[pkg-netfilter-team] Bug#914706: nftables: unexpected results using nft file parser

Eike Lohmann e.lohmann at ic3s.de
Mon Nov 26 14:44:29 GMT 2018


Package: nftables
Version: 0.9.0-1~bpo9+1
Severity: important

Dear Maintainer,

nft -f imports rules which can't be deleted afterwards.

root at xmachine1:/home/user/testcase# nft -f /etc/nftables.conf
root at xmachine1:/home/user/testcase# nft -f /tmp/fail
root at xmachine1:/home/user/testcase# nft list ruleset
table ip filter {
    set S1 {
        type ipv4_addr
        flags interval
        elements = { 10.5.0.20/31 }
    }

    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
}
root at xmachine1:/home/user/testcase# nft delete element filter S1 { 10.5.0.20/31 }
Error: Could not process rule: No such file or directory
delete element filter S1 { 10.5.0.20/31 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Content of file /etc/nftables.conf:

#!/usr/sbin/nft -f
# Skeleton for nftables

flush ruleset

table ip filter {
    chain FORWARD {
        type filter hook forward priority 0;
    }
}

Content of file /tmp/fail:

add set filter S1 { type ipv4_addr; flags interval; }
add element filter S1 { 10.5.0.20/31 }

This does not happen if we export it with nft and import it back again!

-- System Information:
Debian Release: 9.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (50, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg          1.18.25
ii  libc6         2.24-11+deb9u3
ii  libgmp10      2:6.1.2+dfsg-1
ii  libnftables0  0.9.0-1~bpo9+1
ii  libreadline7  7.0-3

nftables recommends no packages.

nftables suggests no packages.

-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset
table ip filter {
    chain FORWARD {
        type filter hook forward priority 0;
    }
}