bugzilla-daemon at netfilter.org
2023-Jul-21 19:07 UTC
[Bug 1650] fail to add missing element to nft sets after running some time - file exists
https://bugzilla.netfilter.org/show_bug.cgi?id=1650

--- Comment #5 from Wang Jian <larkwang at gmail.com> ---
> This internal:0:0-0 is incorrect error reporting.
>
> Could you run nftables with git HEAD? It contains this fix:
>
> commit 5e39a34b196d68b803911aa13066fef2f83dc98c
> Author: Pablo Neira Ayuso <pablo at netfilter.org>
> Date:   Mon Mar 27 16:36:31 2023 +0200
>
>     intervals: use expression location when translating to intervals
>
>     Otherwise, internal location reports:
>
>     # nft -f ruleset.nft
>     internal:0:0-0: Error: Could not process rule: File exists
>
>     after this patch:
>
>     # nft -f ruleset.nft
>     ruleset.nft:402:1-16: Error: Could not process rule: File exists
>     1.2.3.0/30,
>     ^^^^^^^^^^^
>
> it fixes error reporting, so at least it is possible to know what element
> already exists. This will be included in the next release (1.0.8).
>
> Once error reporting is fixed, next step would be to validate whether EEXIST
> is legitimate or bogus, via listing the set to check for overlaps, you could
> also use 'get element' command.
>
> Thanks.

The errors are emitted by dnsmasq which is linked with libnftnl, but it's not
convenient for me to replace libnftnl at this time. I use dnsmasq ipset
insertion as a reference and catch what element insertion causes an error and
use nftables from git HEAD to verify it. I managed to catch such errors.
-- snip --
set TUNNELv4 {
	type ipv4_addr
	flags interval,timeout
	timeout 6h
	comment "through tunnel"
	elements = { <entries removed for clearness>
		     23.204.139.144 expires 4h53m56s420ms,
		     23.204.139.145 expires 4h53m56s420ms,
		     23.209.45.25 expires 5h59m39s492ms,
		     23.209.45.26 expires 2h49s692ms,
		     23.209.45.27 expires 5h59m39s496ms,
		     23.209.45.32 expires 5h59m39s484ms,
		     23.209.45.33 expires 5h59m39s488ms,
		     23.209.45.34 expires 5h59m39s496ms,
		     34.83.54.130 expires 1h59m38s616ms,
		     34.104.35.123 expires 5m25s176ms,
		     <entries removed for clearness> }
-- snip --

But

-- snip --
# build/nftables/src/nft add element inet mangle TUNNELv4 { 23.209.45.72 }
Error: Could not process rule: File exists
add element inet mangle TUNNELv4 { 23.209.45.72 }
                                   ^^^^^^^^^^^^
-- snip --

The element is not in the set. I once thought the element was inserted and
expired and then couldn't be inserted again. But after looking at logs, I'd say
it had never been inserted before the first error.

After I reloaded nft ruleset, the insertion of this element can be successful.
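As an added example (not code from the bug report or from the nftables project), the check the quoted reply recommends once error reporting names the element: take a saved `nft list set` listing of an interval set and report which existing elements overlap a candidate element, so an EEXIST can be classified as legitimate (a real overlap) or bogus (nothing overlaps, as with 23.209.45.72 above). The listing text and the range/prefix entries in it are constructed for this example; the element syntax (address, address-address, address/len) is that of nft itself.

```python
import ipaddress
import re

# Constructed sample in the shape of `nft list set` output, modelled on the
# TUNNELv4 listing above: two addresses copied from it, plus one range and one
# prefix added here to exercise interval parsing.
SAMPLE_LISTING = """\
set TUNNELv4 {
    type ipv4_addr
    flags interval,timeout
    timeout 6h
    elements = { 23.204.139.144 expires 4h53m56s420ms,
                 23.209.45.25 expires 5h59m39s492ms,
                 23.209.45.26-23.209.45.27 expires 2h49s692ms,
                 34.104.35.0/24 expires 5m25s176ms }
}
"""

# address, address-address or address/len; anything after it ("expires ...") is ignored
_ELEM_RE = re.compile(r"^(?P<start>[\d.]+)(?:-(?P<end>[\d.]+)|/(?P<len>\d+))?")

def parse_element(item):
    """Return an inclusive (first, last) IPv4Address pair, or None when `item`
    is not an element (blank text, '<entries removed ...>' markers, ...)."""
    m = _ELEM_RE.match(item.strip())
    if not m:
        return None
    if m.group("len") is not None:
        net = ipaddress.ip_network(f"{m.group('start')}/{m.group('len')}", strict=False)
        return net.network_address, net.broadcast_address
    first = ipaddress.ip_address(m.group("start"))
    last = ipaddress.ip_address(m.group("end") or m.group("start"))
    return first, last

def parse_interval_set(listing):
    """Parse every element between 'elements = {' and the closing '}'."""
    body = listing.split("elements = {", 1)[1].split("}", 1)[0]
    return [e for e in map(parse_element, body.split(",")) if e is not None]

def overlapping_elements(listing, candidate):
    """Existing elements that intersect `candidate`, as (first, last) strings.
    An empty list means an EEXIST for `candidate` is not explained by the listing."""
    first, last = parse_element(candidate)
    return [(str(a), str(b)) for a, b in parse_interval_set(listing)
            if a <= last and first <= b]
```

Feed it the output of `nft list set inet mangle TUNNELv4` captured at the moment of the failure; `overlapping_elements(listing, "23.209.45.72")` returning an empty list is the "bogus EEXIST" case the report describes.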