netfilter buglog - Jul 2023 - [Bug 1697] New: Errors when running "nft -o" optimizer due to "counter return"

https://bugzilla.netfilter.org/show_bug.cgi?id=1697

            Bug ID: 1697
           Summary: Errors when running "nft -o" optimizer due to
"counter
                    return"
           Product: nftables
           Version: 1.0.x
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: apachez at gmail.com

Created attachment 720
  --> https://bugzilla.netfilter.org/attachment.cgi?id=720&action=edit
Ruleset that triggers the error in nft optimizer

It turns out that nft optimizer (nft -o) will produce errors such as:

# internal:0:0-0: Error: Could not process rule: File exists

The above turned out to be due to that chains looked like this:

chain VZONE_wg8 {
    iifname "wg8" counter return
    iifname "eth1" counter jump NAME_lan-wg8
    iifname "eth1" counter return
    iifname "eth3" counter jump NAME_mullvadgb-wg8
    iifname "eth3" counter return
    iifname "eth2" counter jump NAME_mullvadus-wg8
    iifname "eth2" counter return
    iifname "eth0" counter jump NAME_wan-wg8
    iifname "eth0" counter return
    iifname "wg0" counter jump NAME_wg0-wg8
    iifname "wg0" counter return
    iifname "wg1" counter jump NAME_wg1-wg8
    iifname "wg1" counter return
    iifname "wg7" counter jump NAME_wg7-wg8
    iifname "wg7" counter return
    counter drop comment "zone_wg8 default-action drop"
}

where the workaround was to adjust the "counter return" into just
"return" like
so (however the first "counter return" was accepted by the nft
optimizer?):

chain VZONE_wg8 {
    iifname "wg8" counter return
    iifname "eth1" counter jump NAME_lan-wg8
    iifname "eth1" return
    iifname "eth3" counter jump NAME_mullvadgb-wg8
    iifname "eth3" return
    iifname "eth2" counter jump NAME_mullvadus-wg8
    iifname "eth2" return
    iifname "eth0" counter jump NAME_wan-wg8
    iifname "eth0" return
    iifname "wg0" counter jump NAME_wg0-wg8
    iifname "wg0" return
    iifname "wg1" counter jump NAME_wg1-wg8
    iifname "wg1" return
    iifname "wg7" counter jump NAME_wg7-wg8
    iifname "wg7" return
    counter drop comment "zone_wg8 default-action drop"
}

With above workaround nft optimizer (nft -o) accepted the backup-file (it
already had "flush ruleset" added to the first line):

# nft -c -o -f /path/backup.nft

The system is a VyOS 1.4-rolling release (particular box used VyOS
1.4-rolling-202307250317) which is based on Debian 12.1 (bookworm).

Package installed: nftables 1.0.6-2+deb12u1.

Output of "nft -V":

nftables v1.0.6 (Lester Gooch #5)
  cli:        editline
  json:        yes
  minigmp:    no
  libxtables:    yes

Using kernel:

Linux vyos 6.1.40-amd64-vyos #1 SMP PREEMPT_DYNAMIC Sun Jul 23 21:10:16 UTC
2023 x86_64 GNU/Linux

Discussion available at:
https://forum.vyos.io/t/geoip-optimise-address-ranges/11677

Also attached "ruleset_230731.txt.gz" which triggers the error with
nft
optimizer.

The ruleset have been created by "nft -s list ruleset" and added
"flush
ruleset" as the first line.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230731/00645300/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1697

Apachez <apachez at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://forum.vyos.io/t/geo
                   |                            |ip-optimise-address-ranges/
                   |                            |11677

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230731/53afd392/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1697

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
One of the bugs in this ruleset is fixed here:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230731112424.69600-1-pablo
at netfilter.org/

This patches fixes the strange BUG displayed in 
https://forum.vyos.io/t/geoip-optimise-address-ranges/11677
as:

BUG: invalid input descriptor type 151665524
nft: erec.c:161: erec_print: Assertion `0' failed.
Aborted

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230731/9c1e5af0/attachment.html>