bugzilla-daemon at netfilter.org
2020-Aug-20 04:16 UTC
[Bug 1451] New: nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

Bug ID: 1451
Summary: nft add element fails when preceded by nft get element or nft delete element commands
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Ubuntu
Status: NEW
Severity: blocker
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: oliver at urbanotter.com
CC: kfm at plushkava.net

Hello,

Running on Ubuntu 20.04 with kernel 5.8.1 and nftables 0.9.6.

I've come across some odd behaviour while scripting nft commands. The script updates nftables sets with ipv4 or ipv6 addresses in a loop. The sets have the timeout flag set.

When I use a straight 'nft add element inet filter "$SET" { "$j" }' command in a for loop, each item ($j) is added to a set ($SET). If an element already exists, I get the expected error:

    Error: Could not process rule: File exists

That's fine. It's expected. This is not the problem. Any element that doesn't exist in the set does get properly added 100% of the time.

I recently updated the script to include a 'nft get element inet filter "$SET" { "$j" }' command prior to the nft add command. If the element exists, no error appears and subsequent commands run correctly. If the element does not exist, I get the expected error:

    Error: Could not process rule: No such file or directory

That's also fine and expected, and this is also not the problem.

The problem occurs when I run the nft get command, receive the error that the element DOES NOT exist, then run the nft add command. In this scenario, I get the following error off the nft add command, which IS NOT expected:

    Error: Could not process rule: File exists
Here's an eval debug output of one such sequence IN REVERSE ORDER starting at the bottom (comes from journalctl -r):

    Aug 20 03:28:48 lab-migw bash[2759658]: ATTEMPTED ADD OPERATION BELOW - add 54.175.52.184 to report_cb_4
    Aug 20 03:28:48 lab-migw bash[2760837]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760837]: Error: Could not process rule: File exists
    Aug 20 03:28:48 lab-migw bash[2760837]: 54.175.52.184
    Aug 20 03:28:48 lab-migw bash[2760837]: ^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760837]: Evaluate value
    Aug 20 03:28:48 lab-migw bash[2760837]: $54.175.52.184
    Aug 20 03:28:48 lab-migw bash[2760837]: ^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760837]: Evaluate symbol
    Aug 20 03:28:48 lab-migw bash[2760837]: $54.175.52.184
    Aug 20 03:28:48 lab-migw bash[2760837]: ^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760837]: Evaluate set element
    Aug 20 03:28:48 lab-migw bash[2760837]: { $54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760837]: ^^^^^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760837]: Evaluate set
    Aug 20 03:28:48 lab-migw bash[2760837]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760837]: Evaluate add
    Aug 20 03:28:48 lab-migw bash[2759658]: ATTEMPTED GET OPERATION BELOW - get 54.175.52.184 from report_cb_4
    Aug 20 03:28:48 lab-migw bash[2760836]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760836]: Error: Could not process rule: No such file or directory
    Aug 20 03:28:48 lab-migw bash[2760836]: 54.175.52.184
    Aug 20 03:28:48 lab-migw bash[2760836]: ^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760836]: Evaluate value
    Aug 20 03:28:48 lab-migw bash[2760836]: $54.175.52.184
    Aug 20 03:28:48 lab-migw bash[2760836]: ^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760836]: Evaluate symbol
    Aug 20 03:28:48 lab-migw bash[2760836]: $54.175.52.184
    Aug 20 03:28:48 lab-migw bash[2760836]: ^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760836]: Evaluate set element
    Aug 20 03:28:48 lab-migw bash[2760836]: { $54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760836]: ^^^^^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760836]: Evaluate set
    Aug 20 03:28:48 lab-migw bash[2760836]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 { 54.175.52.184 }
    Aug 20 03:28:48 lab-migw bash[2760836]: Evaluate get

Code to reproduce quickly is here:

    IFS=' ' read -ra TEMP <<< "$RAW_RESULTS"
    for j in ${TEMP[*]}; do
        nft -d eval get element inet filter "$SET" { "$j" }
        printf "%s\n" "ATTEMPTED GET OPERATION - get $j from $SET"
        nft -d eval add element inet filter "$SET" { "$j" }
        printf "%s\n" "ATTEMPTED ADD OPERATION - add $j to $SET"
    done

where $RAW_RESULTS is just a string of ipv4 or ipv6 addresses separated by a single blank space (which I've verified is only a single blank space).
I believe I've also seen this behaviour where an 'nft delete element inet filter "$SET" { "$j" }' command is used in place of the nft get command.

This is a blocker for me right now as I need to be able to update these sets so the timers reset when there's an update. To do this, I:

1) nft get (to confirm if the element exists)
2) nft delete (if the element exists)
3) nft add (after a delete or if the element does not exist)

I'm presently getting the above errors each time an element DOES NOT exist or in some situations where an nft delete is performed (I don't have logs for that one right now). As such, my sets are not only not updating but they are losing elements because the elements get deleted and not replaced! Some sets have 100 or more elements, some only have 1.

Any help would be appreciated.

Regards,
Oliver
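Because journalctl -r prints the newest line first and every nft invocation in the loop runs as its own child (a different bash[PID]), reading these traces by eye is error-prone. The following Python script is an added example and not part of the bug report: it takes a reverse-ordered journal excerpt, restores chronological order, groups the lines by PID into one record per nft invocation, and flags an add that fails with EEXIST right after a get or delete on the same element reported it absent (or removed it). The sample input is a constructed excerpt built from the trace above; the 3.96.72.62 get/add pair with PIDs 2760840 and 2760841 is made up to show that a healthy sequence is not flagged.

```python
import re
from collections import OrderedDict

# One journal line: "<Mon dd HH:MM:SS> <host> bash[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"bash\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The command line nft echoes under -d eval and underneath an error message.
CMD_RE = re.compile(
    r"^(?P<op>get|add|delete) element (?P<family>\S+) (?P<table>\S+) "
    r"(?P<set>\S+) \{ (?P<elem>[^}]*?) \}$"
)
ERR_RE = re.compile(r"^Error: (?P<text>.+)$")

# Map nft's strerror() text back to the errno the kernel returned.
ERRNO = {
    "Could not process rule: File exists": "EEXIST",
    "Could not process rule: No such file or directory": "ENOENT",
}


def parse_journal(lines, newest_first=True):
    """Return one record per nft invocation, in chronological order.

    Each record is {'pid', 'op', 'set', 'elem', 'outcome'}; outcome is 'ok'
    (no Error line), 'EEXIST', 'ENOENT', or the raw text of an unrecognised
    error. The parent shell's printf markers produce no record, and the
    repeated -d eval echoes of a command fold into that PID's single record.
    """
    ordered = list(lines)
    if newest_first:          # journalctl -r output: undo the reversal
        ordered.reverse()
    by_pid = OrderedDict()    # insertion order == first appearance == chronology
    for line in ordered:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = by_pid.setdefault(
            m["pid"],
            {"pid": m["pid"], "op": None, "set": None, "elem": None, "outcome": "ok"},
        )
        c = CMD_RE.match(m["msg"])
        if c:
            if rec["op"] is None:   # first echo of the command fixes op/set/elem
                rec.update(op=c["op"], set=c["set"], elem=c["elem"].strip())
            continue
        e = ERR_RE.match(m["msg"])
        if e:                       # keep the last error nft printed for this PID
            rec["outcome"] = ERRNO.get(e["text"], e["text"])
    return [r for r in by_pid.values() if r["op"] is not None]


def find_inconsistencies(records):
    """Flag an add that fails with EEXIST although the previous operation on
    the same (set, element) reported the element absent or deleted it."""
    last = {}
    findings = []
    for rec in records:
        key = (rec["set"], rec["elem"])
        prev = last.get(key)
        if rec["op"] == "add" and rec["outcome"] == "EEXIST" and prev is not None:
            absent_before = (prev["op"] == "get" and prev["outcome"] == "ENOENT") or (
                prev["op"] == "delete" and prev["outcome"] in ("ok", "ENOENT")
            )
            if absent_before:
                findings.append({
                    "set": rec["set"], "elem": rec["elem"], "add_pid": rec["pid"],
                    "prev_op": prev["op"], "prev_outcome": prev["outcome"],
                    "prev_pid": prev["pid"],
                })
        last[key] = rec
    return findings


# Constructed excerpt in journalctl -r order (newest line first). The
# 54.175.52.184 lines come from the report; the 3.96.72.62 pair (PIDs
# 2760840 and 2760841) is made up as a healthy get/add sequence.
SAMPLE_JOURNAL_R = """\
Aug 20 03:28:48 lab-migw bash[2760841]: add element inet filter report_cb_4 { 3.96.72.62 }
Aug 20 03:28:48 lab-migw bash[2760841]: Evaluate add
Aug 20 03:28:48 lab-migw bash[2760840]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760840]: get element inet filter report_cb_4 { 3.96.72.62 }
Aug 20 03:28:48 lab-migw bash[2760840]: Error: Could not process rule: No such file or directory
Aug 20 03:28:48 lab-migw bash[2760840]: get element inet filter report_cb_4 { 3.96.72.62 }
Aug 20 03:28:48 lab-migw bash[2760840]: Evaluate get
Aug 20 03:28:48 lab-migw bash[2759658]: ATTEMPTED ADD OPERATION BELOW - add 54.175.52.184 to report_cb_4
Aug 20 03:28:48 lab-migw bash[2760837]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 { 54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760837]: Error: Could not process rule: File exists
Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 { 54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760837]: Evaluate add
Aug 20 03:28:48 lab-migw bash[2759658]: ATTEMPTED GET OPERATION BELOW - get 54.175.52.184 from report_cb_4
Aug 20 03:28:48 lab-migw bash[2760836]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 { 54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760836]: Error: Could not process rule: No such file or directory
Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 { 54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760836]: Evaluate get
"""


def analyze(journal_text, newest_first=True):
    """Convenience wrapper: raw journal text in, list of findings out."""
    return find_inconsistencies(parse_journal(journal_text.splitlines(), newest_first))


if __name__ == "__main__":
    for f in analyze(SAMPLE_JOURNAL_R):
        print(f"{f['set']} {f['elem']}: add (pid {f['add_pid']}) got EEXIST right after "
              f"{f['prev_op']} (pid {f['prev_pid']}) returned {f['prev_outcome']}")
```

Run it on a real capture with `journalctl -r -u <unit> | python3 nft_trace.py` after swapping the sample for stdin; the only assumption about the log format is the `bash[PID]:` prefix that journald adds for a script run as a unit.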
bugzilla-daemon at netfilter.org
2020-Aug-20 15:07 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #1 from Oliver O'Boyle <oliver at urbanotter.com> ---

Some other interesting bits of information that may help:

1) If I include a second nft add attempt after a 30 second delay, this second attempt also fails with the same error.

2) If the nft get is successful, the nft add is successful, as I mentioned earlier. However, if I apply the same second nft add after a 30 second delay, I do not receive ANY error at all indicating the record already exists, even though the first nft add was successfully able to install the element in the set and the element exists.

There's definitely a bug here.

Oliver
bugzilla-daemon at netfilter.org
2020-Aug-20 15:19 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #2 from Oliver O'Boyle <oliver at urbanotter.com> ---

And just to close the loop, if I insert a nft delete command in between the nft get and nft add commands, I get an error saying the element doesn't exist but then the nft add still fails. Logs below (IN REVERSE ORDER, bottom up):

    Aug 20 15:16:14 lab-migw bash[861945]: ATTEMPTED ADD OPERATION #1 BELOW - add 13.225.226.203 to report_cb_4
    Aug 20 15:16:14 lab-migw bash[863800]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863800]: add element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863800]: Error: Could not process rule: File exists
    Aug 20 15:16:14 lab-migw bash[863800]: 13.225.226.203
    Aug 20 15:16:14 lab-migw bash[863800]: ^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863800]: add element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863800]: Evaluate value
    Aug 20 15:16:14 lab-migw bash[863800]: $13.225.226.203
    Aug 20 15:16:14 lab-migw bash[863800]: ^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863800]: add element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863800]: Evaluate symbol
    Aug 20 15:16:14 lab-migw bash[863800]: $13.225.226.203
    Aug 20 15:16:14 lab-migw bash[863800]: ^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863800]: add element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863800]: Evaluate set element
    Aug 20 15:16:14 lab-migw bash[863800]: { $13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863800]: ^^^^^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863800]: add element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863800]: Evaluate set
    Aug 20 15:16:14 lab-migw bash[863800]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863800]: add element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863800]: Evaluate add
    Aug 20 15:16:14 lab-migw bash[861945]: ATTEMPTED DEL OPERATION #1 BELOW - get 13.225.226.203 from report_cb_4
    Aug 20 15:16:14 lab-migw bash[863799]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863799]: delete element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863799]: Error: Could not process rule: No such file or directory
    Aug 20 15:16:14 lab-migw bash[863799]: ^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863799]: delete element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863799]: Error: interval not found in set
    Aug 20 15:16:14 lab-migw bash[863799]: 13.225.226.203
    Aug 20 15:16:14 lab-migw bash[863799]: ^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863799]: delete element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863799]: Evaluate value
    Aug 20 15:16:14 lab-migw bash[863799]: $13.225.226.203
    Aug 20 15:16:14 lab-migw bash[863799]: ^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863799]: delete element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863799]: Evaluate symbol
    Aug 20 15:16:14 lab-migw bash[863799]: $13.225.226.203
    Aug 20 15:16:14 lab-migw bash[863799]: ^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863799]: delete element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863799]: Evaluate set element
    Aug 20 15:16:14 lab-migw bash[863799]: { $13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863799]: ^^^^^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863799]: delete element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863799]: Evaluate set
    Aug 20 15:16:14 lab-migw bash[863799]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863799]: delete element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863799]: Evaluate delete
    Aug 20 15:16:14 lab-migw bash[861945]: ATTEMPTED GET OPERATION #1 BELOW - get 13.225.226.203 from report_cb_4
    Aug 20 15:16:14 lab-migw bash[863798]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863798]: get element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863798]: Error: Could not process rule: No such file or directory
    Aug 20 15:16:14 lab-migw bash[863798]: 13.225.226.203
    Aug 20 15:16:14 lab-migw bash[863798]: ^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863798]: get element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863798]: Evaluate value
    Aug 20 15:16:14 lab-migw bash[863798]: $13.225.226.203
    Aug 20 15:16:14 lab-migw bash[863798]: ^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863798]: get element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863798]: Evaluate symbol
    Aug 20 15:16:14 lab-migw bash[863798]: $13.225.226.203
    Aug 20 15:16:14 lab-migw bash[863798]: ^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863798]: get element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863798]: Evaluate set element
    Aug 20 15:16:14 lab-migw bash[863798]: { $13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863798]: ^^^^^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863798]: get element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863798]: Evaluate set
    Aug 20 15:16:14 lab-migw bash[863798]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Aug 20 15:16:14 lab-migw bash[863798]: get element inet filter report_cb_4 { 13.225.226.203 }
    Aug 20 15:16:14 lab-migw bash[863798]: Evaluate get
bugzilla-daemon at netfilter.org
2020-Aug-20 15:42 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #3 from Oliver O'Boyle <oliver at urbanotter.com> ---

And I tried to add multiple elements in the same nft add executed after an nft get command, but that also fails if one of those elements is not in the set. E.g.: { 20.36.222.39,13.86.124.174,20.185.109.208 }. But if I run the nft add command on its own without the nft get command before it, the nft add command processes correctly.
bugzilla-daemon at netfilter.org
2020-Aug-23 21:17 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

kfm at plushkava.net changed:

    What     | Removed | Added
    ---------|---------|------------------------------------------------------
    See Also |         | https://bugzilla.netfilter.org/show_bug.cgi?id=1392
bugzilla-daemon at netfilter.org
2020-Aug-24 02:09 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #4 from kfm at plushkava.net ---

I tried to reproduce the issue with nftables-0.9.6, libnftnl-1.1.7 and Linux 5.7.17 but haven't been able to do so far. I tested with a set whose declaration consists of only "type ipv4_addr". I then generated 1000 random IPv4 addresses and wrote a tiny script to add them, one per invocation of nft, as you do.

Curiously, I'm finding that adding an element that already exists elicits no error, a phenomenon also mentioned in the linked bug. Preceding the command that adds with one that gets doesn't adversely affect the process either.

Does your set declaration contain anything other than the type?
bugzilla-daemon at netfilter.org
2020-Aug-24 02:10 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #5 from kfm at plushkava.net ---

s/do so far/do so, so far/
bugzilla-daemon at netfilter.org
2020-Aug-24 02:15 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #6 from kfm at plushkava.net ---

Sorry, I missed the part about the timeout flag being present on the first reading. Still, I can't reproduce the issue. If you have any thoughts as to how to better mimic your setup, I would welcome them.
bugzilla-daemon at netfilter.org
2020-Aug-24 11:30 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #7 from Pablo Neira Ayuso <pablo at netfilter.org> ---

Could you give a try to this kernel patch?

https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=226a88de473e475cb9f993682a1c7d0c2b451ad8
bugzilla-daemon at netfilter.org
2020-Aug-24 15:04 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #8 from Oliver O'Boyle <oliver at urbanotter.com> ---

Thanks for looking into this.

When I was running on 0.9.3, I also didn't see errors even though the elements existed in the sets. They only started appearing after I went to 0.9.6 and the 5.8.1 kernel. But I think this was still happening under the hood.

    libnftables1:amd64 0.9.6-1
    libnftnl11:amd64 1.1.7-1
    nftables 0.9.6-1
    kernel 5.8.1-050801-generic

Will look at that kernel patch.
bugzilla-daemon at netfilter.org
2020-Aug-25 05:26 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #9 from Oliver O'Boyle <oliver at urbanotter.com> ---

Ok, I'm now getting the same results as you mention in comment 4. I tried for hours to reproduce it as per the logs below, but can't. I'm thinking that I may have been using a more complex set of instructions that included a 'delete' command in there when I grabbed the logs. I simplified it after to what I posted in this bug, however.

I say that because I can reproduce the error when I insert a 'delete' in between the 'get' and 'add'. This is what I'm using now, and it generates errors on the 'add':

    IFS=' ' read -ra TEMP <<< "$RAW_RESULTS"
    for j in ${TEMP[*]}; do
        nft get element inet filter "$SET" { "$j" }
        printf "%s\n" "ATTEMPTED GET OPERATION #1 - get $j from $SET"
        nft delete element inet filter "$SET" { "$j" }
        printf "%s\n" "ATTEMPTED DEL OPERATION #1 - del $j from $SET"
        nft -d eval add element inet filter "$SET" { "$j" }
        printf "%s\n" "ATTEMPTED ADD OPERATION #1 - add $j to $SET"
    done

Here's a sample set config. They're all the same:

    set report_cb_4 {
        type ipv4_addr
        flags interval,timeout
        timeout 1d
        elements = { 127.0.0.1 }
    }

If you take out the debug command from the 'add', it's easier to follow the logs. I'm seeing inconsistencies. Sometimes it works, sometimes it doesn't. In the logs following (in reverse order), you can see the three commands from the first IP all succeed. In the second IP, the 'add' fails. I can't see any difference between the two, other than the IP address. And eventually, the one that failed will usually successfully add its address to the set:

    Aug 25 05:21:31 lab-migw bash[255612]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Aug 25 05:21:31 lab-migw bash[255612]: add element inet filter report_r7_4 { 15.223.60.214 }
    Aug 25 05:21:31 lab-migw bash[255612]: Error: Could not process rule: File exists
    Aug 25 05:21:31 lab-migw bash[251191]: ATTEMPTED DEL OPERATION #1 - del 15.223.60.214 from report_r7_4
    Aug 25 05:21:31 lab-migw bash[251191]: ATTEMPTED GET OPERATION #1 - get 15.223.60.214 from report_r7_4
    Aug 25 05:21:31 lab-migw bash[255610]: }
    Aug 25 05:21:31 lab-migw bash[255610]: }
    Aug 25 05:21:31 lab-migw bash[255610]: elements = { 15.223.60.214 expires 23h59m32s604ms }
    Aug 25 05:21:31 lab-migw bash[255610]: timeout 1d
    Aug 25 05:21:31 lab-migw bash[255610]: flags interval,timeout
    Aug 25 05:21:31 lab-migw bash[255610]: type ipv4_addr
    Aug 25 05:21:31 lab-migw bash[255610]: set report_r7_4 {
    Aug 25 05:21:31 lab-migw bash[255610]: table inet filter {
    Aug 25 05:21:31 lab-migw bash[251191]: ATTEMPTED ADD OPERATION #1 - add 3.96.72.62 to report_r7_4
    Aug 25 05:21:31 lab-migw bash[251191]: ATTEMPTED DEL OPERATION #1 - del 3.96.72.62 from report_r7_4
    Aug 25 05:21:31 lab-migw bash[251191]: ATTEMPTED GET OPERATION #1 - get 3.96.72.62 from report_r7_4
    Aug 25 05:21:31 lab-migw bash[255607]: }
    Aug 25 05:21:31 lab-migw bash[255607]: }
    Aug 25 05:21:31 lab-migw bash[255607]: elements = { 3.96.72.62 expires 23h59m32s600ms }
    Aug 25 05:21:31 lab-migw bash[255607]: timeout 1d
    Aug 25 05:21:31 lab-migw bash[255607]: flags interval,timeout
    Aug 25 05:21:31 lab-migw bash[255607]: type ipv4_addr
    Aug 25 05:21:31 lab-migw bash[255607]: set report_r7_4 {
    Aug 25 05:21:31 lab-migw bash[255607]: table inet filter {

I was going to try the kernel patch today but got pulled away. I should be able to get to it tomorrow.

Oliver
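The get / delete / add refresh sequence from the script in this comment, rewritten in Python as an added example (it is not the reporter's code and not part of the nftables project): it branches on nft's exit status instead of on the text of stderr, records which stage failed, and returns one status per address so that a lost element (delete succeeded, add failed) is reported rather than silently dropped. It assumes the table is `inet filter` and that `nft` is on PATH when the real runner is used; `make_fake_runner` is an in-memory stand-in for the kernel so the code runs offline, and `make_buggy_runner` reproduces the behaviour the report describes (get says absent, add says EEXIST).

```python
import subprocess


def run_nft(args):
    """Invoke the real nft binary (assumed on PATH); return (exit code, stderr)."""
    proc = subprocess.run(["nft", *args], capture_output=True, text=True, check=False)
    return proc.returncode, proc.stderr


def elem_cmd(op, set_name, elem, family="inet", table="filter"):
    """argv for 'nft <op> element <family> <table> <set> { <elem> }'.
    nft joins its arguments with spaces, so the braces can be separate words,
    exactly as the shell script in the report passes them."""
    return [op, "element", family, table, set_name, "{", elem, "}"]


def _first_line(text):
    lines = text.strip().splitlines()
    return lines[0] if lines else ""


def refresh_element(set_name, elem, run=run_nft, family="inet", table="filter"):
    """Delete elem if present, then add it, so a timeout-flagged set restarts
    its timer. Returns 'added', 'refreshed', or 'failed:<stage>:<nft error>'."""
    rc, _ = run(elem_cmd("get", set_name, elem, family, table))
    present = rc == 0
    if present:
        rc, err = run(elem_cmd("delete", set_name, elem, family, table))
        if rc != 0:
            return "failed:delete:" + _first_line(err)
    rc, err = run(elem_cmd("add", set_name, elem, family, table))
    if rc != 0:
        # After a successful delete this branch means the element is now gone
        # from the set: the silent loss the report describes, made visible.
        return "failed:add:" + _first_line(err)
    return "refreshed" if present else "added"


def refresh_set(set_name, raw_results, run=run_nft, family="inet", table="filter"):
    """raw_results is a whitespace-separated list of addresses (the report's
    $RAW_RESULTS). Returns {address: status}."""
    return {elem: refresh_element(set_name, elem, run, family, table)
            for elem in raw_results.split()}


def make_fake_runner(initial=()):
    """Offline stand-in for nft backed by a Python set of (set, elem) pairs,
    returning the real command's exit codes and error strings."""
    state = {tuple(pair) for pair in initial}
    ENOENT = (1, "Error: Could not process rule: No such file or directory\n")
    EEXIST = (1, "Error: Could not process rule: File exists\n")

    def run(args):
        op, key = args[0], (args[4], args[6])
        if op == "get":
            return (0, "") if key in state else ENOENT
        if op == "delete":
            if key not in state:
                return ENOENT
            state.remove(key)
            return (0, "")
        if op == "add":
            if key in state:
                return EEXIST
            state.add(key)
            return (0, "")
        return (1, "Error: unsupported op\n")

    return run, state


def make_buggy_runner():
    """Reproduces the reported kernel behaviour: get says absent, add says EEXIST."""
    def run(args):
        if args[0] == "get":
            return 1, "Error: Could not process rule: No such file or directory\n"
        if args[0] == "add":
            return 1, "Error: Could not process rule: File exists\n"
        return 0, ""
    return run


if __name__ == "__main__":
    fake, state = make_fake_runner([("report_cb_4", "127.0.0.1")])
    print(refresh_set("report_cb_4", "127.0.0.1 54.175.52.184", run=fake))
    print(sorted(state))
    print(refresh_set("report_cb_4", "13.225.226.203", run=make_buggy_runner()))
```

Against a live host, call `refresh_set("report_cb_4", raw_results)` with the default runner as root; any `failed:add` status after a `refreshed` path is the condition to alert on, since the element has been removed and not replaced. On the kernels discussed in this thread the remedy is the referenced nft_set_rbtree patch, not retrying the add.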
bugzilla-daemon at netfilter.org
2020-Aug-25 05:36 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #10 from Oliver O'Boyle <oliver at urbanotter.com> ---

RE Comment 6: I have a few other things installed on the device, but I removed some of them. The only thing that's big but that I can't remove is frrouting (7.3.1-1). I thought it was perhaps an apparmor issue but I moved the related profiles into complain mode and stopped the apparmor service. No difference.

The device is using vrrp and set up to use macvlan devices to support that (via frr). The nics are in promiscuous mode as a result. It seems to be working fine and I can't see how that would cause the issues we're seeing.

I removed iptables entirely. I can't see anything else installed on the system that might cause an issue. It's pretty basic.
bugzilla-daemon at netfilter.org
2020-Aug-25 05:52 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #11 from kfm at plushkava.net ---

After creating a set similar to yours and adding a "delete element" command, it blew up on the 11th iteration. As luck would have it, one of my other hosts had already been rebooted with the patch that Pablo mentioned applied, so I tested there and found that the patch appears to resolve the issue.

For the record, I'm still running 5.7.17, only with the addition of the following patches.

    netfilter-nft_set_rbtree-handle-outcomes-of-tree-rotations-in-overlap-detection.patch
    netfilter-nft_set_rbtree_detect-partial-overlap-with-start-endpoint-match.patch
    netfilter-nf_tables-fix-destination-register-zeroing.patch
bugzilla-daemon at netfilter.org
2020-Aug-25 05:57 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #12 from Oliver O'Boyle <oliver at urbanotter.com> ---

Wonderful! Thanks for testing that.

Did you use the patch command to apply the patch or did you recompile your own kernel with the patch changes in it?
bugzilla-daemon at netfilter.org
2020-Aug-25 06:09 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #13 from kfm at plushkava.net ---

(In reply to Oliver O'Boyle from comment #12)
> Wonderful! Thanks for testing that.
>
> Did you use the patch command to apply the patch or did you recompile your
> own kernel with the patch changes in it?

These systems run Gentoo and I always build my own kernels. In fact, I integrated the patch into my personal "hardened-sources" package, meaning that the patch was applied by the portage package manager. Were it not the case that I maintained such a package, I would have just dropped into the /usr/src/linux directory and applied the patch by hand.
bugzilla-daemon at netfilter.org
2020-Aug-25 12:42 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #14 from Oliver O'Boyle <oliver at urbanotter.com> ---

Thanks. I was going to build a .deb package as well.
bugzilla-daemon at netfilter.org
2020-Aug-29 00:18 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

kfm at plushkava.net changed:

    What   | Removed | Added
    -------|---------|------
    Blocks |         | 1461
bugzilla-daemon at netfilter.org
2020-Aug-29 10:29 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

Pablo Neira Ayuso <pablo at netfilter.org> changed:

    What       | Removed | Added
    -----------|---------|---------
    Resolution | ---     | FIXED
    Status     | NEW     | RESOLVED

--- Comment #15 from Pablo Neira Ayuso <pablo at netfilter.org> ---

(In reply to kfm from comment #11)
> After creating a set similar to yours and adding a "delete element" command,
> it blew up on the 11th iteration. As luck would have it, one of my other
> hosts had already been rebooted with the patch that Pablo mentioned applied,
> so I tested there and found that the patch appears to resolve the issue.
>
> For the record, I'm still running 5.7.17, only with the addition of the
> following patches.
>
> netfilter-nft_set_rbtree-handle-outcomes-of-tree-rotations-in-overlap-detection.patch
> netfilter-nft_set_rbtree_detect-partial-overlap-with-start-endpoint-match.patch
> netfilter-nf_tables-fix-destination-register-zeroing.patch

Thanks for confirming these patches fix the issue. Closing this ticket.
bugzilla-daemon at netfilter.org
2020-Sep-23 14:35 UTC
[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #16 from Oliver O'Boyle <oliver at urbanotter.com> ---

My apologies for the delay in getting back here, I got pulled away on another project.

I can confirm that this is also working for me now with a self-compiled 5.8.10 kernel that already had your patch included in it. I no longer see any errors and the sets seem to get their elements deleted and re-added without issue.

Thanks for the help!

Oliver