

      chain input {
          tcp flags syn tcp dport 22 counter jump incoming_ssh
      }
  }

  ==> inc.d/50-mosh_ports_v4.nft <==
  add rule inet test input \
    ip saddr @recent_ssh_connections4 udp dport 60000-61000 counter accept \
    comment "Portrange required for mosh"

  ==> ruleset.nft <==
  table inet test {

      chain input {
          type filter hook input priority filter;

      }
  }

  include "./inc.d/*.nft"

When I try to load this ruleset, it fails (debug output is attached):

  % sudo nft -f ruleset.nft
  In file included from ruleset.nft:9:1-24:
  ./inc.d/50-mosh_ports_v4.nft:2:12-35: Error: No such file or directory
    ip saddr @recent_ssh_connections4 udp dport 60000-61000 counter accept \
             ^^^^^^^^^^^^^^^^^^^^^^^^

If I load the included files with a separate invocation of nft, it works:

  % sed '/^include/d' ruleset.nft | sudo nft -f -
  % for f in inc.d/*.nft; do sudo nft -f $f; done

At first, I thought this was a problem with include, but even if I replace the include directive with the contents of the files it would include, the error is the same.

The error also stays if I convert the command-style content of inc.d/50-mosh_ports_v4.nft to the native format.

The only way to make this work is to include the rules within the main and first table declaration in ruleset.nft, which means it's not possible to use sets in include files.

Is this a bug, or am I doing something wrong?

--
@martinkrafft | https://matrix.to/#/#madduck:madduck.net
"i can stand brute force, but brute reason is quite unbearable. there
 is something unfair about its use. it is hitting below the
 intellect."
                                                      -- oscar wilde
spamtraps: madduck.bogus@xxxxxxxxxxx

Attachment: nft-problem-files.tar.gz
Description: application/gzip

Attachment: nft-debug-output.gz
Description: application/gzip

