On 11/23/18 1:08 PM, Eike Lohmann wrote:
>
> Hi Arturo,
>
> thanks for your quick reply.
>
> Like described in my example, there is no reference to C_TestChain.
>
I reproduced your steps, and I had multiple issues because your steps
try to delete stuff with external references.
If you don't give me any other information, this is a fail in your
ruleset/workflow a not a bug in nftables.
arturo@endurance:~ $ cat t.nft
#!/usr/sbin/nft -f
# Skeleton for nftables
flush ruleset
table ip filter {
chain FORWARD {
type filter hook forward priority 0;
}
}
arturo@endurance:~ $ cat t2.nft
add chain filter vpn_master
add map filter J_TestMap { type ipv4_addr : verdict ; flags interval ; }
add rule filter vpn_master ip saddr vmap @J_TestMap
add chain filter C_TestChain
add set filter M_TestMasterSet {type ipv4_addr ; flags interval ;
elements={ 172.21.138.0/29 } ;}
add set filter S_TestSlaveSet {type ipv4_addr ; flags interval ;
elements={ 172.21.138.8/29, 172.21.138.16/28, 172.21.138.32/29 } ;}
add element filter J_TestMap { 172.21.138.0/29 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.8/29 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.16/28 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.32/29 : jump C_TestChain }
add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr
@M_TestMasterSet accept
add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr
@S_TestSlaveSet accept
add rule filter C_TestChain ip saddr @S_TestSlaveSet ip daddr
@M_TestMasterSet accept
arturo@endurance:~ $ cat t3.nft
flush set filter M_TestMasterSet
flush set filter S_TestSlaveSet
flush map filter J_TestMap
flush chain filter C_TestChain
delete set filter M_TestMasterSet
delete set filter S_TestSlaveSet
arturo@endurance:~ $ sudo nft -f t.nft
arturo@endurance:~ $ sudo nft -f t2.nft
arturo@endurance:~ $ sudo nft -f t3.nft
t3.nft:6:1-34: Error: Could not process rule: Device or resource busy
delete set filter M_TestMasterSet
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
t3.nft:7:1-33: Error: Could not process rule: Device or resource busy
delete set filter S_TestSlaveSet
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
arturo@endurance:~ 1 $ sudo nft list ruleset
table ip filter {
map J_TestMap {
type ipv4_addr : verdict
flags interval
elements = { 172.21.138.0/29 : jump C_TestChain,
172.21.138.8/29 :
jump C_TestChain,
172.21.138.16/28 : jump C_TestChain,
172.21.138.32/29 : jump
C_TestChain }
}
set M_TestMasterSet {
type ipv4_addr
flags interval
elements = { 172.21.138.0/29 }
}
set S_TestSlaveSet {
type ipv4_addr
flags interval
elements = { 172.21.138.8/29, 172.21.138.16/28,
172.21.138.32/29 }
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
}
chain vpn_master {
ip saddr vmap @J_TestMap
}
chain C_TestChain {
ip saddr @M_TestMasterSet ip daddr @M_TestMasterSet accept
ip saddr @M_TestMasterSet ip daddr @S_TestSlaveSet accept
ip saddr @S_TestSlaveSet ip daddr @M_TestMasterSet accept
}
}
