nft -o (optimizing ruleset) fails with error: "internal:0:0-0: Error: Could not process rule: File exists"
Open, WishlistPublicBUG
Actions

Assigned To

None

Authored By

	Apachez
	Jul 29 2023, 9:44 PM

Description

Elements (and other objects) should be one per line instead of multiple objects in a large line according to:

https://www.spinics.net/lists/netfilter/msg61029.html

I recommend you split that superlong line in your 2_fill_set.nft and
3_fill_set.nft files, for example:

# cat ruleset.nft
table netdev filter {
        set mySet {
                typeof ip saddr
                flags interval
                elements={
                        1.2.3.1/32,
                        1.2.6.3/32,
                        1.2.8.12/32,
                        ...
                }
        }
}

instead of:

# cat ruleset.nft
table netdev filter {
        set mySet {
                typeof ip saddr
                flags interval
                elements={1.2.3.1/32,1.2.6.3/32,1.2.8.12/32,...
                }
        }
}

This way errors such as:

internal:0:0-0: Error: Could not process rule: File exists

would get a better error message of whats actually being wrong.

In this particular case a user with a large ruleset due to use of GeoIP fails to optimize its ruleset with "-o" option as in:

https://forum.vyos.io/t/geoip-optimise-address-ranges/11677

Ref: http://git.netfilter.org/nftables/commit/?id=5e39a34b196d68b803911aa13066fef2f83dc98c

Details

Version: VyOS 1.4-rolling-202307250317
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Apachez created this task.Jul 29 2023, 9:44 PM

This particular case was resolved by adding:

flush ruleset

to beginning of the ruleset.txt one want to optimize.

By cmdline this can be done with:

sudo sed -i '1s/^/flush ruleset\n\n/' /config/ruleset.txt

On the other hand having a proper syntax for ports and IP-addressers can still be a good thing for the future.

Look at how "map ct_iface_map" seems to be created:

map ct_iface_map {                          
         typeof iifname : ct zone 
         elements = { "eth0" : 100,
                      "eth1" : 101,
                      "eth2" : 101,
                      "eth3" : 101,
                      "MGMT" : 100,                           
                      "INTERNET" : 101 }
 }

pasik subscribed.Jul 30 2023, 7:45 AM

Viacheslav triaged this task as Wishlist priority.Aug 1 2023, 8:28 AM

Viacheslav changed the subtype of this task from "Bug" to "Feature Request".

There is a bugzilla opened for this issue: https://bugzilla.netfilter.org/show_bug.cgi?id=1697

It turns out that nft optimizer (nft -o) will produce errors such as:

# internal:0:0-0: Error: Could not process rule: File exists

The above turned out to be due to that chains looked like this:

chain VZONE_wg8 {
	iifname "wg8" counter return
	iifname "eth1" counter jump NAME_lan-wg8
	iifname "eth1" counter return
	iifname "eth3" counter jump NAME_mullvadgb-wg8
	iifname "eth3" counter return
	iifname "eth2" counter jump NAME_mullvadus-wg8
	iifname "eth2" counter return
	iifname "eth0" counter jump NAME_wan-wg8
	iifname "eth0" counter return
	iifname "wg0" counter jump NAME_wg0-wg8
	iifname "wg0" counter return
	iifname "wg1" counter jump NAME_wg1-wg8
	iifname "wg1" counter return
	iifname "wg7" counter jump NAME_wg7-wg8
	iifname "wg7" counter return
	counter drop comment "zone_wg8 default-action drop"
}

where the workaround was to adjust the "counter return" into just "return" like so (however the first "counter return" was accepted by the nft optimizer?):

chain VZONE_wg8 {
	iifname "wg8" counter return
	iifname "eth1" counter jump NAME_lan-wg8
	iifname "eth1" return
	iifname "eth3" counter jump NAME_mullvadgb-wg8
	iifname "eth3" return
	iifname "eth2" counter jump NAME_mullvadus-wg8
	iifname "eth2" return
	iifname "eth0" counter jump NAME_wan-wg8
	iifname "eth0" return
	iifname "wg0" counter jump NAME_wg0-wg8
	iifname "wg0" return
	iifname "wg1" counter jump NAME_wg1-wg8
	iifname "wg1" return
	iifname "wg7" counter jump NAME_wg7-wg8
	iifname "wg7" return
	counter drop comment "zone_wg8 default-action drop"
}

With above workaround nft optimizer (nft -o) accepted the backup-file (it already had "flush ruleset" added to the first line):

# nft -c -o -f /path/backup.nft

There is currently one comment from 2023-07-31:

One of the bugs in this ruleset is fixed here:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230731112424.69600-1-pablo@netfilter.org/

This patches fixes the strange BUG displayed in 
https://forum.vyos.io/t/geoip-optimise-address-ranges/11677
as:

BUG: invalid input descriptor type 151665524
nft: erec.c:161: erec_print: Assertion `0' failed.
Aborted

It is also suggested by mailthread that "goto" could be used instead of "jump" in this case. I guess this will be included in the ongoing firewall refactoring?

syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.May 7 2024, 8:02 AM

dmbaturin added a project: Bugs.Sep 15 2024, 5:04 PM

syncer edited projects, added VyOS Rolling; removed VyOS 1.4 Sagitta (1.4.0-GA).Oct 30 2024, 5:56 PM

syncer moved this task from Need Triage to Backlog - Bug on the VyOS Rolling board.

syncer changed the subtype of this task from "Feature Request" to "Bug".

syncer added a subscriber: Global Notifications.Nov 1 2024, 9:19 PM

nft -o (optimizing ruleset) fails with error: "internal:0:0-0: Error: Could not process rule: File exists" Open, WishlistPublicBUGActions

Description

Details

Event Timeline

nft -o (optimizing ruleset) fails with error: "internal:0:0-0: Error: Could not process rule: File exists"
Open, WishlistPublicBUG
Actions