netfilter buglog - Apr 2017 - [Bug 1144] New: set add always returns false or otherwise ends evaluation

https://bugzilla.netfilter.org/show_bug.cgi?id=1144

            Bug ID: 1144
           Summary: set add always returns false or otherwise ends
                    evaluation
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: kernel
          Assignee: pablo at netfilter.org
          Reporter: rwhite at pobox.com

In the following example the counters should both equal at least 2 but the one
predicated on the add is zero.

ASIDE: In my humble opinion the target2 set should be empty, as update
shouldn't add elements, only update them if they are present; but the
notation
in the wiki regarding the only difference between add and update being the
treatment of the timeouts implies that the set update is working correctly or
otherwise always returns true.


table ip example {
    set target1 {
        type ipv4_addr
        flags timeout
        elements = { 8.8.8.8 expires 23h59m53s, 192.168.100.1 expires
23h59m52s}
    }

    set target2 {
        type ipv4_addr
        flags timeout
        elements = { 192.168.100.1 expires 23h59m59s, 8.8.8.8 expires
23h59m53s}
    }

    chain output {
        type filter hook output priority 0; policy accept;
        ct state new counter packets 95 bytes 5702
        ct state new set add ip daddr timeout 1d @target1 counter packets 0
bytes 0
        ct state new set update ip daddr timeout 1d @target2 counter packets 95
bytes 5702
    }
}

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170407/3fa1003f/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1144

Liping Zhang <zlpnobody at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zlpnobody at gmail.com

--- Comment #1 from Liping Zhang <zlpnobody at gmail.com> ---
(In reply to Robert White from comment #0)
> In the following example the counters should both equal at least 2 but the
> one predicated on the add is zero.
Can you try this patch?

diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 049ad2d..4ce82f8 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -93,7 +93,7 @@ static void nft_dynset_eval(const struct nft_expr *expr,
                return;
        }
 out:
-       if (!priv->invert)
+       if (priv->invert)
                regs->verdict.code = NFT_BREAK;
 }

> ASIDE: In my humble opinion the target2 set should be empty, as update
> shouldn't add elements, only update them if they are present; but the
> notation in the wiki regarding the only difference between add and update
> being the treatment of the timeouts implies that the set update is working
> correctly or otherwise always returns true.
Actually, "add" and "update" will both add new elements. The
biggest difference
between them is that "update" will refresh the timeout of the element,
but
"add" will not.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170415/57daa2a9/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1144

Liping Zhang <zlpnobody at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Liping Zhang <zlpnobody at gmail.com> ---
Hi Robert,

I think the real problem is that "set add"'s counter will not be
updated, i.e.
"ct state new set add ip daddr timeout 1d @target1 counter packets 0 bytes
0",and this had been fixed by:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.12-rc1&id=277a292835c196894ef895d5e1fd6170bb916f55

Thanks for your reporting.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170521/e2ee1046/attachment.html>