Discussion:
errors found in nftable docs on wiki
Jonathan Johnson
2014-06-28 19:13:35 UTC
http://wiki.nftables.org/wiki-nftables/index.php/Sets

States this works and it does not.


nft add set filter blackhole { type ipv4_address\;}

after reviewing the source code I discovered this is correct:


nft add set filter blackhole { type ipv4_addr\;}


after using the correct syntax I get this error, which I have not
troubleshooted.


I modprobed all the modules starting with nft* one at a time.


<cmdline>:1:26-42: Error: Could not add set: No such file or directory

Jonathan
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso
2014-06-29 10:12:50 UTC
Post by Jonathan Johnson
http://wiki.nftables.org/wiki-nftables/index.php/Sets
States this works and it does not.
nft add set filter blackhole { type ipv4_address\;}
nft add set filter blackhole { type ipv4_addr\;}
Fixed, thanks for reporting.
Post by Jonathan Johnson
after using the correct syntax I get this error, which I have not
troubleshooted.
I modprobed all the modules starting with nft* one at a time.
<cmdline>:1:26-42: Error: Could not add set: No such file or directory
I guess you forgot to create the filter table?

http://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables
Jonathan Johnson
2014-06-29 14:51:13 UTC
I followed your example and no go.

/sbin/nft add table ip blackhole
nft list tables
results: blackhole

nft add set filter blackhole { type ipv4_addr\;}
<cmdline>:1:26-42: Error: Could not add set: No such file or directory


Please send me a complete example.
I am trying to migrate my blacklist from ipset/iptables to nft since I
have 33,110 entries and counting. I want to block all forms of
communication with their IP addresses. I want to see how nft performs
by comparison. Does nft have the 65,535 limit for list size?

Jonathan
Post by Pablo Neira Ayuso
Post by Jonathan Johnson
http://wiki.nftables.org/wiki-nftables/index.php/Sets
States this works and it does not.
nft add set filter blackhole { type ipv4_address\;}
nft add set filter blackhole { type ipv4_addr\;}
Fixed, thanks for reporting.
Post by Jonathan Johnson
after using the correct syntax I get this error, which I have not
troubleshooted.
I modprobed all the modules starting with nft* one at a time.
<cmdline>:1:26-42: Error: Could not add set: No such file or directory
I guess you forgot to create the filter table?
http://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables
Arturo Borrero Gonzalez
2014-07-01 06:32:29 UTC
Post by Jonathan Johnson
I followed your example and no go.
/sbin/nft add table ip blackhole
nft list tables
results: blackhole
nft add set filter blackhole { type ipv4_addr\;}
<cmdline>:1:26-42: Error: Could not add set: No such file or directory
The syntax is:

nft add set <family> <table> <setname> { type ... }

So, you are adding a set named 'blackhole' in a table named 'filter'.

I would suggest to create the filter table.
-- 
Arturo Borrero González
Jonathan Johnson
2014-07-02 04:44:33 UTC
I tried to implement the syntax above with no luck. I have no idea
what I am supposed to do, and I am blindly stabbing around with trial
and error trying to figure this out. Why don't you just provide me
with a complete example and make it easy for me? All the examples I
find are broken, wrong, or incomplete.

Jonathan

On Tue, Jul 1, 2014 at 1:32 AM, Arturo Borrero Gonzalez
Post by Arturo Borrero Gonzalez
Post by Jonathan Johnson
I followed your example and no go.
/sbin/nft add table ip blackhole
nft list tables
results: blackhole
nft add set filter blackhole { type ipv4_addr\;}
<cmdline>:1:26-42: Error: Could not add set: No such file or directory
Post by Arturo Borrero Gonzalez
nft add set <family> <table> <setname> { type ... }
So, you are adding a set named 'blackhole' in a table named 'filter'.
I would suggest to create the filter table.
--
Arturo Borrero González
Arturo Borrero Gonzalez
2014-07-02 06:56:19 UTC
Post by Jonathan Johnson
I tried to implement the syntax above with no luck. I have no idea
what I am supposed to do, and I am blindly stabbing around with trial
and error trying to figure this out. Why don't you just provide me
with a complete example and make it easy for me? All the examples I
find are broken, wrong, or incomplete.
Well, I just successfully tested this:

nft add table blackhole
nft list table blackhole
table ip blackhole {
}

nft add set blackhole set1 { type ipv4_addr\; }

nft list table blackhole
table ip blackhole {
set set1 {
type ipv4_addr
}
}

nft add element blackhole set1 {1.1.1.1, 2.2.2.2, 3.3.3.3}

nft list table blackhole -nnn
table ip blackhole {
set set1 {
type ipv4_addr
elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
}
}

nft add chain blackhole chain1
nft list table blackhole -nnn
table ip blackhole {
set set1 {
type ipv4_addr
elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
}

chain chain1 {
}
}

nft add rule blackhole chain1 ip saddr @set1 counter accept
nft list table blackhole -nnn
table ip blackhole {
set set1 {
type ipv4_addr
elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
}

chain chain1 {
ip saddr @set1 counter packets 0 bytes 0 accept
}
}

-- 
Arturo Borrero González
Jonathan Johnson
2014-07-03 00:55:38 UTC
after:
nft add rule blackhole chain1 ip saddr @set1 counter accept

result:

nft[23409]: segfault at 7f8f5b809bbe ip 00007f8e9fe71f4e sp
00007fff6829d178 error 4 in libc-2.18.so[7f8e9fde2000+1a5000]

after that I proceeded to populate the list and got additional errors.
I used:
for i in `cat all3.txt`;do nft add element blackhole set1 { $i };done

To start loading in my 30,000+ entries.

nft: src/netlink.c:205: alloc_nft_setelem: Assertion `expr->ops->type
== EXPR_MAPPING' failed.
Aborted

Eventually, after a few hundred it completes. Does nft support cidr
(1.1.1.0/24) notation?

So I guess the segmentation fault is my last problem.

Jonathan


On Wed, Jul 2, 2014 at 1:56 AM, Arturo Borrero Gonzalez
Post by Arturo Borrero Gonzalez
Post by Jonathan Johnson
I tried to implement the syntax above with no luck. I have no idea
what I am supposed to do, and I am blindly stabbing around with trial
and error trying to figure this out. Why don't you just provide me
with a complete example and make it easy for me? All the examples I
find are broken, wrong, or incomplete.
nft add table blackhole
nft list table blackhole
table ip blackhole {
}
nft add set blackhole set1 { type ipv4_addr\; }
nft list table blackhole
table ip blackhole {
set set1 {
type ipv4_addr
}
}
nft add element blackhole set1 {1.1.1.1, 2.2.2.2, 3.3.3.3}
nft list table blackhole -nnn
table ip blackhole {
set set1 {
type ipv4_addr
elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
}
}
nft add chain blackhole chain1
nft list table blackhole -nnn
table ip blackhole {
set set1 {
type ipv4_addr
elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
}
chain chain1 {
}
}
nft list table blackhole -nnn
table ip blackhole {
set set1 {
type ipv4_addr
elements = { 3.3.3.3, 2.2.2.2, 1.1.1.1}
}
chain chain1 {
}
}
--
Arturo Borrero González
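The bulk load discussed above (the per-address for loop over all3.txt, and the table/set/chain walkthrough it builds on) can be done as one ruleset file fed to `nft -f`, so a single nft process adds every element instead of one process per address. This is an added example, not code from the thread; it assumes a list file with one IPv4 address per line, reuses the thread's names (table blackhole, set set1, chain chain1), and makes chain1 a base chain on the input hook with a drop verdict, since the stated goal is blacklisting rather than the accept used in the walkthrough.

```shell
#!/bin/sh
# Added example: generate an nft ruleset (for `nft -f`) that creates the
# blackhole table, a set of IPv4 addresses loaded in batches, and a drop rule.
# Assumed input: one IPv4 address per line; blank, comment and malformed
# lines are skipped.

# Emit the ruleset on stdout. $1 = address list file, $2 = addresses per
# 'add element' command (default 500, keeps each command line manageable).
gen_blackhole_ruleset() {
    list="$1"
    batch="${2:-500}"

    # Table, set and a base chain hooked into input so the set is consulted.
    cat <<'EOF'
add table ip blackhole
add set ip blackhole set1 { type ipv4_addr; }
add chain ip blackhole chain1 { type filter hook input priority 0; }
EOF

    # Keep only well-formed dotted quads, de-duplicate, then print them in
    # batches as one 'add element' command each.
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' "$list" | sort -u |
        awk -v n="$batch" '
            { buf = (count == 0) ? $1 : buf ", " $1; count++ }
            count == n { print "add element ip blackhole set1 { " buf " }"; count = 0 }
            END { if (count > 0) print "add element ip blackhole set1 { " buf " }" }'

    # Count, then drop, anything whose source address is in the set.
    echo "add rule ip blackhole chain1 ip saddr @set1 counter drop"
}

# Number of distinct valid addresses the file would load; handy to compare
# against the size of the ipset being migrated.
count_valid_addrs() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' "$1" | sort -u | wc -l | tr -d ' '
}

# Usage (needs root and an nftables-capable kernel to apply):
#   gen_blackhole_ruleset all3.txt > blackhole.nft && nft -f blackhole.nft
```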
Arturo Borrero Gonzalez
2014-07-03 15:23:25 UTC
Post by Jonathan Johnson
nft[23409]: segfault at 7f8f5b809bbe ip 00007f8e9fe71f4e sp
00007fff6829d178 error 4 in libc-2.18.so[7f8e9fde2000+1a5000]
after that I proceeded to populate the list and got additional errors.
for i in `cat all3.txt`;do nft add element blackhole set1 { $i };done
To start loading in my 30,000+ entries.
nft: src/netlink.c:205: alloc_nft_setelem: Assertion `expr->ops->type
== EXPR_MAPPING' failed.
Aborted
Eventually, after a few hundred it completes. Does nft support cidr
(1.1.1.0/24) notation?
So I guess the segmentation fault is my last problem.
Ok, let's trace the problem. Maybe you are hitting a bug :)

1) Please, send the version of the kernel, nftables, libnftnl, libmnl
and the name of your distro.
2) Please, rerun the command with valgrind, and send here the result.
# valgrind nft add rule blackhole chain1 ip saddr @set1 counter accept
3) I note now that I named 'blackhole' the table, while in your
original mail, you named 'blackhole' the set. Please, check that.

Please, give us a bit of more info so we can be more helpful.

Thanks, regards.
-- 
Arturo Borrero González