Re: Change in nft set element add syntax?

On Thu, Sep 22, 2022 at 7:40 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> No syntax updates have been done, see below.
>
> On Thu, Sep 22, 2022 at 12:12:38PM +1000, Austin Lund wrote:
> > Hi,
> >
> > I upgraded from nft 1.0.1 to 1.0.5 and found some of the rules I have
> > gave some errors.  I narrowed it down to adding to sets.  It's all
> > pretty simple; the error is
> >
> > > # /usr/bin/nft -c -f /etc/nftables.conf
> > > /etc/nftables.conf:44:3-37: Error: Could not process rule: Operation not supported
> > >     ip saddr @badconns goto update_drop
> > >     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > /etc/nftables.conf:64:3-28: Error: Could not process rule: Invalid argument
> > >     add @badconns { ip saddr }
> > >     ^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
>
> This loads fine here.
>
> # cat test.nft
> table inet filter {
>          set badconns { typeof ip saddr; timeout 1h; }
>          set badconns6 { typeof ip6 saddr; timeout 1h; }
>
>          chain input {
>                  ip saddr @badconns goto update_drop
>                  ip6 saddr @badconns6 goto update_drop
>          }
>
>          chain update_drop {
>                  update @badconns { ip saddr }
>                  update @badconns6 { ip6 saddr }
>                  drop
>          }
> }

Hi,

I had the exact same problem and couldn't find anything except this post.
I could actually track it down to a specific commit by git bisect:
https://git.netfilter.org/nftables/commit/?id=8d443adfcc8c19effd6be9a9c903ee96e374f2e8

So it looks like setting the NFT_SET_EVAL gives the "Invalid argument" error.
If I got it correctly, this flag is equivalent to adding the dynamic
flag in the named set.
When setting it explicitly in the example with "flags dynamic",
it also breaks with the earlier commits, including version 1.0.1.

This led me to believe it is actually a problem in the kernel module,
and I found out I was using a very old kernel (4.9) without this patch:
https://lore.kernel.org/lkml/20191010083512.320042206@xxxxxxxxxxxxxxxxxxx/

Updating the Linux kernel to 5.15 fixed the problem for me.

Jacob
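As an added example, not part of this thread: a POSIX shell check that dry-runs a ruleset with a dynamic set in the same shape as Pablo's test.nft, classifies the two errors Austin saw, and compares the running kernel against the 5.15 that Jacob reported working. It assumes nft is on PATH and accepts `-c -f -` on stdin; the table name dynset_check, the verdict strings and the sample kernel releases are invented for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run a ruleset that depends on dynamic
# set updates and report whether this kernel accepts it, so a deploy fails with
# a clear diagnosis instead of a bare "Invalid argument". Assumes nft on PATH and
# `nft -c -f -` reading stdin; 5.15 is the version Jacob reported working.
# Same shape as Pablo's test.nft, with `flags dynamic` spelled out so old and
# new nft versions send the same set flags to the kernel.
dynamic_set_ruleset() {
  cat <<'EOF'
table inet dynset_check {
    set badconns { typeof ip saddr; flags dynamic; timeout 1h; }
    chain input { ip saddr @badconns goto update_drop; }
    chain update_drop { update @badconns { ip saddr }; drop; }
}
EOF
}

# Map nft's stderr to a verdict; the two messages are the ones in the thread.
classify_nft_output() {
  case "$1" in
    "") echo supported ;;
    *"Operation not supported"*|*"Invalid argument"*) echo set-flags-rejected ;;
    *) echo other-error ;;
  esac
}

# Exit 0 when kernel release $1 (e.g. 4.9.0-12-amd64) is older than major.minor $2.
kernel_older_than() {
  a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
  b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
  [ "$a_major" -lt "$b_major" ] && return 0
  [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ] && return 0
  return 1
}

# Dry-run the ruleset and print a diagnosis; exit 0 only if the kernel took it.
check_dynamic_sets() {
  out=$(dynamic_set_ruleset | nft -c -f - 2>&1) || true
  verdict=$(classify_nft_output "$out"); kver=$(uname -r)
  case "$verdict" in
    supported) echo "ok: kernel $kver accepts dynamic sets" ;;
    set-flags-rejected) echo "kernel $kver rejected dynamic set flags:"; echo "$out"
      kernel_older_than "$kver" 5.15 && echo "hint: kernel older than 5.15" ;;
    *) echo "nft reported an unrelated error:"; echo "$out" ;;
  esac
  [ "$verdict" = supported ]
}

if command -v nft >/dev/null 2>&1; then check_dynamic_sets; fi
```

Run it as root before loading the real ruleset; a non-zero exit with the "set-flags-rejected" diagnosis points at the kernel rather than at the nft syntax.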
