[Bug 1451] nft add element fails when preceded by nft get element or nft delete element commands

bugzilla-daemon at netfilter.org
Tue Aug 25 07:26:02 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1451

--- Comment #9 from Oliver O'Boyle <oliver at urbanotter.com> ---
Ok, I'm now getting the same results as you mention in comment 4. I tried for
hours to reproduce it as per the logs below, but can't. I'm thinking that I may
have been using a more complex set of instructions that included a 'delete'
command in there when I grabbed the logs. I simplified it after to what I
posted in this bug, however. I say that because I can reproduce the error when
I insert a 'delete' in between the 'get' and 'add'.

This is what I'm using now, and it generates errors on the 'add':

    IFS=' ' read -ra TEMP <<< "$RAW_RESULTS"

    for j in ${TEMP[*]}; do
      nft get element inet filter "$SET" { "$j" }
      printf "%s\n" "ATTEMPTED GET OPERATION #1 - get $j from $SET"
      nft delete element inet filter "$SET" { "$j" }
      printf "%s\n" "ATTEMPTED DEL OPERATION #1 - del $j from $SET"
      nft -d eval add element inet filter "$SET" { "$j" }
      printf "%s\n" "ATTEMPTED ADD OPERATION #1 - add $j to $SET"
    done


Here's a sample set config. They're all the same:

        set report_cb_4 {
                type ipv4_addr
                flags interval,timeout
                timeout 1d
                elements = { 127.0.0.1 } 
        }

If you take out the debug command from the 'add', it's easier to follow the
logs. I'm seeing inconsistencies. Sometimes it works, sometimes it doesn't. In
the logs following (in reverse order), you can see the three commands from the
first IP all succeed. In the second IP, the 'add' fails. I can't see any
difference between the two, other than the IP address. And eventually, the one
that failed will usually successfully add its address to the set:

Aug 25 05:21:31 lab-migw bash[255612]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 25 05:21:31 lab-migw bash[255612]: add element inet filter report_r7_4 { 15.223.60.214 }
Aug 25 05:21:31 lab-migw bash[255612]: Error: Could not process rule: File exists
Aug 25 05:21:31 lab-migw bash[251191]: ATTEMPTED DEL OPERATION #1 - del 15.223.60.214 from report_r7_4
Aug 25 05:21:31 lab-migw bash[251191]: ATTEMPTED GET OPERATION #1 - get 15.223.60.214 from report_r7_4
Aug 25 05:21:31 lab-migw bash[255610]: }
Aug 25 05:21:31 lab-migw bash[255610]:         }
Aug 25 05:21:31 lab-migw bash[255610]:                 elements = { 15.223.60.214 expires 23h59m32s604ms }
Aug 25 05:21:31 lab-migw bash[255610]:                 timeout 1d
Aug 25 05:21:31 lab-migw bash[255610]:                 flags interval,timeout
Aug 25 05:21:31 lab-migw bash[255610]:                 type ipv4_addr
Aug 25 05:21:31 lab-migw bash[255610]:         set report_r7_4 {
Aug 25 05:21:31 lab-migw bash[255610]: table inet filter {
Aug 25 05:21:31 lab-migw bash[251191]: ATTEMPTED ADD OPERATION #1 - add 3.96.72.62 to report_r7_4
Aug 25 05:21:31 lab-migw bash[251191]: ATTEMPTED DEL OPERATION #1 - del 3.96.72.62 from report_r7_4
Aug 25 05:21:31 lab-migw bash[251191]: ATTEMPTED GET OPERATION #1 - get 3.96.72.62 from report_r7_4
Aug 25 05:21:31 lab-migw bash[255607]: }
Aug 25 05:21:31 lab-migw bash[255607]:         }
Aug 25 05:21:31 lab-migw bash[255607]:                 elements = { 3.96.72.62 expires 23h59m32s600ms }
Aug 25 05:21:31 lab-migw bash[255607]:                 timeout 1d
Aug 25 05:21:31 lab-migw bash[255607]:                 flags interval,timeout
Aug 25 05:21:31 lab-migw bash[255607]:                 type ipv4_addr
Aug 25 05:21:31 lab-migw bash[255607]:         set report_r7_4 {
Aug 25 05:21:31 lab-migw bash[255607]: table inet filter {


I was going to try the kernel patch today but got pulled away. I should be able
to get to it tomorrow.

Oliver
