[OpenWrt-Devel] nftables: named counters broken on 18.06.4

Vincent Wiemann vincent.wiemann at ironai.com
Wed Sep 11 12:51:03 EDT 2019



On 11.09.19 16:25, Salvatore Mesoraca wrote:
> On Tue, 10 Sep 2019 at 16:20, Salvatore Mesoraca <salvatore at samknows.com> wrote:
>>
>> Hi,
>>
>> I'm experiencing a problem with nftables' named counters with OpenWrt 18.06.4 on a NetGear R7800.
>> This is an example of what I get:
>>
>> # uname -a
>> Linux OpenWrt 4.14.131 #0 SMP Thu Jun 27 12:18:52 2019 armv7l GNU/Linux
>> # nft flush ruleset
>> # nft add table inet filter
>> # nft add counter inet filter mycounter
>> # nft add chain inet filter output { type filter hook output priority 0 \; }
>> # nft add rule inet filter output counter name mycounter
>> Error: Could not process rule: No such file or directory
>> add rule inet filter output counter name mycounter
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> # nft list ruleset
>> table inet filter {
>>         counter mycounter {
>>                 packets 0 bytes 0
>>         }
>>
>>         chain output {
>>                 type filter hook output priority 0; policy accept;
>>         }
>> }
>>
>> Running the failing command using strace I can tell that the ENOENT error is received from the kernel via Netlink.
>> It's similar to what I get if I try to reference a non-existent counter, but "mycounter" exists.
>> If I remove "name mycounter" from the command line, it works. Of course it creates an anonymous counter.
>> The message sent via Netlink looks correct, so I think that the problem resides in kernel.
>>
>>
>> On a PC with 4.15 the same command sequence works flawlessly:
>>
>> # nft flush ruleset
>> # nft add table inet filter
>> # nft add counter inet filter mycounter
>> # nft add chain inet filter output { type filter hook output priority 0 \; }
>> # nft add rule inet filter output counter name mycounter
>> # nft list ruleset
>> table inet filter {
>>         counter mycounter {
>>                 packets 0 bytes 0
>>         }
>>
>>         chain output {
>>                 type filter hook output priority 0; policy accept;
>>                 counter name "mycounter"
>>         }
>> }
>>
>> Any ideas?
> 
> Solved.
> For future reference:
> The kernel was missing CONFIG_NFT_OBJREF, without this option you can
> create named counters, but you can't actually use them.


This sounds like a bug/unexpected behavior. It should not be possible to create named references without the kernel supporting
it, or at least it should give a clear error message.
It would be nice if you could report this to the netfilter mailing list.

Best,

Vincent
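For anyone hitting the same symptom, the sequence from the report can be turned into a quick diagnostic. The script below is an added example, not code from the thread or from OpenWrt: it first classifies the running kernel's CONFIG_NFT_OBJREF setting (assuming the kernel exposes /proc/config.gz, i.e. CONFIG_IKCONFIG_PROC) and then repeats Salvatore's create-counter/reference-counter steps in a throwaway table with a regular (non-hooked) chain, so no traffic is touched. The table name objref_probe_<pid> and the counter name probe_ctr are arbitrary choices made here.

```shell
#!/bin/sh
# Added example (not from the thread): check whether this kernel can actually
# *use* nftables named objects (counters, quotas, ...). Per the thread, a
# kernel without CONFIG_NFT_OBJREF lets `nft add counter` succeed but rejects
# any rule that references the counter with ENOENT.

# Classify a kernel config text (e.g. the output of `zcat /proc/config.gz`)
# by its CONFIG_NFT_OBJREF line. Prints one of: builtin | module | missing.
objref_config_status() {
    # $1: kernel config contents
    if printf '%s\n' "$1" | grep -q '^CONFIG_NFT_OBJREF=y$'; then
        echo builtin
    elif printf '%s\n' "$1" | grep -q '^CONFIG_NFT_OBJREF=m$'; then
        echo module
    else
        echo missing
    fi
}

# Functional probe using the exact steps from the report, in a throwaway
# table. Uses a regular chain (no hook), so nothing is attached to traffic.
# Returns 0 = named counters usable, 1 = broken (counter exists but a rule
# cannot reference it, the 18.06.4 symptom), 2 = could not test (no nft
# binary, or not enough privilege to create a table).
probe_named_counter() {
    tbl="objref_probe_$$"          # assumed throwaway table name
    command -v nft >/dev/null 2>&1 || return 2
    nft add table inet "$tbl" >/dev/null 2>&1 || return 2
    rc=1
    nft add counter inet "$tbl" probe_ctr >/dev/null 2>&1 &&
        nft add chain inet "$tbl" probe_chain >/dev/null 2>&1 &&
        nft add rule inet "$tbl" probe_chain counter name probe_ctr >/dev/null 2>&1 &&
        rc=0
    # Always clean up the throwaway table, whatever happened above.
    nft delete table inet "$tbl" >/dev/null 2>&1
    return $rc
}

main() {
    if [ -r /proc/config.gz ]; then
        echo "CONFIG_NFT_OBJREF in running kernel: $(objref_config_status "$(zcat /proc/config.gz)")"
    else
        echo "CONFIG_NFT_OBJREF in running kernel: unknown (/proc/config.gz not available)"
    fi
    if probe_named_counter; then
        echo "named counters: usable"
    elif [ $? -eq 1 ]; then
        echo "named counters: BROKEN (counter created, but a rule cannot reference it; kernel likely lacks CONFIG_NFT_OBJREF)"
    else
        echo "named counters: not tested (needs root and the nft binary)"
    fi
}

main "$@"
```

Run it as root on the router; on a kernel with the option missing, the first line reports "missing" and the probe reports BROKEN, which is the combination the thread describes. A "module" result only means the option is built; the probe still tells you whether the module actually loaded.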
