[Bug 1697] New: Errors when running "nft -o" optimizer due to "counter return"

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Jul 31 12:04:32 CEST 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1697

            Bug ID: 1697
           Summary: Errors when running "nft -o" optimizer due to "counter
                    return"
           Product: nftables
           Version: 1.0.x
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: apachez at gmail.com

Created attachment 720
  --> https://bugzilla.netfilter.org/attachment.cgi?id=720&action=edit
Ruleset that triggers the error in nft optimizer

It turns out that the nft optimizer (nft -o) will produce errors such as:

# internal:0:0-0: Error: Could not process rule: File exists

The above turned out to be due to chains that looked like this:

chain VZONE_wg8 {
    iifname "wg8" counter return
    iifname "eth1" counter jump NAME_lan-wg8
    iifname "eth1" counter return
    iifname "eth3" counter jump NAME_mullvadgb-wg8
    iifname "eth3" counter return
    iifname "eth2" counter jump NAME_mullvadus-wg8
    iifname "eth2" counter return
    iifname "eth0" counter jump NAME_wan-wg8
    iifname "eth0" counter return
    iifname "wg0" counter jump NAME_wg0-wg8
    iifname "wg0" counter return
    iifname "wg1" counter jump NAME_wg1-wg8
    iifname "wg1" counter return
    iifname "wg7" counter jump NAME_wg7-wg8
    iifname "wg7" counter return
    counter drop comment "zone_wg8 default-action drop"
}

where the workaround was to change the "counter return" into just "return", like
so (however, the first "counter return" was accepted by the nft optimizer?):

chain VZONE_wg8 {
    iifname "wg8" counter return
    iifname "eth1" counter jump NAME_lan-wg8
    iifname "eth1" return
    iifname "eth3" counter jump NAME_mullvadgb-wg8
    iifname "eth3" return
    iifname "eth2" counter jump NAME_mullvadus-wg8
    iifname "eth2" return
    iifname "eth0" counter jump NAME_wan-wg8
    iifname "eth0" return
    iifname "wg0" counter jump NAME_wg0-wg8
    iifname "wg0" return
    iifname "wg1" counter jump NAME_wg1-wg8
    iifname "wg1" return
    iifname "wg7" counter jump NAME_wg7-wg8
    iifname "wg7" return
    counter drop comment "zone_wg8 default-action drop"
}

With the above workaround, the nft optimizer (nft -o) accepted the backup file (it
already had "flush ruleset" added as the first line):

# nft -c -o -f /path/backup.nft

The system is a VyOS 1.4-rolling release (the particular box used VyOS
1.4-rolling-202307250317), which is based on Debian 12.1 (bookworm).

Package installed: nftables 1.0.6-2+deb12u1.

Output of "nft -V":

nftables v1.0.6 (Lester Gooch #5)
  cli:        editline
  json:       yes
  minigmp:    no
  libxtables: yes

Using kernel:

Linux vyos 6.1.40-amd64-vyos #1 SMP PREEMPT_DYNAMIC Sun Jul 23 21:10:16 UTC 2023 x86_64 GNU/Linux

Discussion available at:
https://forum.vyos.io/t/geoip-optimise-address-ranges/11677

Also attached is "ruleset_230731.txt.gz", which triggers the error with the nft
optimizer.

The ruleset has been created with "nft -s list ruleset", with "flush ruleset"
added as the first line.
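As an added example (not part of the bug report, and not code from the nftables project), the following script checks an "nft -s list ruleset" dump for the shape the reporter identified as the trigger, namely several rules in one chain that share the same match (iifname "eth1") and the same "counter" statement but end in different verdicts (jump ... and return), and applies the reporter's workaround of dropping "counter" from the "return" rule. It is a pre-flight heuristic based only on the observation above, not a statement about what the optimizer does internally; the rule grammar it understands is the simple one in the report (an optional iifname/oifname match, optional counter, a verdict, optional comment), and the sample ruleset embedded below is constructed from the chain in the report.

```python
"""Pre-flight check for the `nft -o` failure described in bug 1697.

Added example, not the reporter's or the nftables project's code. It
flags, per chain, groups of rules with the same match and the same
`counter` statement but different verdicts, and rewrites the `return`
rules in such a group to plain `return` (the reporter's workaround).
"""
import re

# Constructed sample, trimmed from the chain in the report (assumption:
# the dump wraps the chain in a table, as `nft list ruleset` does).
SAMPLE_RULESET = """table inet filter {
    chain VZONE_wg8 {
        iifname "wg8" counter return
        iifname "eth1" counter jump NAME_lan-wg8
        iifname "eth1" counter return
        iifname "eth3" counter jump NAME_mullvadgb-wg8
        iifname "eth3" counter return
        counter drop comment "zone_wg8 default-action drop"
    }
}
"""

# Only the rule shape seen in the report: <match> [counter] <verdict> [comment "..."]
RULE_RE = re.compile(
    r'^(?P<indent>\s*)'
    r'(?P<match>(?:iifname|oifname)\s+"[^"]+")?\s*'
    r'(?P<counter>counter\s+)?'
    r'(?P<verdict>return|accept|drop|jump\s+\S+|goto\s+\S+)'
    r'(?P<rest>\s+comment\s+".*")?\s*$'
)
CHAIN_RE = re.compile(r'^\s*chain\s+(\S+)\s*\{\s*$')


def parse_ruleset(text):
    """Return (chain, line_no, match, has_counter, verdict) for every rule
    inside a chain that has an interface match; other lines are ignored."""
    rules = []
    chain = None
    for no, line in enumerate(text.splitlines(), 1):
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if line.strip() == "}":
            chain = None
            continue
        r = RULE_RE.match(line)
        if chain and r and r.group("match"):
            rules.append((chain, no, r.group("match"),
                          bool(r.group("counter")), r.group("verdict")))
    return rules


def find_conflicts(text):
    """Map (chain, match, has_counter) -> [(line_no, verdict), ...] for groups
    that carry more than one distinct verdict, i.e. the reported trigger."""
    groups = {}
    for chain, no, match, has_counter, verdict in parse_ruleset(text):
        groups.setdefault((chain, match, has_counter), []).append((no, verdict))
    return {k: v for k, v in groups.items() if len({vd for _, vd in v}) > 1}


def apply_workaround(text):
    """Rewrite `counter return` to `return` on every rule that belongs to a
    conflicting group; all other lines are passed through unchanged."""
    affected = {no for members in find_conflicts(text).values()
                for no, vd in members if vd == "return"}
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        if no in affected:
            line = re.sub(r'\bcounter\s+return\b', 'return', line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for (chain, match, _), members in find_conflicts(SAMPLE_RULESET).items():
        print(f'{chain}: {match} has verdicts {[vd for _, vd in members]}')
    print(apply_workaround(SAMPLE_RULESET))
```

Run it over a real dump with `python3 check.py < backup.nft` style plumbing of your choice, then feed the rewritten file to `nft -c -o -f` as in the report; the "wg8" rule, whose match appears only once in the chain, is left alone, matching the reporter's observation that the first "counter return" was accepted.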
