[Bug 1650] fail to add missing element to nft sets after running some time - file exists

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Fri Jul 21 21:07:48 CEST 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1650

--- Comment #5 from Wang Jian <larkwang at gmail.com> ---
>
> This internal:0:0-0 is incorrect error reporting.
>
> Could you run nftables with git HEAD? It contains this fix:
>
> commit 5e39a34b196d68b803911aa13066fef2f83dc98c
> Author: Pablo Neira Ayuso <pablo at netfilter.org>
> Date:   Mon Mar 27 16:36:31 2023 +0200
>
>     intervals: use expression location when translating to intervals
>
>     Otherwise, internal location reports:
>
>      # nft -f ruleset.nft
>      internal:0:0-0: Error: Could not process rule: File exists
>
>     after this patch:
>
>      # nft -f ruleset.nft
>      ruleset.nft:402:1-16: Error: Could not process rule: File exists
>      1.2.3.0/30,
>      ^^^^^^^^^^^
>
> it fixes error reporting, so at least it is possible to know what element
> already exists. This will be included in the next release (1.0.8).
>
> Once error reporting is fixed, next step would be to validate whether EEXIST
> is legitimate or bogus, via listing the set to check for overlaps, you could
> also use 'get element' command.
>
> Thanks.

The errors are emitted by dnsmasq, which is linked with libnftnl, but it's not
convenient for me to replace libnftnl at this time.

I used the dnsmasq ipset insertion as a reference to catch which element insertion
causes an error, and used nftables from git HEAD to verify it.

I managed to catch such errors.

-- snip --
        set TUNNELv4 {
                type ipv4_addr
                flags interval,timeout
                timeout 6h
                comment "through tunnel"
                elements = {
<entries removed for clearness>
                             23.204.139.144 expires 4h53m56s420ms, 23.204.139.145 expires 4h53m56s420ms,
                             23.209.45.25 expires 5h59m39s492ms, 23.209.45.26 expires 2h49s692ms,
                             23.209.45.27 expires 5h59m39s496ms, 23.209.45.32 expires 5h59m39s484ms,
                             23.209.45.33 expires 5h59m39s488ms, 23.209.45.34 expires 5h59m39s496ms,
                             34.83.54.130 expires 1h59m38s616ms, 34.104.35.123 expires 5m25s176ms,
<entries removed for clearness>
                 }
-- snip --

But

-- snip --
# build/nftables/src/nft add element inet mangle TUNNELv4 { 23.209.45.72 }
Error: Could not process rule: File exists
add element inet mangle TUNNELv4 { 23.209.45.72 }
                                   ^^^^^^^^^^^^
-- snip --

The element is not in the set. I once thought the element was inserted and
expired and then couldn't be inserted again. But after looking at logs, I'd say
it had never been inserted before the first error.

After I reloaded the nft ruleset, the insertion of this element succeeded.
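The overlap check suggested in the quoted reply ("listing the set to check for overlaps"), as an added example that is not part of this bug report or of the nftables project: a small Python script that parses the text output of `nft list set` (the format pasted above) and reports which existing elements would overlap a candidate element, so an EEXIST can be classified as legitimate (something in the set already covers it) or bogus (nothing does, as with 23.209.45.72 above). The embedded listing is constructed from the report's TUNNELv4 snippet; the trailing prefix and range elements are assumptions added to exercise interval parsing and are not from the report.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: the TUNNELv4 listing from the bug report, with the
# "expires ..." annotations nft prints for timeout sets. The last two elements
# (a prefix and a range) are assumed additions to exercise interval parsing.
SAMPLE_LISTING = """\
        set TUNNELv4 {
                type ipv4_addr
                flags interval,timeout
                timeout 6h
                comment "through tunnel"
                elements = { 23.204.139.144 expires 4h53m56s420ms, 23.204.139.145 expires 4h53m56s420ms,
                             23.209.45.25 expires 5h59m39s492ms, 23.209.45.26 expires 2h49s692ms,
                             23.209.45.27 expires 5h59m39s496ms, 23.209.45.32 expires 5h59m39s484ms,
                             23.209.45.33 expires 5h59m39s488ms, 23.209.45.34 expires 5h59m39s496ms,
                             34.83.54.130 expires 1h59m38s616ms, 34.104.35.123 expires 5m25s176ms,
                             192.0.2.0/30, 198.51.100.10-198.51.100.20 expires 1h }
        }
"""

Interval = Tuple[int, int]  # inclusive (first, last) address as integers


def to_interval(token: str) -> Interval:
    """Convert one nft element value (addr, addr/len or addr-addr) to an inclusive range."""
    if "-" in token:
        lo, hi = token.split("-", 1)
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(token, strict=False)  # a bare address becomes a /32 or /128
    return int(net.network_address), int(net.broadcast_address)


def parse_set_elements(listing: str) -> List[Tuple[str, Interval]]:
    """Extract element values from the text output of 'nft list set ...'.

    Per-element annotations that nft prints after the value (expires, timeout,
    comment) are dropped; only the value itself is kept, in listing order.
    """
    m = re.search(r"elements\s*=\s*\{(.*?)\}", listing, re.S)
    if not m:
        return []
    # Element comments are quoted strings and may contain commas; strip them first.
    body = re.sub(r'comment\s+"[^"]*"', "", m.group(1))
    elements = []
    for chunk in body.split(","):
        words = chunk.split()
        if not words:
            continue
        value = words[0]  # first word is the element; anything after it is annotation
        elements.append((value, to_interval(value)))
    return elements


def overlapping_elements(listing: str, candidate: str) -> List[str]:
    """Return the existing element values whose range intersects the candidate."""
    c_lo, c_hi = to_interval(candidate)
    return [value for value, (lo, hi) in parse_set_elements(listing)
            if lo <= c_hi and c_lo <= hi]


def eexist_is_legitimate(listing: str, candidate: str) -> bool:
    """True if the listing already contains something overlapping the candidate,
    i.e. an EEXIST on 'add element' for it is expected; False means it is bogus."""
    return bool(overlapping_elements(listing, candidate))


if __name__ == "__main__":
    for cand in ("23.209.45.72", "23.204.139.144", "192.0.2.2", "23.209.45.24-23.209.45.26"):
        hits = overlapping_elements(SAMPLE_LISTING, cand)
        verdict = "legitimate" if hits else "bogus"
        print(f"{cand}: EEXIST would be {verdict}; overlaps {hits}")
```

In practice feed it the live listing (`nft list set inet mangle TUNNELv4`) instead of the embedded sample, and cross-check the kernel's own view with the command the quoted reply mentions, `nft get element inet mangle TUNNELv4 { 23.209.45.72 }`. The script checks range intersection rather than exact equality because the set carries the `interval` flag, so an element that merely overlaps an existing range is what matters, not only an identical one.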
