netfilter buglog - May 2016 - [Bug 1071] New: nftables: set does not work within inet table with option flags interval

https://bugzilla.netfilter.org/show_bug.cgi?id=1071

            Bug ID: 1071
           Summary: nftables: set does not work within inet table with
                    option flags interval
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: jason.lee.campbell at gmail.com

I'm using nftables to combine my IPv4 and IPv6 into one ruleset, so using a
single inet table. This allows for single line edits, such as when I want to
enable ssh in, instead of editing two separate entries. I imagine separating
the rules would work, but defeats the purpose of allowing only a single line
edit.

I'm to the point that I want to import my text file of blocked IP subnets,
so
tried using set within an inet table. To allow subnets, the option flags
interval appears to be required. However, when I check the rules (nft -n -f
firewall.rules) with flags interval, I receive Operation not permitted. Without
the flags interval option, the rule check works, but then unable to add subnets
to the set.

I have run strace on the rule check, and here's the difference I have found.
The last line given in each example differ, where rule check working is
127.0.0.1 and rule check not working is ::ffff:127.0.0.1.

I am using the following versions, compiled today (5/31).

libnftnl-1.0.6-x86_64-1
nftables-e049f92bb7b98dfa218eda2b9b6f14506238abf2-x86_64-1


Without flags interval:

socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET6, sin6_port=htons(22), inet_pton(AF_INET6,
"::1",
&sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(45890), inet_pton(AF_INET6,
"::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
connect(5, {sa_family=AF_UNSPEC,
sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) 0
connect(5, {sa_family=AF_INET, sin_port=htons(22),
sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(38754), inet_pton(AF_INET6,
"::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0,
sin6_scope_id=0}, [28]) = 0


With flags interval:

socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET6, sin6_port=htons(22), inet_pton(AF_INET6,
"::1",
&sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(53024), inet_pton(AF_INET6,
"::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
connect(5, {sa_family=AF_UNSPEC,
sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) 0
connect(5, {sa_family=AF_INET, sin_port=htons(22),
sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(38635), inet_pton(AF_INET6,
"::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0,
sin6_scope_id=0}, [28]) = 0

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20160531/130e674d/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1071

--- Comment #1 from JLC <jason.lee.campbell at gmail.com> ---
Sorry, the pasted strace results do not differ. I was comparing the wrong
lines. Starting at that point, they differ.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20160531/4f935fdd/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1071

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Please, give a try to 4.7-rc1 and nft 0.6.

We have resolved issues with prefixes and named sets in these two releases.

Will be passing Linux kernel patches for -stable branches so this propagates
backward.

Thanks.

*** This bug has been marked as a duplicate of bug 1009 ***

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20160606/d769f833/attachment.html>