bugzilla-daemon at netfilter.org
2023-Jul-09 09:44 UTC
[Bug 1650] fail to add missing element to nft sets after running some time - file exists
https://bugzilla.netfilter.org/show_bug.cgi?id=1650

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---

Hi,

(In reply to Wang Jian from comment #3)
> The issue still exists on new debian testing kernel 6.3.0-1-amd64 based on
> linux kernel version 6.3.7-1
>
> # last reboot
> reboot   system boot  6.3.0-1-amd64    Thu Jun 29 02:14   still running
> reboot   system boot  6.1.0-7-amd64    Tue Apr  4 09:31 - 02:14 (85+16:42)
>
> # grep Could /var/log/dnsmasq/dnsmasq-20230629.log
> 2023-06-29T08:34:56.679638+08:00 nftset inet mangle TUNNELv6
> internal:0:0-0: Error: Could not process rule: File exists

This internal:0:0-0 is incorrect error reporting.

Could you run nftables with git HEAD? It contains this fix:

commit 5e39a34b196d68b803911aa13066fef2f83dc98c
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Mar 27 16:36:31 2023 +0200

    intervals: use expression location when translating to intervals

    Otherwise, internal location reports:

    # nft -f ruleset.nft
    internal:0:0-0: Error: Could not process rule: File exists

    after this patch:

    # nft -f ruleset.nft
    ruleset.nft:402:1-16: Error: Could not process rule: File exists
                    1.2.3.0/30,
                    ^^^^^^^^^^^

It fixes error reporting, so at least it is possible to know what element
already exists. This will be included in the next release (1.0.8).

Once error reporting is fixed, the next step would be to validate whether
EEXIST is legitimate or bogus, via listing the set to check for overlaps;
you could also use the 'get element' command.

Thanks.

-- 
You are receiving this mail because:
You are watching all bug changes.
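The overlap check suggested in the comment above, written out as an added example (not code from the bug report or from the nftables project). It reads the JSON that `nft -j list set inet mangle TUNNELv6` prints and reports which existing elements intersect the element that got EEXIST; an empty result means nothing in the set covers it and the error deserves a closer look. The element encodings it handles (plain strings, `{"prefix": ...}`, `{"range": ...}`, optionally wrapped as `{"elem": {"val": ...}}`) follow the libnftables JSON output as I know it; the sample listing, set name and addresses below are constructed placeholders.

```python
"""Tell a legitimate nftables EEXIST from a bogus one by looking for overlap.

Added example, not code from the bug report or from the nftables project.
It consumes the JSON that `nft -j list set inet mangle TUNNELv6` prints
(libnftables JSON output: elements are plain strings, {"prefix": ...},
{"range": ...}, optionally wrapped as {"elem": {"val": ...}}). The sample
below is constructed; set, table and element values are placeholders.
"""
import ipaddress
import json

# Constructed stand-in for `nft -j list set inet mangle TUNNELv6` output.
SAMPLE_LIST_SET = json.dumps({
    "nftables": [
        {"metainfo": {"json_schema_version": 1}},
        {"set": {
            "family": "inet", "name": "TUNNELv6", "table": "mangle",
            "type": "ipv6_addr", "handle": 7, "flags": ["interval"],
            "elem": [
                {"prefix": {"addr": "2001:db8:10::", "len": 48}},
                {"range": ["2001:db8:20::1", "2001:db8:20::ff"]},
                # per-element attributes (timeout, comment) wrap the value
                {"elem": {"val": "2001:db8:30::5", "timeout": 3600}},
                "2001:db8:40::1",
            ],
        }},
    ]
})


def _unwrap(elem):
    """Strip the {"elem": {"val": X, ...}} wrapper used for timeouts/comments."""
    if isinstance(elem, dict) and "elem" in elem:
        return elem["elem"]["val"]
    return elem


def element_bounds(elem):
    """Return (ip_version, first, last) covered by one set element."""
    elem = _unwrap(elem)
    if isinstance(elem, str):
        addr = ipaddress.ip_address(elem)
        return addr.version, int(addr), int(addr)
    if "prefix" in elem:
        net = ipaddress.ip_network(
            f"{elem['prefix']['addr']}/{elem['prefix']['len']}", strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    if "range" in elem:
        lo, hi = (ipaddress.ip_address(a) for a in elem["range"])
        return lo.version, int(lo), int(hi)
    raise ValueError(f"unsupported set element: {elem!r}")


def candidate_bounds(text):
    """Bounds of the element being added: 'addr', 'addr/len' or 'lo-hi'."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(a.strip()) for a in text.split("-", 1))
        return lo.version, int(lo), int(hi)
    net = ipaddress.ip_network(text, strict=False)  # bare address -> /32 or /128
    return net.version, int(net.network_address), int(net.broadcast_address)


def render(elem):
    """Print an element the way `nft list set` would."""
    elem = _unwrap(elem)
    if isinstance(elem, str):
        return elem
    if "prefix" in elem:
        return f"{elem['prefix']['addr']}/{elem['prefix']['len']}"
    return f"{elem['range'][0]}-{elem['range'][1]}"


def overlapping_elements(list_set_json, candidate):
    """Existing elements whose range intersects the candidate (empty if none)."""
    doc = json.loads(list_set_json)
    sets = [obj["set"] for obj in doc["nftables"] if "set" in obj]
    if len(sets) != 1:
        raise ValueError("expected exactly one set in the listing")
    c_ver, c_lo, c_hi = candidate_bounds(candidate)
    hits = []
    for elem in sets[0].get("elem", []):
        ver, lo, hi = element_bounds(elem)
        # closed intervals intersect iff neither lies entirely before the other
        if ver == c_ver and lo <= c_hi and c_lo <= hi:
            hits.append(render(elem))
    return hits


def classify_eexist(list_set_json, candidate):
    """'legitimate' if something in the set already covers the candidate, else 'bogus'."""
    return "legitimate" if overlapping_elements(list_set_json, candidate) else "bogus"


if __name__ == "__main__":
    for cand in ("2001:db8:10:5::/64", "2001:db8:20::80", "2001:db8:50::/64"):
        print(cand, "->", classify_eexist(SAMPLE_LIST_SET, cand),
              overlapping_elements(SAMPLE_LIST_SET, cand))
```

On a live host, feed it `nft -j list set <family> <table> <set>` instead of the constructed sample, and pass the element named in the (now correctly located) error message. The same question can be put to nft directly with `nft get element <family> <table> <set> { <addr> }`, which on an interval set answers with the existing interval that contains the address, if any.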