<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Error when atomically replacing rules with symbolic variables"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1358">1358</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Error when atomically replacing rules with symbolic variables
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>other
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>blocker
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>nft
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>gdouezangrard@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=567" name="attach_567" title="master compilation log">attachment 567</a> <a href="attachment.cgi?id=567&action=edit" title="master compilation log">[details]</a></span>
master compilation log

OS: Arch Linux
Kernel: Linux 5.2.2-arch1-1-ARCH
nftables: v0.9.1

With the following `/etc/nftables.conf` file:

  #!/sbin/nft -f

  define ifs = {lo}

  table inet filter {
    chain input {
      type filter hook input priority 0; policy drop;
    }
  }

  inet filter input iifname $ifs accept

The atomic rule replacement gives the following error:

  $ nft flush ruleset ';' include '"/etc/nftables.conf"'
  In file included from (null):1:17-51:
  /etc/nftables.conf:13:19-37: Error: Could not process rule: No such file or directory
  inet filter input iifname $ifs accept
                    ^^^^^^^^^^^^^^^^^^^

On the contrary, the following commands work as expected:

  $ nft flush ruleset
  $ nft -f /etc/nftables.conf

Reverting to `nftables v0.9.0` also fixes the issue in the case of atomic
replacement.

Through git bisect, the first offending commit found is:

  e5382c0 ("src: Support intra-transaction rule references")

Not sure if it is fixed on master or not, I cannot compile it (make error log
as attachment).</pre>
        </div>
      </p>
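<p>The report's working fallback (<code>nft flush ruleset</code> followed by <code>nft -f</code> as two separate commands) leaves a window in which the host has no ruleset at all and, should the second command fail, stays that way. The shell script below is an added example, not part of the bug report or of nftables itself: it puts the flush and the re-creation into one file so they travel in a single nft transaction, dry-runs the file with <code>nft -c</code> before applying it, and afterwards confirms that an input base chain with <code>policy drop</code> is present. It assumes an nft binary and root privileges; whether a file-internal <code>flush ruleset</code> trips the same v0.9.1 error as the reporter's <code>nft flush ruleset ';' include</code> form is not something the report states.</p>

```shell
#!/bin/sh
# Added example (not from the bug report): check, apply and verify an
# nftables ruleset without ever leaving the host with an empty ruleset.
# Assumes an nft binary and root; the in-file "flush ruleset" form is an
# assumption, the report does not say whether it avoids the v0.9.1 error.
set -eu

# Write $2 = "flush ruleset" followed by the contents of $1, so the flush
# and the re-creation are committed as one transaction (no window with an
# empty ruleset, unlike `nft flush ruleset` and `nft -f` as two commands).
compose_atomic_ruleset() {
    { printf '%s\n' 'flush ruleset'; cat "$1"; } > "$2"
}

# Parse-and-check only: `nft -c` never touches the kernel ruleset.
check_ruleset() {
    nft -c -f "$1"
}

# $1 = file holding `nft list ruleset` output. Succeeds only if an input
# base chain with policy drop is present, i.e. the host is not wide open.
input_policy_is_drop() {
    grep -Eq 'hook input .*policy drop' "$1"
}

# Check, apply, verify. A failing `nft -f` aborts the whole transaction,
# so the previous ruleset stays in place in every error branch.
safe_reload() {
    src=$1
    tmp=$(mktemp); listing=$(mktemp)
    compose_atomic_ruleset "$src" "$tmp"
    if ! check_ruleset "$tmp"; then
        echo "candidate rejected by nft -c; live ruleset unchanged" >&2
        rm -f "$tmp" "$listing"; return 1
    fi
    if ! nft -f "$tmp"; then
        echo "nft -f failed; transaction aborted, previous ruleset kept" >&2
        rm -f "$tmp" "$listing"; return 1
    fi
    nft list ruleset > "$listing"
    if ! input_policy_is_drop "$listing"; then
        echo "WARNING: no default-drop input chain after reload" >&2
        rm -f "$tmp" "$listing"; return 2
    fi
    rm -f "$tmp" "$listing"
}

# Usage: sh safe_reload.sh /etc/nftables.conf
[ $# -eq 0 ] || safe_reload "$1"
```

<p>The shebang line of the original <code>/etc/nftables.conf</code> is harmless when the file is concatenated, since nft reads <code>#</code> lines as comments. The post-apply check is deliberately narrow: it only asserts that the input hook ended up with a drop policy, which is the property the reporter's configuration depends on.</p>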
    </body>
</html>