nft — Can not add element back to set after it has been removed (in OpenVZ container)

0 votes
0 answers
1088 views
I encountered a strange problem with nftables which I don't understand. This is the sequence of commands which led to my state:
~# nft add table inet firewall
~# nft add set inet firewall blacklist4 \{ typeof ip saddr \; flags interval \; auto-merge \; \}
~# nft add element inet firewall blacklist4 \{ 192.0.2.0/25 \}
~# nft add element inet firewall blacklist4 \{ 192.0.2.128/25 \}
~# nft -a list ruleset
table inet firewall { # handle 0
        set blacklist4 { # handle 0
                typeof ip saddr
                flags interval
                auto-merge
                elements = { 192.0.2.0/25, 192.0.2.128/25 }
        }
}
So far, so good. Notice that it did not automatically merge the two halves of the /24 network into a single record, which I expected, and I found that I am not the first to notice this: https://www.spinics.net/lists/netfilter/msg58958.html Now, at this state it won't let me add the "combined" or the "partial" range element:
~# nft add element inet firewall blacklist4 \{ 192.0.2.128/26 \}
Error: interval overlaps with an existing one
add element inet firewall blacklist4 { 192.0.2.128/26 }
                                       ^^^^^^^^^^^^^^
Error: Could not process rule: File exists
add element inet firewall blacklist4 { 192.0.2.128/26 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~# nft add element inet firewall blacklist4 \{ 192.0.2.0/24 \}
Error: interval overlaps with an existing one
add element inet firewall blacklist4 { 192.0.2.0/24 }
                                       ^^^^^^^^^^^^
Error: Could not process rule: File exists
add element inet firewall blacklist4 { 192.0.2.0/24 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
So, removing both elements and checking:
~# nft delete element inet firewall blacklist4 \{ 192.0.2.0/24 \}
Error: interval not found in set
delete element inet firewall blacklist4 { 192.0.2.0/24 }
                                          ^^^^^^^^^^^^
Error: Could not process rule: No such file or directory
delete element inet firewall blacklist4 { 192.0.2.0/24 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~# nft delete element inet firewall blacklist4 \{ 192.0.2.0/25 \}
~# nft delete element inet firewall blacklist4 \{ 192.0.2.128/25 \}
~# nft -a list ruleset
table inet firewall { # handle 0
        set blacklist4 { # handle 0
                typeof ip saddr
                flags interval
                auto-merge
        }
}
I intentionally tried to remove the combined one first, because it was said earlier that the "file exists". But it turned out it only exists when adding, not when removing. The last command shows the set is empty; now let's add something back:
~# nft add element inet firewall blacklist4 \{ 192.0.2.0/24 \}
Error: Could not process rule: File exists
add element inet firewall blacklist4 { 192.0.2.0/24 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~# nft add element inet firewall blacklist4 \{ 192.0.2.0/25 \}
Error: Could not process rule: File exists
add element inet firewall blacklist4 { 192.0.2.0/25 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~# nft add element inet firewall blacklist4 \{ 192.0.2.0/26 \}
Error: Could not process rule: File exists
add element inet firewall blacklist4 { 192.0.2.0/26 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~# nft -a list ruleset
table inet firewall { # handle 0
        set blacklist4 { # handle 0
                typeof ip saddr
                flags interval
                auto-merge
        }
}
I can't add the same block, the super block or the partial block; it says "file exists". Why? Where? The list command keeps saying the set is empty. How do I add it back now? It is possible to reset this by flushing the set. However, this test set is empty, but in real life it will have other data. This behaviour is retained if the set is created without auto-merge. If I remove flags interval, it works as expected, but only with individual IP addresses. This is an OpenVZ system, 3.10.0-1160.42.2.vz7.184.10 #1 SMP Fri Dec 31 04:05:16 MSK 2021 x86_64 GNU/Linux. Could it be connected to that? The nft version is nftables v0.9.8 (E.D.S.); the system is a freshly updated Debian Bullseye.
Asked by Nikita Kipriyanov (1779 rep)
May 27, 2022, 12:07 PM
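The question's own workaround (flushing the set) loses the other elements a production blocklist holds. A way to keep them is to stop adding and deleting intervals one at a time and instead compute the final contents in userspace, then replace the whole set in a single `nft -f` transaction (flush plus re-add), which nftables applies atomically. The script below is an added example, not code from the question author: it parses `nft -j list set` output, merges overlapping intervals client-side (the two /25 halves collapse into the /24 that auto-merge did not produce), applies removals and additions, and prints the transaction. The JSON layout it reads is constructed here to resemble the real `nft -j` schema and is an assumption, as is whether this sidesteps the "File exists" error on the OpenVZ kernel described above.

```python
"""Rebuild an nftables interval set atomically from userspace.

Added example (not part of the original question). Pipe the live set in and
the transaction out:

    nft -j list set inet firewall blacklist4 | python3 rebuild_set.py 192.0.2.0/24 | nft -f -

Assumption: `nft -j list set` returns {"nftables": [..., {"set": {...,
"elem": [{"prefix": {"addr": ..., "len": ...}}, "a.b.c.d", ...]}}]}.
"""
import ipaddress
import json
import sys

# Constructed sample resembling `nft -j list set inet firewall blacklist4`
# (not real output from the poster's system).
SAMPLE_JSON = json.dumps({
    "nftables": [
        {"metainfo": {"version": "0.9.8", "json_schema_version": 1}},
        {"set": {
            "family": "inet", "table": "firewall", "name": "blacklist4",
            "type": "ipv4_addr", "flags": ["interval"],
            "elem": [
                {"prefix": {"addr": "192.0.2.0", "len": 25}},
                {"prefix": {"addr": "192.0.2.128", "len": 25}},
                "198.51.100.7",
            ],
        }},
    ]
})


def parse_set_elements(nft_json):
    """Return (family, table, name, [ip_network]) from `nft -j list set` text."""
    for obj in json.loads(nft_json)["nftables"]:
        if "set" not in obj:
            continue  # skip the metainfo record
        s = obj["set"]
        nets = []
        for elem in s.get("elem", []):
            if isinstance(elem, dict) and "prefix" in elem:
                p = elem["prefix"]
                nets.append(ipaddress.ip_network(f'{p["addr"]}/{p["len"]}'))
            elif isinstance(elem, dict) and "range" in elem:
                lo, hi = (ipaddress.ip_address(x) for x in elem["range"])
                nets.extend(ipaddress.summarize_address_range(lo, hi))
            else:
                nets.append(ipaddress.ip_network(elem))  # single host
        return s["family"], s["table"], s["name"], nets
    raise ValueError("no set object in nft JSON")


def _exclude(nets, removal):
    """Remove `removal` from the list, carving holes out of larger prefixes."""
    out = []
    for net in nets:
        if not net.overlaps(removal):
            out.append(net)
        elif net.subnet_of(removal):
            continue  # wholly covered: drop it
        else:
            out.extend(net.address_exclude(removal))  # keep the remainder
    return out


def merged_elements(existing, additions=(), removals=()):
    """Final interval list: apply removals, then additions, then collapse overlaps."""
    nets = list(existing)
    for r in removals:
        nets = _exclude(nets, ipaddress.ip_network(r))  # strict: host bits must be zero
    nets.extend(ipaddress.ip_network(a) for a in additions)
    return sorted(ipaddress.collapse_addresses(nets))


def render_transaction(family, table, name, nets):
    """Text for `nft -f -`: flush and re-add in one atomic transaction."""
    elems = ", ".join(
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in nets
    )
    lines = [f"flush set {family} {table} {name}"]
    if elems:
        lines.append(f"add element {family} {table} {name} {{ {elems} }}")
    return "\n".join(lines) + "\n"


def rebuild(nft_json, additions=(), removals=()):
    """Parse, merge and render; returns the transaction text."""
    family, table, name, nets = parse_set_elements(nft_json)
    return render_transaction(family, table, name,
                              merged_elements(nets, additions, removals))


if __name__ == "__main__":
    src = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    adds = [a for a in sys.argv[1:] if not a.startswith("-")]
    dels = [a[1:] for a in sys.argv[1:] if a.startswith("-")]  # "-198.51.100.7" removes
    sys.stdout.write(rebuild(src, adds, dels))
```

Because `nft -f` either applies the whole file or none of it, the set is never observed empty by the data path, and the kernel only ever sees one consistent interval list per transaction rather than a sequence of overlapping adds and deletes.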