[Bug 1451] New: nft add element fails when preceded by nft get element or nft delete element commands

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Aug 20 06:16:45 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1451

            Bug ID: 1451
           Summary: nft add element fails when preceded by nft get element
                    or nft delete element commands
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Ubuntu
            Status: NEW
          Severity: blocker
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: oliver at urbanotter.com
                CC: kfm at plushkava.net

Hello,

Running on Ubuntu 20.04 with kernel 5.8.1 and nftables 0.9.6.

I've come across some odd behaviour while scripting nft commands. The script
updates nftables sets with ipv4 or ipv6 addresses in a loop. The sets have the
timeout flag set.


When I use a straight 'nft add element inet filter "$SET" { "$j" }' command in a
for loop, each item ($j) is added to a set ($SET). If an element already
exists, I get the expected error: Error: Could not process rule: File exists.
That's fine. It's expected. This is not the problem. Any element that doesn't
exist in the set does get properly added 100% of the time.

I recently updated the script to include a 'nft get element inet filter "$SET"
{ "$j" }' command prior to the nft add command. If the element exists, no error
appears and subsequent commands run correctly. If the element does not exist, I
get the expected error: Error: Could not process rule: No such file or
directory. That's also fine and expected and this is also not the problem.

The problem occurs when I run the nft get command, receive the error that the
element DOES NOT exist, then run the nft add command. In this scenario, I get
the following error off the nft add command which IS NOT expected: Error: Could
not process rule: File exists.

Here's an eval debug output of one such sequence IN REVERSE ORDER starting at
the bottom (comes from journalctl -r):

Aug 20 03:28:48 lab-migw bash[2759658]: ATTEMPTED ADD OPERATION BELOW - add
54.175.52.184 to report_cb_4
Aug 20 03:28:48 lab-migw bash[2760837]:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760837]: Error: Could not process rule: File
exists
Aug 20 03:28:48 lab-migw bash[2760837]: 54.175.52.184
Aug 20 03:28:48 lab-migw bash[2760837]:                                      
^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760837]: Evaluate value
Aug 20 03:28:48 lab-migw bash[2760837]: $54.175.52.184
Aug 20 03:28:48 lab-migw bash[2760837]:                                      
^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760837]: Evaluate symbol
Aug 20 03:28:48 lab-migw bash[2760837]: $54.175.52.184
Aug 20 03:28:48 lab-migw bash[2760837]:                                      
^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760837]: Evaluate set element
Aug 20 03:28:48 lab-migw bash[2760837]: { $54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760837]:                                    
^^^^^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760837]: Evaluate set
Aug 20 03:28:48 lab-migw bash[2760837]:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760837]: add element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760837]: Evaluate add
Aug 20 03:28:48 lab-migw bash[2759658]: ATTEMPTED GET OPERATION BELOW - get
54.175.52.184 from report_cb_4
Aug 20 03:28:48 lab-migw bash[2760836]:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760836]: Error: Could not process rule: No such
file or directory
Aug 20 03:28:48 lab-migw bash[2760836]: 54.175.52.184
Aug 20 03:28:48 lab-migw bash[2760836]:                                      
^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760836]: Evaluate value
Aug 20 03:28:48 lab-migw bash[2760836]: $54.175.52.184
Aug 20 03:28:48 lab-migw bash[2760836]:                                      
^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760836]: Evaluate symbol
Aug 20 03:28:48 lab-migw bash[2760836]: $54.175.52.184
Aug 20 03:28:48 lab-migw bash[2760836]:                                      
^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760836]: Evaluate set element
Aug 20 03:28:48 lab-migw bash[2760836]: { $54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760836]:                                    
^^^^^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760836]: Evaluate set
Aug 20 03:28:48 lab-migw bash[2760836]:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 20 03:28:48 lab-migw bash[2760836]: get element inet filter report_cb_4 {
54.175.52.184 }
Aug 20 03:28:48 lab-migw bash[2760836]: Evaluate get

Code to reproduce quickly is here:

    # RAW_RESULTS: addresses separated by single spaces; SET: a set in table inet filter
    IFS=' ' read -ra TEMP <<< "$RAW_RESULTS"

    for j in "${TEMP[@]}"; do
      nft -d eval get element inet filter "$SET" { "$j" }
      printf "%s\n" "ATTEMPTED GET OPERATION - get $j from $SET"
      nft -d eval add element inet filter "$SET" { "$j" }
      printf "%s\n" "ATTEMPTED ADD OPERATION - add $j to $SET"
    done

where $RAW_RESULTS is just a string of ipv4 or ipv6 addresses separated by a
single blank space (which I've verified is only a single blank space).

I believe I've also seen this behaviour where an 'nft delete element inet
filter "$SET" { "$j" }' command is used in place of the nft get command.

This is a blocker for me right now as I need to be able to update these sets so
the timers reset when there's an update. To do this, I:

1) nft get (to confirm if the element exists)
2) nft delete (if the element exists)
3) nft add (after a delete or if the element does not exist)

I'm presently getting the above errors each time an element DOES NOT exist or
in some situations where an nft delete is performed (I don't have logs for that
one right now). As such, my sets are not only not updating but they are losing
elements because the elements get deleted and not replaced! Some sets have 100
or more elements, some only have 1.

Any help would be appreciated.

Regards,
Oliver

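The get/delete/add sequence in the report runs three separate nft invocations, so a delete that succeeds followed by an add that fails leaves the set one element short. The following is an added example, not the reporter's script and not code from the nftables project: it lists the set once through nft's JSON output, then sends the delete and the re-add together as one `nft -f` batch, which the kernel commits as a single transaction. It assumes `nft` in PATH with JSON support, root privileges, an existing table and timeout set holding plain single addresses, and the libnftables JSON layout described in its docstring; the sample listing inside the block is constructed, not captured from a host.

```python
#!/usr/bin/env python3
"""Atomic refresh of elements in an nftables timeout set.

Added example, not code from the bug report. Assumptions: `nft` (0.9.x or
later, with JSON support) is in PATH and we run as root; the table and set
exist; the set holds plain single addresses (no intervals or concatenations);
and `nft -j list set` returns the libnftables layout {"nftables": [..,
{"set": {.., "elem": [...]}}]}, where an element with a timeout appears as
{"elem": {"val": "<addr>", "timeout": N, "expires": M}} and a plain element
may appear as a bare string.
"""
import json
import subprocess
from typing import Iterable, Set

# Constructed sample of `nft -j list set inet filter report_cb_4`, shaped
# after the set and address named in the report; not captured from a host.
SAMPLE_LISTING = json.dumps({"nftables": [
    {"metainfo": {"version": "0.9.6", "release_name": "x",
                  "json_schema_version": 1}},
    {"set": {"family": "inet", "name": "report_cb_4", "table": "filter",
             "type": "ipv4_addr", "handle": 7, "flags": ["timeout"],
             "timeout": 3600,
             "elem": [{"elem": {"val": "54.175.52.184",
                                "timeout": 3600, "expires": 3420}},
                      "10.0.0.9"]}},
]})


def parse_set_elements(nft_json: str) -> Set[str]:
    """Return the element values present in a `nft -j list set` listing.

    Expired elements are not walked by the kernel, so the result is the set
    of elements that `delete element` can currently remove.
    """
    found: Set[str] = set()
    for item in json.loads(nft_json).get("nftables", []):
        for e in item.get("set", {}).get("elem", []):
            if isinstance(e, dict) and "elem" in e:
                found.add(str(e["elem"]["val"]))   # element with timeout/expires
            else:
                found.add(str(e))                  # bare element
    return found


def build_refresh_batch(family: str, table: str, set_name: str,
                        addrs: Iterable[str], existing: Set[str]) -> str:
    """Build one nft script that deletes present elements and re-adds all.

    `nft -f` sends the script as one transaction: either every delete and
    add is applied or none is, so a failing add cannot leave the set missing
    an element that was just deleted. `delete element` on an element that is
    not in the set aborts the whole batch, so deletes are emitted only for
    elements the listing showed as present. Re-added elements get the set's
    default timeout, which is what resets the timer.
    """
    ordered = list(dict.fromkeys(addrs))           # dedupe, keep order
    if not ordered:
        return ""
    lines = []
    to_delete = [a for a in ordered if a in existing]
    if to_delete:
        lines.append(f"delete element {family} {table} {set_name} "
                     f"{{ {', '.join(to_delete)} }}")
    lines.append(f"add element {family} {table} {set_name} "
                 f"{{ {', '.join(ordered)} }}")
    return "\n".join(lines) + "\n"


def refresh_set(family: str, table: str, set_name: str,
                addrs: Iterable[str], attempts: int = 3) -> None:
    """List the set, then apply the delete+add batch through `nft -f -`.

    An element can expire between the listing and the commit; the batch then
    fails on its delete with nothing applied, so re-list and try again.
    """
    addrs = list(addrs)
    err = ""
    for _ in range(attempts):
        listing = subprocess.run(
            ["nft", "-j", "list", "set", family, table, set_name],
            check=True, capture_output=True, text=True).stdout
        batch = build_refresh_batch(family, table, set_name, addrs,
                                    parse_set_elements(listing))
        if not batch:
            return
        res = subprocess.run(["nft", "-f", "-"], input=batch,
                             capture_output=True, text=True)
        if res.returncode == 0:
            return
        err = res.stderr.strip()
    raise RuntimeError(f"nft batch failed after {attempts} attempts: {err}")


if __name__ == "__main__":
    import sys
    # usage: refresh_set.py SET ADDR [ADDR ...]   (table inet filter assumed)
    refresh_set("inet", "filter", sys.argv[1], sys.argv[2:])
```

Two caveats: if elements were originally added with a per-element `timeout`, the re-add line needs that timeout spelled out, since a bare `add element` uses the set default; and this only removes the window in which a set can lose elements, it does not explain the get/add mismatch the report is about, which needs the reproducer above.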