On Wed, Nov 22, 2023 at 07:35:59PM +0100, Kamil Jońca wrote:
> sudo nft --version
> nftables v1.0.9 (Old Doc Yak #3)
>
> Recently my nftables debian service started to end with an error:
>
> --8<---------------cut here---------------start------------->8---
> Nov 22 19:18:56 alfa systemd[1]: Starting nftables.service - nftables...
> Nov 22 19:18:57 alfa nft[2242551]: nft: datatype.c:1264: datatype_free: Assertion `dtype->refcnt != 0' failed.
> Nov 22 19:18:57 alfa systemd[1]: nftables.service: Failed with result 'signal'.
> Nov 22 19:18:57 alfa systemd[1]: Failed to start nftables.service - nftables.
> --8<---------------cut here---------------end--------------->8---
>
> After some investigating I found that nft does not like this definition:
>
> --8<---------------cut here---------------start------------->8---
> table ip filter {
>     ...
>     map ipsec_in {
>         typeof ipsec in reqid . iif : verdict
>         flags interval
>     }
>     ...
>
>     chain INPUT {
>         type filter hook input priority 0; policy drop
>         ...
>         ipsec in reqid . iif vmap @ipsec_in
>         ...
>     }
>     ...
> }
> --8<---------------cut here---------------end--------------->8---
>
> Rules seem to be loaded entirely and work.

Thanks for this reproducer.

Proposed fix:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20231122210106.183932-1-pablo@xxxxxxxxxxxxx/
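A minimal stand-alone reproducer assembled from the ruleset quoted above. This is an added example, not Kamil's full ruleset and not part of the original thread: the elided (`...`) rules are left out, the table, map and chain names are kept as in the report, and the file name `repro.nft` used below is an assumption.

```nft
# repro.nft (added example; file name is an assumption)
# Minimal ruleset that keeps only the two pieces named in the report:
# a verdict map keyed on a typeof concatenation and the rule that looks it up.
flush ruleset

table ip filter {
    # map keyed on "ipsec in reqid . iif", declared via typeof, interval flag as in the report
    map ipsec_in {
        typeof ipsec in reqid . iif : verdict
        flags interval
    }

    chain INPUT {
        type filter hook input priority 0; policy drop
        # the vmap lookup against the typeof-concatenation map
        ipsec in reqid . iif vmap @ipsec_in
    }
}
```

Check it with `sudo nft -c -f repro.nft`: `-c` parses and evaluates the file without committing it to the kernel, which is the safest way to run this against a given nft build, since committing the file for real would install a `policy drop` input chain (and `flush ruleset` would discard the existing ruleset). Whether the check-only path also reaches the assertion is not something the thread states, so confirm against a test VM or network namespace before relying on it.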