bugzilla-daemon at netfilter.org
2020-Jan-06 19:47 UTC
[Bug 1395] New: Add element fails with Error: Could not process rule: Invalid argument
https://bugzilla.netfilter.org/show_bug.cgi?id=1395

            Bug ID: 1395
           Summary: Add element fails with Error: Could not process rule: Invalid argument
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: sbezverk at cisco.com

Here is defined vmap:

table ip ipv4table {
        map no-endpoints-services {
                type inet_proto . ipv4_addr . inet_service : verdict
        }
}

When I try to add an element to the vmap I get an error:

```
sudo nft --debug all add element ipv4table no-endpoints-services { tcp . 192.168.80.104 . 8989 : goto do_reject }
Error: Could not process rule: Invalid argument
add element ipv4table no-endpoints-services { tcp . 192.168.80.104 . 8989 : goto do_reject }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```

nft -version
nftables v0.9.3 (Topsy)

--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2020-Jan-07 14:35 UTC
[Bug 1395] Add element fails with Error: Could not process rule: Invalid argument
https://bugzilla.netfilter.org/show_bug.cgi?id=1395

Serguei Bezverkhi <sbezverk at cisco.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sbezverk at cisco.com
bugzilla-daemon at netfilter.org
2020-Jan-09 16:32 UTC
[Bug 1395] Add element fails with Error: Could not process rule: Invalid argument
https://bugzilla.netfilter.org/show_bug.cgi?id=1395

Serguei Bezverkhi <sbezverk at cisco.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at nwl.cc

--- Comment #1 from Serguei Bezverkhi <sbezverk at cisco.com> ---
Tried with the latest kernel, see the same issue

Linux dev-ubuntu-1 5.4.10-050410-generic #202001091038 SMP Thu Jan 9 10:41:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
bugzilla-daemon at netfilter.org
2020-Jan-10 10:25 UTC
[Bug 1395] Add element fails with Error: Could not process rule: Invalid argument
https://bugzilla.netfilter.org/show_bug.cgi?id=1395

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
I cannot reproduce this.

table ip ipv4table {
        chain do_reject {
        }

        map no-endpoints-services {
                type inet_proto . ipv4_addr . inet_service : verdict
        }
}

Then I follow up with:

nft add element ipv4table no-endpoints-services { tcp . 192.168.80.104 . 8989 : goto do_reject }

and it works fine.
bugzilla-daemon at netfilter.org
2020-Jan-10 10:37 UTC
[Bug 1395] Add element fails with Error: Could not process rule: Invalid argument
https://bugzilla.netfilter.org/show_bug.cgi?id=1395

--- Comment #3 from Phil Sutter <phil at nwl.cc> ---
Same here, works fine with (more or less) recent nf kernel.
bugzilla-daemon at netfilter.org
2020-Jan-10 12:57 UTC
[Bug 1395] Add element fails with Error: Could not process rule: Invalid argument
https://bugzilla.netfilter.org/show_bug.cgi?id=1395

--- Comment #4 from Serguei Bezverkhi <sbezverk at cisco.com> ---
I do not know what to say, the same set of commands does not work on my side. I tried on both 5.3.0 and 5.4.10 kernels.
I get the same error from the netlink when I use API to talk directly to netlink.

Any debug I could enable to see why it fails in my case?
bugzilla-daemon at netfilter.org
2020-Jan-10 13:21 UTC
[Bug 1395] Add element fails with Error: Could not process rule: Invalid argument
https://bugzilla.netfilter.org/show_bug.cgi?id=1395

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEW

--- Comment #5 from Phil Sutter <phil at nwl.cc> ---
(In reply to Serguei Bezverkhi from comment #4)
> I do not know what to say, the same set of commands does not work on my
> side. I tried on both 5.3.0 and 5.4.10 kernels.
> I get the same error from the netlink when I use API to talk directly to
> netlink.
>
> Any debug I could enable to see why it fails in my case?

It also works for me on Gentoo's 5.4.3 kernel. Maybe compare netlink debug output:

# nft --debug=netlink add element ipv4table no-endpoints-services '{ tcp . 192.168.80.104 . 8989 : goto do_reject }'
no-endpoints-services ipv4table 0
        element 00000006 6850a8c0 00001d23 : 0 [end]

Did you try using a number instead of 'tcp'? Does it work with a more simple key instead of the three concatenated types?
bugzilla-daemon at netfilter.org
2020-Jan-10 15:40 UTC
[Bug 1395] Add element fails with Error: Could not process rule: Invalid argument
https://bugzilla.netfilter.org/show_bug.cgi?id=1395

--- Comment #6 from Serguei Bezverkhi <sbezverk at cisco.com> ---
Please close it, the api library was not aligning the size of each element to 4 bytes border, but only the total size. I changed the behavior and now I can add element to the set.
Thank you very much for your help.
bugzilla-daemon at netfilter.org
2020-Jan-10 16:47 UTC
[Bug 1395] Add element fails with Error: Could not process rule: Invalid argument
https://bugzilla.netfilter.org/show_bug.cgi?id=1395

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #7 from Phil Sutter <phil at nwl.cc> ---
(In reply to Serguei Bezverkhi from comment #6)
> Please close it, the api library was not aligning the size of each element
> to 4 bytes border, but only the total size. I changed the behavior and now I
> can add element to the set.
> Thank you very much for your help.

I'm glad the problem is gone, but I wonder how you managed to reproduce it using nft alone?
bugzilla-daemon at netfilter.org
2020-Jan-10 17:08 UTC
[Bug 1395] Add element fails with Error: Could not process rule: Invalid argument
https://bugzilla.netfilter.org/show_bug.cgi?id=1395

--- Comment #8 from Serguei Bezverkhi <sbezverk at cisco.com> ---
That is what got me really confused. It turned out that when set gets created, there is no check for alignment of concat elements and what is more surprising, nft list was showing set properly with 3 concat elements. The issue of elements alignment became visible only when I tried to add elements to the set. The set was created within my go code, but tests with adding elements were done with nft cli tool. Visually set created by nft and my go code were identical which added lots of confusion.
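
Added example, not part of the bug thread and not code from the reporter's library or from nftables: a Go sketch of the two layouts discussed in comments #6 and #8 for the key `tcp . 192.168.80.104 . 8989`, one padding every concatenated field to a 4-byte border and one padding only the total size. All function names are hypothetical, and the word rendering assumes the little-endian host order seen in the netlink debug line of comment #5.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"strings"
)

const regSize = 4 // each concatenated field occupies whole 4-byte units

// pad zero-fills b up to the next multiple of regSize.
func pad(b []byte) []byte {
	return append(b, make([]byte, (regSize-len(b)%regSize)%regSize)...)
}

// concatKey pads after every field, so each field starts on a 4-byte border.
func concatKey(fields ...[]byte) []byte {
	var key []byte
	for _, f := range fields {
		key = pad(append(key, f...))
	}
	return key
}

// totalPaddedKey packs fields back to back and pads only the total size (the behaviour reported in comment #6).
func totalPaddedKey(fields ...[]byte) []byte {
	return pad(bytes.Join(fields, nil))
}

// debugWords renders a key as little-endian 32-bit words (assumed host order).
func debugWords(key []byte) string {
	var w []string
	for i := 0; i+regSize <= len(key); i += regSize {
		w = append(w, fmt.Sprintf("%08x", binary.LittleEndian.Uint32(key[i:])))
	}
	return strings.Join(w, " ")
}

// sampleFields is the thread's key: inet_proto 6 (tcp), the IPv4 address,
// and port 8989 in network byte order. Constructed for this example.
func sampleFields() [][]byte {
	return [][]byte{{6}, {192, 168, 80, 104}, {0x23, 0x1d}}
}

func main() {
	f := sampleFields()
	fmt.Println("per-field padding: ", debugWords(concatKey(f...)))
	fmt.Println("total-only padding:", debugWords(totalPaddedKey(f...)))
}
```

With per-field padding the key is 12 bytes and prints the same three words as the debug output in comment #5; with total-only padding it is 8 bytes and the address and port no longer start on a 4-byte border.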