bugzilla-daemon at netfilter.org
2020-May-27 12:55 UTC
[Bug 1431] New: flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
Bug ID: 1431
Summary: flush set doesn't work as expected in script
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: minor
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: jimmyz.z at gmail.com
# nft list ruleset
table ip potato {
set potato {
type ipv4_addr
flags interval
elements = { 0.0.0.0-255.255.255.255 }
}
}
# cat b.nft
flush set ip potato potato;
add element ip potato potato {
10.0.0.0/8
}
# nft -f b.nft
b.nft:3:9-18: Error: interval overlaps with an existing one
10.0.0.0/8
^^^^^^^^^^
b.nft:2:1-2: Error: Could not process rule: Success
add element ip potato potato {
^^
# nft flush set ip potato potato
# nft -f b.nft
# nft list ruleset
table ip potato {
set potato {
type ipv4_addr
flags interval
elements = { 10.0.0.0/8 }
}
}
I think the example will do a better job explaining than my English.
This was tested on Debian Buster with kernel 4.19 and nft 0.9.0, and Arch with
kernel 5.4 and nft 0.9.4.
An alternative approach to delete set - add set instead of flush set - add
elements will work, so this is not a usability issue, but I think a bug is a
bug.
Thank you for your time.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200527/3872c9c7/attachment.html>
bugzilla-daemon at netfilter.org
2020-Jul-13 23:27 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
Timo Sigurdsson <public_timo.s at silentcreek.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |public_timo.s at silentcreek.d
| |e
--- Comment #1 from Timo Sigurdsson <public_timo.s at silentcreek.de> ---
I can confirm this is an issue. And it's actually more than just a usability
issue, it is a bug because it breaks atomicity when trying to update/reload a
set.
My test case is very simple. Assume the following set:
`nft add set inet filter testset { type ipv4_addr; flags interval; }'
Now create a script file a.nft with the following content:
flush set inet filter testset
add element inet filter testset { 192.168.0.0/16 }
Load the file with `nft -f a.nft' and it will work just fine.
Now create a second script file b.nft with the following content:
flush set inet filter testset
add element inet filter testset { 192.168.0.0/16, 172.16.0.0/12 }
Load the new file with `nft -f b.nft' and it will also just be fine.
But now take this example c.nft:
flush set inet filter testset
add element inet filter testset { 192.168.0.0/24, 172.16.0.0/12 }
Trying to run `nft -f c.nft' will result in the error:
Interval overlaps with an existing one
Summing up: While you can reload an existing set if it's unchanged, or with
added or removed elements, you cannot reload a set where the extent of an
interval is changed!
bugzilla-daemon at netfilter.org
2020-Jul-13 23:28 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
--- Comment #2 from Timo Sigurdsson <public_timo.s at silentcreek.de> ---
Oh, and one more thing. This also happens on Ubuntu 20.04 with a more recent nft
version 0.9.3.
bugzilla-daemon at netfilter.org
2020-Jul-14 03:22 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
--- Comment #3 from James Zeng <jimmyz.z at gmail.com> ---
My previous comment about the alternative approach to delete set - add set is
inaccurate, it works in this kind of test but not in real world applications,
since if the set is referenced by any rule, nft will not allow you to delete it.
The only workaround is flush ruleset and reload all.
I don't think this breaks atomicity though, since in the failing case, the set
is left in the previous state, not an intermittent state.
bugzilla-daemon at netfilter.org
2020-Jul-14 08:16 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
--- Comment #4 from Timo Sigurdsson <public_timo.s at silentcreek.de> ---
(In reply to James Zeng from comment #3)
> My previous comment about the alternative approach to delete set - add set
> is inaccurate, it works in this kind of test but not in real world
> applications, since if the set is referenced by any rule, nft will not allow
> you to delete it.
>
> The only workaround is flush ruleset and reload all.
>
> I don't think this breaks atomicity though, since in the failing case, the
> set is left in the previous state, not an intermittent state.
Sorry, I should have been clearer on this. What I meant is that you can flush
the set before loading your script file and that will work. You don't have to
delete the set entirely. So, in your case:
# nft flush set ip potato potato
followed by
# nft -f b.nft
should work just fine, regardless of overlapping intervals. But that obviously
breaks atomicity, because for a short moment, your set will be empty.
Another workaround, as you pointed out, is to reload the entire ruleset which
includes the set. That may be an atomic operation but it has other
disadvantages depending on your rules. It will e.g. reset all counters and
other stateful objects such as dynamically populated sets. Depending on your
setup, you may not want that (I have a use case where reloading the entire
ruleset isn't a good option).
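A small model of the batch semantics discussed in comments #0, #1 and #4, added here as an illustration; it is not nftables code and does not reproduce the upstream fix. It assumes, as the thread's observations suggest, that the affected versions validated each `add element` against the set's contents as they were before the batch (so the pending `flush set` was ignored), that re-adding an interval that is exactly present is accepted, and that a rejected batch leaves the set untouched. The names `apply_batch`, `reload_set`, `reload_outcome` and `reload_two_step` are made up for this example. It runs James' and Timo's test cases under both the reported and the expected behaviour, and shows the empty intermediate state of the flush-then-load workaround that comment #4 describes.

```python
import ipaddress
from typing import List, Tuple

Interval = Tuple[int, int]  # half-open [lo, hi) over integer IPv4 addresses


class OverlapError(ValueError):
    """Mirrors nft's 'interval overlaps with an existing one' error."""


def parse_interval(text: str) -> Interval:
    """Accept '10.0.0.0/8' or '0.0.0.0-255.255.255.255' (nft interval syntax)."""
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        return int(first), int(last) + 1
    net = ipaddress.IPv4Network(text.strip(), strict=False)
    return int(net.network_address), int(net.broadcast_address) + 1


def overlaps(a: Interval, b: Interval) -> bool:
    """True when the two half-open intervals share at least one address."""
    return a[0] < b[1] and b[0] < a[1]


def apply_batch(elements: List[Interval], batch, pre_flush_bug: bool) -> List[Interval]:
    """Apply one 'nft -f' batch: a list of ("flush",) / ("add", "<interval>") commands.

    pre_flush_bug=True models the behaviour reported in this thread (assumption:
    each add was checked against the set contents from before the batch, so the
    pending flush was ignored). pre_flush_bug=False checks against the state the
    batch has built up so far. In both modes the batch is atomic: on
    OverlapError the caller's list is left unchanged.
    """
    original = list(elements)
    staged = list(elements)
    for cmd in batch:
        if cmd[0] == "flush":
            staged = []
            continue
        if cmd[0] != "add":
            raise ValueError(f"unknown command {cmd!r}")
        new = parse_interval(cmd[1])
        reference = original + staged if pre_flush_bug else staged
        if new not in reference:  # exact re-add of a known interval is a no-op
            for existing in reference:
                if overlaps(existing, new):
                    raise OverlapError(f"interval overlaps with an existing one: {cmd[1]}")
        if new not in staged:
            staged.append(new)
    return staged


def reload_set(elements, members, pre_flush_bug):
    """One script file: 'flush set' followed by 'add element' for every member."""
    batch = [("flush",)] + [("add", m) for m in members]
    return apply_batch(elements, batch, pre_flush_bug)


def reload_outcome(elements, members, pre_flush_bug):
    """Return the new contents, or the error text nft would print."""
    try:
        return reload_set(elements, members, pre_flush_bug)
    except OverlapError as exc:
        return f"Error: {exc}"


def reload_two_step(elements, members):
    """The workaround from comment #4: 'nft flush set ...' then 'nft -f'.

    Returns the state between the two commands and the final state. The
    intermediate empty set is the non-atomic window the thread warns about:
    for that moment, rules matching on the set see no members at all.
    """
    after_flush = apply_batch(elements, [("flush",)], pre_flush_bug=True)
    final = apply_batch(after_flush, [("add", m) for m in members], pre_flush_bug=True)
    return after_flush, final


if __name__ == "__main__":
    # Constructed from the thread's test cases (comment #0 and comment #1).
    potato = [parse_interval("0.0.0.0-255.255.255.255")]
    testset = [parse_interval("192.168.0.0/16"), parse_interval("172.16.0.0/12")]
    for bug in (True, False):
        print("pre_flush_bug=%s:" % bug)
        print("  b.nft (James):", reload_outcome(potato, ["10.0.0.0/8"], bug))
        print("  c.nft (Timo): ", reload_outcome(testset, ["192.168.0.0/24", "172.16.0.0/12"], bug))
    print("two-step workaround, intermediate state:", reload_two_step(potato, ["10.0.0.0/8"])[0])
```

The model distinguishes the two failure modes in the thread: with `pre_flush_bug=True` the single-script reload fails but the set keeps its old contents (James' point in comment #3), while `reload_two_step` succeeds but passes through an empty set (Timo's point in comment #4).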
bugzilla-daemon at netfilter.org
2020-Jul-14 13:28 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
kfm at plushkava.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Jul-29 22:00 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to James Zeng from comment #0)
> # nft list ruleset
> table ip potato {
> set potato {
> type ipv4_addr
> flags interval
> elements = { 0.0.0.0-255.255.255.255 }
> }
> }
>
> # cat b.nft
> flush set ip potato potato;
> add element ip potato potato {
> 10.0.0.0/8
> }
>
> # nft -f b.nft
> b.nft:3:9-18: Error: interval overlaps with an existing one
> 10.0.0.0/8
> ^^^^^^^^^^
Upstream fix is available in git.
http://git.netfilter.org/nftables/commit/?id=40ef308e19b6db02017a8a650406b0c6d37be750
Thanks for reporting.
bugzilla-daemon at netfilter.org
2020-Jul-30 00:02 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
--- Comment #6 from Timo Sigurdsson <public_timo.s at silentcreek.de> ---
(In reply to Pablo Neira Ayuso from comment #5)
> (In reply to James Zeng from comment #0)
> > # nft list ruleset
> > table ip potato {
> > set potato {
> > type ipv4_addr
> > flags interval
> > elements = { 0.0.0.0-255.255.255.255 }
> > }
> > }
> >
> > # cat b.nft
> > flush set ip potato potato;
> > add element ip potato potato {
> > 10.0.0.0/8
> > }
> >
> > # nft -f b.nft
> > b.nft:3:9-18: Error: interval overlaps with an existing one
> > 10.0.0.0/8
> > ^^^^^^^^^^
>
> Upstream fix is available in git.
>
> http://git.netfilter.org/nftables/commit/?id=40ef308e19b6db02017a8a650406b0c6d37be750
>
> Thanks for reporting.
Hi Pablo,
I tried this and it didn't work. Both James' and my testcases continue to fail
with the suggested fix. As mentioned in my other bug, I tried this on Ubuntu
20.04 and built nftables and libnftnl from source (at commits 7c9bef0 and
330ca1c respectively) and nft now identifies as: nftables v0.9.6 (Capital Idea
#2).
Thanks and regards,
Timo
bugzilla-daemon at netfilter.org
2020-Jul-30 02:43 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
--- Comment #7 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Using James' test case, this works for me with 7c9bef0c0312
# cat potato.nft
table ip potato {
set potato {
type ipv4_addr
flags interval
elements = { 0.0.0.0-255.255.255.255 }
}
}
# nft -f potato.nft
# cat b.nft
flush set ip potato potato;
add element ip potato potato {
10.0.0.0/8
}
# nft -f b.nft
# nft list ruleset
table ip potato {
set potato {
type ipv4_addr
flags interval
elements = { 10.0.0.0/8 }
}
}
Are you sure you're running a fresh nft binary compiled from sources?
bugzilla-daemon at netfilter.org
2020-Jul-30 18:58 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
--- Comment #8 from Timo Sigurdsson <public_timo.s at silentcreek.de> ---
(In reply to Pablo Neira Ayuso from comment #7)
> Using James' test case, this works for me with 7c9bef0c0312
[...]
> Are you sure you're running a fresh nft binary compiled from sources?
I thought I was since Ubuntu 20.04 ships nftables 0.9.3 and nft -v returned
0.9.6. But I have removed all related packages and installed the binaries built
from source again, and now it works. Maybe the new nft binary was still using
old libraries? I don't know. But in any case: Your fix works, so, sorry for the
noise.
bugzilla-daemon at netfilter.org
2020-Jul-30 19:10 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #9 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Timo Sigurdsson from comment #8)
> (In reply to Pablo Neira Ayuso from comment #7)
> > Using James' test case, this works for me with 7c9bef0c0312
> [...]
> > Are you sure you're running a fresh nft binary compiled from sources?
>
> I thought I was since Ubuntu 20.04 ships nftables 0.9.3 and nft -v returned
> 0.9.6. But I have removed all related packages and installed the binaries
> built from source again, and now it works. Maybe the new nft binary was
> still using old libraries? I don't know. But in any case: Your fix works,
> so, sorry for the noise.
Yes, most likely it was finding the old library in the first place. Just check
with ldd next time to make sure you use the fresh library.
Thank you for confirming this works for you, closing this ticket.
bugzilla-daemon at netfilter.org
2020-Jul-30 19:12 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pc at hillside.co.uk
--- Comment #10 from Pablo Neira Ayuso <pablo at netfilter.org> ---
*** Bug 1404 has been marked as a duplicate of this bug. ***
bugzilla-daemon at netfilter.org
2020-Jul-30 19:17 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
kfm at plushkava.net changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugzilla.netfilter.
| |org/show_bug.cgi?id=1392
bugzilla-daemon at netfilter.org
2020-Aug-26 06:47 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
--- Comment #11 from pc at hillside.co.uk ---
Has this fix been included in the 0.9.6 release of nft? If so then I am still
getting the same problems.
bugzilla-daemon at netfilter.org
2020-Aug-26 06:55 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
--- Comment #12 from kfm at plushkava.net ---
(In reply to pc from comment #11)
> Has this fix been included in the 0.9.6 release of nft?
No. The commit containing the fix post-dates the one bearing the "v0.9.6" tag.
bugzilla-daemon at netfilter.org
2020-Aug-26 06:56 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
--- Comment #13 from pc at hillside.co.uk ---
Thanks.
bugzilla-daemon at netfilter.org
2020-Aug-26 06:58 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
--- Comment #14 from pc at hillside.co.uk ---
Thanks. My nftables firewall builder https://github.com/pcollinson/nftfw will
work better when this is fixed.
bugzilla-daemon at netfilter.org
2020-Aug-26 06:59 UTC
[Bug 1431] flush set doesn't work as expected in script
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
--- Comment #15 from pc at hillside.co.uk ---
Thanks. My nftables firewall builder https://github.com/pcollinson/nftfw will
work better when this is fixed.