bugzilla-daemon at netfilter.org
2017-Apr-07 11:02 UTC
[Bug 1144] New: set add always returns false or otherwise ends evaluation
https://bugzilla.netfilter.org/show_bug.cgi?id=1144

    Bug ID: 1144
    Summary: set add always returns false or otherwise ends evaluation
    Product: nftables
    Version: unspecified
    Hardware: x86_64
    OS: All
    Status: NEW
    Severity: normal
    Priority: P5
    Component: kernel
    Assignee: pablo at netfilter.org
    Reporter: rwhite at pobox.com

In the following example the counters should both equal at least 2 but the
one predicated on the add is zero.

ASIDE: In my humble opinion the target2 set should be empty, as update
shouldn't add elements, only update them if they are present; but the
notation in the wiki regarding the only difference between add and update
being the treatment of the timeouts implies that the set update is working
correctly or otherwise always returns true.

table ip example {
        set target1 {
                type ipv4_addr
                flags timeout
                elements = { 8.8.8.8 expires 23h59m53s, 192.168.100.1 expires 23h59m52s}
        }

        set target2 {
                type ipv4_addr
                flags timeout
                elements = { 192.168.100.1 expires 23h59m59s, 8.8.8.8 expires 23h59m53s}
        }

        chain output {
                type filter hook output priority 0; policy accept;
                ct state new counter packets 95 bytes 5702
                ct state new set add ip daddr timeout 1d @target1 counter packets 0 bytes 0
                ct state new set update ip daddr timeout 1d @target2 counter packets 95 bytes 5702
        }
}

--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-Apr-15 14:09 UTC
[Bug 1144] set add always returns false or otherwise ends evaluation
https://bugzilla.netfilter.org/show_bug.cgi?id=1144

Liping Zhang <zlpnobody at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zlpnobody at gmail.com

--- Comment #1 from Liping Zhang <zlpnobody at gmail.com> ---
(In reply to Robert White from comment #0)
> In the following example the counters should both equal at least 2 but the
> one predicated on the add is zero.

Can you try this patch?

diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c index 049ad2d..4ce82f8 100644 --- a/net/netfilter/nft_dynset.c +++ b/net/netfilter/nft_dynset.c @@ -93,7 +93,7 @@ static void nft_dynset_eval(const struct nft_expr *expr, return; } out: - if (!priv->invert) + if (priv->invert) regs->verdict.code = NFT_BREAK; }

> ASIDE: In my humble opinion the target2 set should be empty, as update
> shouldn't add elements, only update them if they are present; but the
> notation in the wiki regarding the only difference between add and update
> being the treatment of the timeouts implies that the set update is working
> correctly or otherwise always returns true.

Actually, "add" and "update" will both add new elements. The biggest
difference between them is that "update" will refresh the timeout of the
element, but "add" will not.
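Review bot: At the `out:` label the test flips from `if (!priv->invert)` to `if (priv->invert)`, which swaps the verdict for inverted and non-inverted expressions in a single step, and nothing in the hunk says which paths reach `out:` or why NFT_BREAK should now depend on `invert` being set. A short comment above the test stating the intended verdict for each polarity, together with a commit description and a test rule for both the plain and the inverted form, would make the change reviewable. The patch is posted only as something to try; comment #2 in this thread later attributes the fix to commit 277a292835c196894ef895d5e1fd6170bb916f55.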
bugzilla-daemon at netfilter.org
2017-May-21 06:06 UTC
[Bug 1144] set add always returns false or otherwise ends evaluation
https://bugzilla.netfilter.org/show_bug.cgi?id=1144

Liping Zhang <zlpnobody at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Liping Zhang <zlpnobody at gmail.com> ---
Hi Robert,

I think the real problem is that "set add"'s counter will not be updated, i.e.
"ct state new set add ip daddr timeout 1d @target1 counter packets 0 bytes 0",
and this had been fixed by:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.12-rc1&id=277a292835c196894ef895d5e1fd6170bb916f55

Thanks for your reporting.