bugzilla-daemon at netfilter.org
2023-Jul-31 10:04 UTC
[Bug 1697] New: Errors when running "nft -o" optimizer due to "counter return"
https://bugzilla.netfilter.org/show_bug.cgi?id=1697

            Bug ID: 1697
           Summary: Errors when running "nft -o" optimizer due to "counter return"
           Product: nftables
           Version: 1.0.x
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: apachez at gmail.com

Created attachment 720
  --> https://bugzilla.netfilter.org/attachment.cgi?id=720&action=edit
Ruleset that triggers the error in nft optimizer

It turns out that the nft optimizer (nft -o) will produce errors such as:

    # internal:0:0-0: Error: Could not process rule: File exists

The above turned out to be because chains looked like this:

    chain VZONE_wg8 {
        iifname "wg8" counter return
        iifname "eth1" counter jump NAME_lan-wg8
        iifname "eth1" counter return
        iifname "eth3" counter jump NAME_mullvadgb-wg8
        iifname "eth3" counter return
        iifname "eth2" counter jump NAME_mullvadus-wg8
        iifname "eth2" counter return
        iifname "eth0" counter jump NAME_wan-wg8
        iifname "eth0" counter return
        iifname "wg0" counter jump NAME_wg0-wg8
        iifname "wg0" counter return
        iifname "wg1" counter jump NAME_wg1-wg8
        iifname "wg1" counter return
        iifname "wg7" counter jump NAME_wg7-wg8
        iifname "wg7" counter return
        counter drop comment "zone_wg8 default-action drop"
    }

where the workaround was to adjust the "counter return" into just "return" like so (however, the first "counter return" was accepted by the nft optimizer?):

    chain VZONE_wg8 {
        iifname "wg8" counter return
        iifname "eth1" counter jump NAME_lan-wg8
        iifname "eth1" return
        iifname "eth3" counter jump NAME_mullvadgb-wg8
        iifname "eth3" return
        iifname "eth2" counter jump NAME_mullvadus-wg8
        iifname "eth2" return
        iifname "eth0" counter jump NAME_wan-wg8
        iifname "eth0" return
        iifname "wg0" counter jump NAME_wg0-wg8
        iifname "wg0" return
        iifname "wg1" counter jump NAME_wg1-wg8
        iifname "wg1" return
        iifname "wg7" counter jump NAME_wg7-wg8
        iifname "wg7" return
        counter drop comment "zone_wg8 default-action drop"
    }

With the above workaround, the nft optimizer (nft -o) accepted the backup file (it already had "flush ruleset" added as the first line):

    # nft -c -o -f /path/backup.nft

The system is a VyOS 1.4-rolling release (the particular box used VyOS 1.4-rolling-202307250317), which is based on Debian 12.1 (bookworm).

Package installed: nftables 1.0.6-2+deb12u1.

Output of "nft -V":

    nftables v1.0.6 (Lester Gooch #5)
      cli:		editline
      json:		yes
      minigmp:	no
      libxtables:	yes

Using kernel: Linux vyos 6.1.40-amd64-vyos #1 SMP PREEMPT_DYNAMIC Sun Jul 23 21:10:16 UTC 2023 x86_64 GNU/Linux

Discussion available at: https://forum.vyos.io/t/geoip-optimise-address-ranges/11677

Also attached "ruleset_230731.txt.gz", which triggers the error with the nft optimizer. The ruleset has been created by "nft -s list ruleset" with "flush ruleset" added as the first line.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230731/00645300/attachment.html>
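The workaround from the report above, as an added example that is not part of the bug report or of nftables: a small Python script that rewrites every "counter return" rule after the first one in each chain to a plain "return", exactly as in the reporter's second listing, and lists the rules that lose their packet/byte counters so the change can be reviewed before the file is fed to nft -c -o -f. The sample chain is constructed from the report, not taken from the attached ruleset.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the chain from the bug report (not the full
# attached ruleset); a real backup file comes from "nft -s list ruleset".
SAMPLE_CHAIN = """\
chain VZONE_wg8 {
    iifname "wg8" counter return
    iifname "eth1" counter jump NAME_lan-wg8
    iifname "eth1" counter return
    iifname "eth3" counter jump NAME_mullvadgb-wg8
    iifname "eth3" counter return
    counter drop comment "zone_wg8 default-action drop"
}
"""

# Matches a "counter" statement immediately followed by the "return" verdict,
# as whole words, so "counter drop" and "counter jump ..." are left untouched.
COUNTER_RETURN = re.compile(r"\bcounter\s+return\b")


def apply_workaround(ruleset: str) -> Tuple[str, List[Tuple[int, str]]]:
    """Rewrite "counter return" to "return" for every such rule except the
    first one in each chain, mirroring the reporter's workaround.

    Returns the rewritten text and a list of (line number, original rule) for
    every rule that lost its counter, so the operator knows which rules no
    longer accumulate packet/byte accounting after the change.
    """
    out: List[str] = []
    changed: List[Tuple[int, str]] = []
    seen_in_chain = False
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("chain ") and stripped.endswith("{"):
            seen_in_chain = False  # new chain: its first "counter return" is kept
        elif COUNTER_RETURN.search(line):
            if seen_in_chain:
                changed.append((lineno, stripped))
                line = COUNTER_RETURN.sub("return", line, count=1)
            seen_in_chain = True
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    text, lost = apply_workaround(SAMPLE_CHAIN)
    print(text)
    for lineno, rule in lost:
        print(f"line {lineno}: counter removed from: {rule}")
```

The script only applies the textual workaround; the rewritten file still has to be validated with nft -c -o -f before it is loaded.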
bugzilla-daemon at netfilter.org
2023-Jul-31 10:05 UTC
[Bug 1697] Errors when running "nft -o" optimizer due to "counter return"
https://bugzilla.netfilter.org/show_bug.cgi?id=1697

Apachez <apachez at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
               URL|                            |https://forum.vyos.io/t/geoip-optimise-address-ranges/11677
bugzilla-daemon at netfilter.org
2023-Jul-31 11:25 UTC
[Bug 1697] Errors when running "nft -o" optimizer due to "counter return"
https://bugzilla.netfilter.org/show_bug.cgi?id=1697

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
One of the bugs in this ruleset is fixed here:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230731112424.69600-1-pablo at netfilter.org/

This patch fixes the strange BUG displayed in
https://forum.vyos.io/t/geoip-optimise-address-ranges/11677 as:

    BUG: invalid input descriptor type 151665524
    nft: erec.c:161: erec_print: Assertion `0' failed.
    Aborted