[pkg-netfilter-team] Bug#914397: nftables: after Stretch->Buster upgrade, named set needs "auto-merge"
Arturo Borrero Gonzalez
aborrero at wikimedia.org
Fri Nov 23 11:03:14 GMT 2018
Control: fixed -1 0.9.0-1
On Fri, 23 Nov 2018 08:52:01 +0100 Gert <t2 at gert.gr> wrote:
> After analyzing my config, I can now give a full example.
> The subnet came from a geoblock list, the separate host came from an
> abusers list.
> That causes the conflict in Buster (which can be fixed with auto-merge).
> And I tried it again on a different Stretch machine, and it indeed works
> fine.
> (Sorry, I could also have done all this for the first report, I now
> realize).
>
> #!/usr/sbin/nft -f
> table ip filter {
>     set blacklist {
>         type ipv4_addr
>         flags interval
>         elements = {
>             192.0.2.0/24,
>             192.0.2.1
>         }
>         # auto-merge # uncomment this to fix in Buster
>     }
> }
>
>
sets with intervals had several flags prior to this release. The
'auto-merge' feature was introduced to handle these failures. So, this is
not really a bug, but a feature :-)
Closing bug now, feel free to reopen.
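The failure in the report is an interval set whose elements overlap (a /24 and a single host inside it). The real check before upgrading a ruleset is `nft -c -f file` on the target release; the script below is an added, offline pre-check written for this note, not part of nftables or of the bug reporter's config. It pulls the `elements = { ... }` list out of an nft file, lists the pairs that overlap (which a Buster nft rejects without `auto-merge`) and shows what `auto-merge` would store instead. The helper names (`parse_elements`, `find_overlaps`, `auto_merged`, `report`) are hypothetical, the sample ruleset is reconstructed from the report, and only plain addresses and CIDR prefixes are understood, not `a-b` ranges or sets with nested braces.

```python
import ipaddress
import re

# Constructed sample, reconstructed from the bug report above (not run through nft here).
SAMPLE_SET = """
#!/usr/sbin/nft -f
table ip filter {
    set blacklist {
        type ipv4_addr
        flags interval
        elements = {
            192.0.2.0/24,   # from a geoblock list
            192.0.2.1       # from an abusers list
        }
        # auto-merge # uncomment this to fix in Buster
    }
}
"""

ELEMENT_RE = re.compile(r"elements\s*=\s*\{([^}]*)\}", re.S)


def strip_comments(nft_text):
    """Drop '#' comments so annotated element lists still parse."""
    return "\n".join(line.split("#", 1)[0] for line in nft_text.splitlines())


def parse_elements(nft_text):
    """Return the elements of the first 'elements = { ... }' block as IPv4Network objects.

    A bare address becomes a /32 so it can be compared with prefixes.
    Only addresses and CIDR prefixes are handled (hypothetical helper, no range support).
    """
    m = ELEMENT_RE.search(strip_comments(nft_text))
    if not m:
        return []
    items = [tok.strip() for tok in m.group(1).split(",") if tok.strip()]
    return [ipaddress.ip_network(item, strict=False) for item in items]


def find_overlaps(networks):
    """Pairs of distinct elements that overlap; these are what nft without auto-merge rejects."""
    found = []
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a.overlaps(b):
                found.append((str(a), str(b)))
    return found


def auto_merged(networks):
    """What auto-merge would keep: overlapping and adjacent networks collapsed into one."""
    return [str(n) for n in ipaddress.collapse_addresses(networks)]


def report(nft_text):
    """Summarise one set: its elements, the overlapping pairs and the merged form."""
    nets = parse_elements(nft_text)
    overlaps = find_overlaps(nets)
    return {
        "elements": [str(n) for n in nets],
        "overlaps": overlaps,
        "merged": auto_merged(nets),
        "needs_auto_merge": bool(overlaps),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SET).items():
        print(f"{key}: {value}")
```

For the reported set this prints one overlapping pair, `192.0.2.0/24` with `192.0.2.1/32`, and a merged list of just `192.0.2.0/24`, which is the element that ends up in the kernel once `auto-merge` is set. Adjacent but non-overlapping prefixes (two /25 halves of a /24) produce no overlap pair but still collapse in the merged view, so the merged list is the one to compare against what `nft list set` shows after loading.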