[pkg-netfilter-team] Bug#1063993: Cannot "list set" multiple differently-typed sets in one process
Trent W. Buck
trentbuck at gmail.com
Thu Feb 15 11:47:08 GMT 2024
Package: nftables
Version: 1.0.6-2+deb12u2
Severity: minor
In production I wanted to list two sets and count how many elements are in each:
$ sudo nft -json 'list set inet my_filter my_IPS_IPv4_blacklist' | jq '.nftables[1].set.elem | length'
33
When I tried to list both sets at once (IPv4 & IPv6), nft gave confusing errors.
Below is the smallest test ruleset I found that reproduces the problem.
bash5$ sudo ip netns add delete-me
bash5$ sudo ip netns exec delete-me nft 'flush ruleset; table inet x { set xs { type ipv4_addr; }; set ys { type ipv6_addr; }; }'
bash5$ sudo ip netns exec delete-me nft list ruleset
table inet x {
	set xs {
		type ipv4_addr
	}
	set ys {
		type ipv6_addr
	}
}
bash5$ sudo ip netns exec delete-me nft 'list set inet x xs'
table inet x {
	set xs {
		type ipv4_addr
	}
}
bash5$ sudo ip netns exec delete-me nft 'list set inet x ys'
table inet x {
	set ys {
		type ipv6_addr
	}
}
bash5$ sudo ip netns exec delete-me nft 'list set inet x xs; list set inet x xs'
table inet x {
	set xs {
		type ipv4_addr
	}
}
table inet x {
	set xs {
		type ipv4_addr
	}
}
bash5$ sudo ip netns exec delete-me nft 'list set inet x ys; list set inet x ys'
table inet x {
	set ys {
		type ipv6_addr
	}
}
table inet x {
	set ys {
		type ipv6_addr
	}
}
bash5$ sudo ip netns exec delete-me nft 'list set inet x xs; list set inet x ys'
Error: No such file or directory; did you mean set ‘ys’ in table inet ‘x’?
list set inet x xs; list set inet x ys
^^
bash5$ sudo ip netns exec delete-me nft 'list set inet x ys; list set inet x xs'
Error: No such file or directory; did you mean set ‘xs’ in table inet ‘x’?
list set inet x ys; list set inet x xs
^^
bash5$ /sbin/nft --version
nftables v1.0.6 (Lester Gooch #5)
bash5$ uname -a
Linux hera 6.5.0-0.deb12.4-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.10-1~bpo12+1 (2023-11-23) x86_64 GNU/Linux
bash5$ dpkg-query -W linux-image-amd64 nftables
linux-image-amd64 6.5.10-1~bpo12+1
nftables 1.0.6-2+deb12u2
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-0.deb12.4-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages nftables depends on:
ii libc6 2.36-9+deb12u4
ii libedit2 3.1-20221030-2
ii libnftables1 1.0.6-2+deb12u2
Versions of packages nftables recommends:
ii netbase 6.4
Versions of packages nftables suggests:
pn firewalld <none>
-- Configuration Files:
/etc/nftables.conf changed [not included]
-- no debconf information
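Added example (editor's code, not part of the bug report or of nftables): the counting task from the top of the report done in a way that sidesteps this bug, by running one nft process per set and locating the set object by table and name instead of assuming it sits at `.nftables[1]`. The `run` hook and the `SAMPLE` JSON are assumptions constructed here in the shape `nft -j list set` emits, so the code can run without a live ruleset.

```python
import json
import subprocess
from typing import Dict, List, Optional


def count_set_elements(nft_json: str, table: str, name: str) -> Optional[int]:
    """Count elements of one set in `nft -j list set ...` output.

    The set is looked up by table/name (index 0 is the metainfo object,
    so a fixed .nftables[1] is fragile), and an empty set, which nft
    emits without an "elem" key, counts as 0. Returns None if absent.
    """
    doc = json.loads(nft_json)
    for obj in doc.get("nftables", []):
        s = obj.get("set")
        if s and s["table"] == table and s["name"] == name:
            return len(s.get("elem", []))
    return None


def count_sets(family: str, table: str, names: List[str],
               run=None) -> Dict[str, Optional[int]]:
    """Workaround for the bug: one nft invocation per set, never two
    differently-typed 'list set' commands in a single process.

    `run` is a hypothetical hook mapping an nft argv to its stdout; by
    default it executes nft, tests substitute canned output.
    """
    if run is None:
        def run(argv):
            return subprocess.run(argv, check=True, capture_output=True,
                                  text=True).stdout
    return {n: count_set_elements(run(["nft", "-j", "list", "set",
                                       family, table, n]), table, n)
            for n in names}


# Constructed sample output for the report's test ruleset (not real nft output)
SAMPLE = {
    "xs": json.dumps({"nftables": [
        {"metainfo": {"version": "1.0.6", "json_schema_version": 1}},
        {"set": {"family": "inet", "name": "xs", "table": "x", "handle": 1,
                 "type": "ipv4_addr",
                 "elem": ["192.0.2.1",
                          {"prefix": {"addr": "198.51.100.0", "len": 24}}]}}]}),
    "ys": json.dumps({"nftables": [   # empty set: nft omits "elem"
        {"metainfo": {"version": "1.0.6", "json_schema_version": 1}},
        {"set": {"family": "inet", "name": "ys", "table": "x", "handle": 2,
                 "type": "ipv6_addr"}}]}),
}

if __name__ == "__main__":
    print(count_sets("inet", "x", ["xs", "ys"], run=lambda a: SAMPLE[a[-1]]))
```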