Bug 94501 - Kernel crash while deleting a nftables "table"
Summary: Kernel crash while deleting a nftables "table"
Status: RESOLVED CODE_FIX
Alias: None
Product: Networking
Classification: Unclassified
Component: Other
Hardware: x86-64 Linux
Importance: P1 high
Assignee: Stephen Hemminger
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-08 12:45 UTC by JP Pozzi
Modified: 2015-03-09 23:46 UTC
CC: 1 user

See Also:
Kernel Version: 4.0.0-rc2
Subsystem:
Regression: No
Bisected commit-id:


Attachments
Table after execution script (1.16 KB, text/plain) - 2015-03-08 12:45 UTC, JP Pozzi
Table after flushing (457 bytes, text/plain) - 2015-03-08 12:46 UTC, JP Pozzi
crash screen image (208.55 KB, image/jpeg) - 2015-03-08 12:46 UTC, JP Pozzi

Description JP Pozzi 2015-03-08 12:45:39 UTC
Created attachment 169681
Table after execution script

Hello,

I am testing "nftables" and get a kernel crash while deleting a table.
The first problem arose when I tried to "flush" a table before executing a script file:
ENTREE.dat:5:1-2: Error: Could not process rule: File exists
table ip NIV_UN {
^^
ENTREE.dat:5:1-2: Error: Could not process rule: File exists
table ip NIV_UN {
^^
The script begins with :
flush table NIV_UN;

table ip NIV_UN {
set PORT_TCP_IN { 
		type inet_service
include "xxxxx.set"
	}
............

If I "manually" flush the table with "nft flush table NIV_UN" all is good and the content of the table is flushed, but it remains in a state where no modification is possible.
The command "nft flush table NIV_UN" works and the result seems OK (cf. FILE 1), but if I try to re-execute the script I get the same error.
If I try to delete the table with "nft delete table NIV_UN" I get a kernel crash which is not visible in the logs; the only way I found to capture it is to take a photo of the screen ...

Files attached: NFTLIST.txt       : right after execution
                NFTLIST_FLUSH.txt : after executing a "flush"
                screen_img.jpg
Comment 1 JP Pozzi 2015-03-08 12:46:04 UTC
Created attachment 169691
Table after flushing
Comment 2 JP Pozzi 2015-03-08 12:46:29 UTC
Created attachment 169701
crash screen image
Comment 3 JP Pozzi 2015-03-08 15:47:51 UTC
Hello,

Tested with 3.19.1, same crash.

Regards
Comment 4 JP Pozzi 2015-03-08 17:05:25 UTC
Hello,

Workaround (but the whole update will not be "atomic"):
To do before the script:
- flush the table
- delete the set with "nft delete set ...."

Regards

PS: same crash with kernel 3.18.9
Comment 5 Pablo Neira Ayuso 2015-03-09 11:27:49 UTC
I think this is similar to:

https://bugzilla.netfilter.org/show_bug.cgi?id=1004

Could you try this fix and confirm?

http://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=02263db00b6cb98701332aa257c07ca549c2324b

This is already traveling to Linus' tree, it should show up there in 4.0-rc4.

I'll pass this patch to -stable (3.18 and 3.19) asap.
Comment 6 JP Pozzi 2015-03-09 20:52:41 UTC
Hello,

I had some problems accessing the Internet from this morning until mid-afternoon ...
I managed to get the patch and recompiled the 4.0.0-rc2 kernel successfully.

The patch is working; I never got the crash again.

One remark with "flush table ..." :

- all chains are always visible (but empty), but you can "recreate" them without problems.
- the sets are not emptied and can't be "recreated"; you will have to "delete" them and create them again.

Regards

JP P
Comment 7 Pablo Neira Ayuso 2015-03-09 21:05:57 UTC
You would probably prefer to use

 flush ruleset

It has been available since 3.18, and it gets rid of everything in the existing configuration.

http://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level
Comment 8 JP Pozzi 2015-03-09 23:46:16 UTC
Hello,

Thanks, but "flush ruleset" could be "too much" if your firewall is built from several different scripts, e.g. one for every kind of table; every script should "flush" without interfering with the others, so updates would be more "atomic".

Regards

JP P
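A per-table reload written as a single "nft -f" file, added here as an example; it is not part of the report, of the patch, or of nftables' own documentation. It folds the workaround from comment 4 (flush, then get rid of the set that "flush table" leaves behind, as noted in comment 6) into one batch, so the reload of this table is atomic and does not touch other tables, which is the concern raised in comment 8. It does so by deleting and recreating the whole table instead of flushing it, which is exactly the "delete table" that crashed the unpatched kernels: it assumes a kernel carrying the fix from comment 5. It also assumes that "nft -f" submits the file as one transaction, so a "delete table" followed by a redefinition of the same table in the same file is accepted, and that a bare "table ip NIV_UN" line is a harmless no-op when the table already exists. The chain name INPUT, the hook and priority, the rules, and the set elements are constructed for the example in place of the report's "include "xxxxx.set"" and its elided rules.

```nft
#!/usr/sbin/nft -f
# Atomic reload of a single table (added example, not from the bug report).
# Assumes: a kernel with the fix from comment 5 (delete table crashed without it),
# and that the whole file is submitted as one batch transaction.

# Create the table if it does not exist yet, so the delete below cannot fail
# on a first run (assumed to be a no-op when the table is already present).
table ip NIV_UN

# Drop the old table with all of its chains, rules and sets in the same batch.
# This replaces "flush table" + "delete set" from the workaround in comment 4,
# because "flush table" leaves the sets populated (comment 6).
delete table ip NIV_UN

# Redefine the table. Other tables on the system are never touched.
table ip NIV_UN {
	set PORT_TCP_IN {
		type inet_service
		# constructed sample elements, in place of include "xxxxx.set"
		elements = { 22, 80, 443 }
	}

	chain INPUT {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
		iif lo accept
		tcp dport @PORT_TCP_IN accept
	}
}
```

Run it with "nft -f NIV_UN.nft" (or execute the file directly thanks to the shebang line); if any statement in the file is rejected, the kernel aborts the whole batch and the previous contents of the table stay in place.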
