<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - nftables: set does not work within inet table with option flags interval" href="https://bugzilla.netfilter.org/show_bug.cgi?id=1071">1071</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>nftables: set does not work within inet table with option flags interval
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>nft
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>jason.lee.campbell@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>I'm using nftables to combine my IPv4 and IPv6 into one ruleset, so using a
single inet table. This allows for single-line edits, such as when I want to
enable ssh in, instead of editing two separate entries. I imagine separating
the rules would work, but that defeats the purpose of allowing only a single-line
edit.

I'm at the point where I want to import my text file of blocked IP subnets, so
I tried using a set within an inet table. To allow subnets, the option flags
interval appears to be required. However, when I check the rules (nft -n -f
firewall.rules) with flags interval, I receive Operation not permitted. Without
the flags interval option, the rule check works, but then I am unable to add
subnets to the set.

I have run strace on the rule check, and here's the difference I have found.
The last line given in each example differs: in the working rule check it is
127.0.0.1, and in the non-working rule check it is ::ffff:127.0.0.1.

I am using the following versions, compiled today (5/31).

libnftnl-1.0.6-x86_64-1
nftables-e049f92bb7b98dfa218eda2b9b6f14506238abf2-x86_64-1


Without flags interval:

socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET6, sin6_port=htons(22), inet_pton(AF_INET6, "::1",
&sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(45890), inet_pton(AF_INET6,
"::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
connect(5, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) =
0
connect(5, {sa_family=AF_INET, sin_port=htons(22),
sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(38754), inet_pton(AF_INET6,
"::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0


With flags interval:

socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET6, sin6_port=htons(22), inet_pton(AF_INET6, "::1",
&sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(53024), inet_pton(AF_INET6,
"::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
connect(5, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) =
0
connect(5, {sa_family=AF_INET, sin_port=htons(22),
sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(38635), inet_pton(AF_INET6,
"::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0</pre>
        </div>
      </p>
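<p>The construct the report describes, written out as an added example (the report does not include the reporter's ruleset, and this is not it): one inet table holding an interval set per address family, since a set has a single element type, plus the rules that consult them. The table, set and chain names and the subnet values are constructed for illustration and are assumptions. Current nftables releases accept this form; <code>nft -c -f firewall.rules</code> parses and validates the file without loading it, which is the dry run the report is attempting.</p>

```nft
# firewall.rules (constructed example; names and addresses are placeholders)
table inet filter {
    # One interval set per address family: an ipv4_addr set cannot hold
    # IPv6 prefixes, so a mixed blocklist is split into two sets.
    set blocked_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    set blocked_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Drop anything from a blocked prefix before any accept rule.
        ip saddr @blocked_v4 drop
        ip6 saddr @blocked_v6 drop

        ct state established,related accept
        iif lo accept

        # One line enables ssh for both address families.
        tcp dport 22 accept
    }
}
```

<p>Validate with <code>nft -c -f firewall.rules</code>, then load with <code>nft -f firewall.rules</code>. Because the rules live in an inet table, a new blocklist entry or a new allowed port is a single edit rather than one per address family.</p>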
    </body>
</html>