From: Jacob Middag <jacob@gaddim.nl>
To: netfilter@vger.kernel.org
Subject: Re: Change in nft set element add syntax?
Date: Sun, 16 Apr 2023 20:40:38 +0200	[thread overview]
Message-ID: <CAHm0O6N_c65MfDbb_QXCX8EFF+yskQ6Du1NhoUkpwf8miRoS+g@mail.gmail.com> (raw)
In-Reply-To: <Yyv1RIjX0pGSbAMP@salvia>

On Thu, Sep 22, 2022 at 7:40 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> No syntax updates have been done, see below.
>
> On Thu, Sep 22, 2022 at 12:12:38PM +1000, Austin Lund wrote:
> > Hi,
> >
> > I upgraded from nft 1.0.1 to 1.0.5 and found some of the rules I have
> > gave some errors.  I narrowed it down to adding to sets.  It's all
> > pretty simple; the error is
> >
> > > # /usr/bin/nft -c -f /etc/nftables.conf
> > > /etc/nftables.conf:44:3-37: Error: Could not process rule: Operation not supported
> > >     ip saddr @badconns goto update_drop
> > >     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > /etc/nftables.conf:64:3-28: Error: Could not process rule: Invalid argument
> > >     add @badconns { ip saddr }
> > >     ^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
>
> This loads fine here.
>
> # cat test.nft
> table inet filter {
>          set badconns { typeof ip saddr; timeout 1h; }
>          set badconns6 { typeof ip6 saddr; timeout 1h; }
>
>          chain input {
>                  ip saddr @badconns goto update_drop
>                  ip6 saddr @badconns6 goto update_drop
>          }
>
>          chain update_drop {
>                  update @badconns { ip saddr }
>                  update @badconns6 { ip6 saddr }
>                  drop
>          }
> }

Hi,

I had the exact same problem and couldn't find anything except this post.
I could actually track it down to a specific commit by git bisect:
https://git.netfilter.org/nftables/commit/?id=8d443adfcc8c19effd6be9a9c903ee96e374f2e8

So it looks like setting the NFT_SET_EVAL flag gives the "Invalid argument" error.
If I got it correctly, this flag is equivalent to adding the dynamic
flag in the named set.
When setting it explicitly in the example with "flags dynamic",
it also breaks with the earlier commits, including version 1.0.1.

This led me to believe it is actually a problem in the kernel module,
and I found out I was using a very old kernel (4.9) without this patch:
https://lore.kernel.org/lkml/20191010083512.320042206@linuxfoundation.org/

Updating the Linux kernel to 5.15 fixed the problem for me.

Jacob
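As an added example (not part of the thread, and not Pablo's test.nft), here is the same ban-list pattern with the dynamic flag written out explicitly, so that the requirement Jacob traced is visible in the ruleset itself: the `update @set { ... }` statement only works on a set created with NFT_SET_EVAL, which is what `flags dynamic` requests, and the running kernel must support that flag. The hook declaration, the `ct state` rule and the trigger condition (new TCP connections to ports 23 and 2323) are assumptions chosen for illustration; substitute whatever identifies a bad connection in your own setup.

```nft
#!/usr/sbin/nft -f
# Added example: ban list fed by the "update" statement (not code from the thread).
flush ruleset

table inet filter {
    # Elements are added at packet-processing time by "update @set { ... }",
    # so the set must be created with the dynamic flag (NFT_SET_EVAL).
    # Entries expire after the timeout, so the list cleans itself up.
    set badconns {
        typeof ip saddr
        flags dynamic, timeout
        timeout 1h
    }
    set badconns6 {
        typeof ip6 saddr
        flags dynamic, timeout
        timeout 1h
    }

    chain input {
        type filter hook input priority filter; policy accept;

        ct state established,related accept

        # Sources already on the ban list are dropped without further checks.
        ip saddr @badconns drop
        ip6 saddr @badconns6 drop

        # Assumed trigger for this example: new connections to ports this host
        # does not serve. Replace with the condition that fits your network.
        tcp dport { 23, 2323 } ct state new goto update_drop
    }

    chain update_drop {
        # Record the source address in the matching set, then drop the packet.
        update @badconns { ip saddr }
        update @badconns6 { ip6 saddr }
        drop
    }
}
```

Check the file with `nft -c -f <file>` before loading it. If the two `update` lines are the only ones rejected, and the error is "Invalid argument" rather than a syntax error, the ruleset is fine and the kernel is the problem: as described above, a kernel without support for dynamic (NFT_SET_EVAL) sets refuses them regardless of the nft version, so compare `uname -r` against the patch linked in the message before changing the rules.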
