Page MenuHomePhabricator
Create Task
Maniphest T346432

cloudgw: syntax error in nftables config if using sets with intervals and some element overlaps an interval
Closed, ResolvedPublic
Actions

Description

I detected this error:

aborrero@cloudgw1001:~ $ sudo nft -f /etc/nftables/main.nft
In file included from /etc/nftables/main.nft:9:1-36:
/etc/nftables/001_cloudgw_puppet.nft:30:21-33: Error: conflicting intervals specified
                    185.15.56.161 ,
                    ^^^^^^^^^^^^^~
In file included from /etc/nftables/main.nft:9:1-36:
/etc/nftables/001_cloudgw_puppet.nft:9:9-20: Error: Could not process rule: File exists
    set dmz_cidr_set {
        ^^^^^^^^^^^^

This is because the set contains both 185.15.56.161 and 185.15.56.0/24, and they overlap.

Details

SubjectRepoBranchLines +/-
Add auto-merge to nftables sets where neededoperations/puppetproduction+3 -0
cloudgw: enable set auto-mergeoperations/puppetproduction+4 -0
Customize query in gerrit

Event Timeline

aborrero created this task.Sep 15 2023, 10:30 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 15 2023, 10:30 AM
aborrero changed the task status from Open to In Progress.Sep 15 2023, 10:30 AM
aborrero triaged this task as High priority.
aborrero moved this task from Backlog to Doing on the User-aborrero board.
Stashbot added a comment.Sep 15 2023, 10:32 AM

Mentioned in SAL (#wikimedia-cloud) [2023-09-15T10:32:57Z] <arturo> faiolver cloudgw1001 into cloudgw1002, investigating a nftables syntax error (T346432)

gerritbot added a comment.Sep 15 2023, 10:38 AM

Change 957895 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/puppet@production] cloudgw: enable set auto-merge

https://gerrit.wikimedia.org/r/957895

gerritbot added a project: Patch-For-Review.Sep 15 2023, 10:38 AM
aborrero added a comment.Sep 15 2023, 10:52 AM

More information: https://wiki.nftables.org/wiki-nftables/index.php/Sets#Named_sets_specifications and https://manpages.debian.org/testing/nftables/nft.8.en.html#SETS

gerritbot added a comment.Sep 15 2023, 11:06 AM

Change 957901 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add auto-merge to nftables sets where needed

https://gerrit.wikimedia.org/r/957901

gerritbot added a comment.Sep 15 2023, 11:08 AM

Change 957895 merged by Arturo Borrero Gonzalez:

[operations/puppet@production] cloudgw: enable set auto-merge

https://gerrit.wikimedia.org/r/957895

aborrero closed this task as Resolved.Sep 15 2023, 11:26 AM
aborrero claimed this task.
gerritbot added a comment.Sep 15 2023, 11:57 AM

Change 957901 merged by Muehlenhoff:

[operations/puppet@production] Add auto-merge to nftables sets where needed

https://gerrit.wikimedia.org/r/957901

Maintenance_bot removed a project: Patch-For-Review.Sep 15 2023, 12:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL