<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW - Errors when running &quot;nft -o&quot; optimizer due to &quot;counter return&quot;" href="https://bugzilla.netfilter.org/show_bug.cgi?id=1697">1697</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Errors when running "nft -o" optimizer due to "counter return"
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>1.0.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Debian GNU/Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>apachez@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span><a href="attachment.cgi?id=720" name="attach_720" title="Ruleset that triggers the error in nft optimizer">attachment 720</a> <a href="attachment.cgi?id=720&amp;action=edit" title="Ruleset that triggers the error in nft optimizer">[details]</a></span>
Ruleset that triggers the error in nft optimizer

It turns out that nft optimizer (nft -o) will produce errors such as:

# internal:0:0-0: Error: Could not process rule: File exists

The above turned out to be due to chains that looked like this:

chain VZONE_wg8 {
    iifname "wg8" counter return
    iifname "eth1" counter jump NAME_lan-wg8
    iifname "eth1" counter return
    iifname "eth3" counter jump NAME_mullvadgb-wg8
    iifname "eth3" counter return
    iifname "eth2" counter jump NAME_mullvadus-wg8
    iifname "eth2" counter return
    iifname "eth0" counter jump NAME_wan-wg8
    iifname "eth0" counter return
    iifname "wg0" counter jump NAME_wg0-wg8
    iifname "wg0" counter return
    iifname "wg1" counter jump NAME_wg1-wg8
    iifname "wg1" counter return
    iifname "wg7" counter jump NAME_wg7-wg8
    iifname "wg7" counter return
    counter drop comment "zone_wg8 default-action drop"
}

where the workaround was to adjust the "counter return" into just "return" like
so (however, the first "counter return" was accepted by the nft optimizer?):

chain VZONE_wg8 {
    iifname "wg8" counter return
    iifname "eth1" counter jump NAME_lan-wg8
    iifname "eth1" return
    iifname "eth3" counter jump NAME_mullvadgb-wg8
    iifname "eth3" return
    iifname "eth2" counter jump NAME_mullvadus-wg8
    iifname "eth2" return
    iifname "eth0" counter jump NAME_wan-wg8
    iifname "eth0" return
    iifname "wg0" counter jump NAME_wg0-wg8
    iifname "wg0" return
    iifname "wg1" counter jump NAME_wg1-wg8
    iifname "wg1" return
    iifname "wg7" counter jump NAME_wg7-wg8
    iifname "wg7" return
    counter drop comment "zone_wg8 default-action drop"
}

With the above workaround, nft optimizer (nft -o) accepted the backup file (it
already had "flush ruleset" added as the first line):

# nft -c -o -f /path/backup.nft

The system is a VyOS 1.4-rolling release (the particular box used VyOS
1.4-rolling-202307250317), which is based on Debian 12.1 (bookworm).

Package installed: nftables 1.0.6-2+deb12u1.

Output of "nft -V":

nftables v1.0.6 (Lester Gooch #5)
  cli:        editline
  json:       yes
  minigmp:    no
  libxtables: yes

Using kernel:

Linux vyos 6.1.40-amd64-vyos #1 SMP PREEMPT_DYNAMIC Sun Jul 23 21:10:16 UTC
2023 x86_64 GNU/Linux

Discussion available at:
<a href="https://forum.vyos.io/t/geoip-optimise-address-ranges/11677">https://forum.vyos.io/t/geoip-optimise-address-ranges/11677</a>

Also attached "ruleset_230731.txt.gz", which triggers the error with nft
optimizer.

The ruleset has been created by "nft -s list ruleset", and "flush
ruleset" was added as the first line.</pre>
</div>
</p>
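An added example (not part of the report or of nftables itself) that applies the reporter's workaround mechanically to a ruleset dump before it is handed to `nft -c -o -f`: it strips `counter` from an `iifname "X" counter return` rule only when the same chain already holds an `iifname "X" counter jump ...` rule, and leaves a lone `counter return` (like the first rule of the quoted chain) untouched, matching what the reporter observed. The sample chain is constructed from the one quoted above; the function and regex names are this example's own.

```python
import re
import sys
from typing import Tuple

# Rule shapes taken from the chain quoted in the report.
CHAIN_RE = re.compile(r'^\s*chain\s+\S+\s*\{\s*$')
JUMP_RE = re.compile(r'^\s*iifname\s+"(?P<ifname>[^"]+)"\s+counter\s+jump\s+\S+\s*$')
COUNTER_RETURN_RE = re.compile(
    r'^(?P<indent>\s*)iifname\s+"(?P<ifname>[^"]+)"\s+counter\s+return\s*$')

# Constructed sample mirroring the reported chain (shortened).
SAMPLE_RULESET = """\
chain VZONE_wg8 {
    iifname "wg8" counter return
    iifname "eth1" counter jump NAME_lan-wg8
    iifname "eth1" counter return
    iifname "eth3" counter jump NAME_mullvadgb-wg8
    iifname "eth3" counter return
    counter drop comment "zone_wg8 default-action drop"
}
"""


def apply_workaround(ruleset: str) -> Tuple[str, int]:
    """Rewrite 'iifname "X" counter return' to 'iifname "X" return' when an
    'iifname "X" counter jump ...' rule precedes it in the same chain.
    Returns the rewritten text and the number of rules changed."""
    out = []
    changed = 0
    jumped = set()  # interfaces with a jump rule seen in the current chain
    for line in ruleset.splitlines():
        if CHAIN_RE.match(line):
            jumped = set()  # new chain: jump bookkeeping starts over
        elif (m := JUMP_RE.match(line)):
            jumped.add(m.group("ifname"))
        elif (m := COUNTER_RETURN_RE.match(line)) and m.group("ifname") in jumped:
            line = f'{m.group("indent")}iifname "{m.group("ifname")}" return'
            changed += 1
        out.append(line)
    trailer = "\n" if ruleset.endswith("\n") else ""
    return "\n".join(out) + trailer, changed


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULESET
    text, n = apply_workaround(src)
    sys.stdout.write(text)
    print(f"# rewrote {n} rule(s); dry-run the result with: nft -c -o -f FILE",
          file=sys.stderr)
```

The rewritten rules lose their per-interface return counters, so keep the reporter's `nft -c` dry run in the loop and confirm the counters you still need survive in the optimized output.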
</body>
</html>