netfilter buglog - Oct 2023 - [Bug 1717] New: Listing a set may or may not show the size of a set

https://bugzilla.netfilter.org/show_bug.cgi?id=1717

            Bug ID: 1717
           Summary: Listing a set may or may not show the size of a set
           Product: nftables
           Version: 1.0.x
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: kfm at plushkava.net

Both of the following examples concern the exact same loaded ruleset.

Here is an example of listing a set where the size is not shown.

# nft -t list set netdev filter block_bogons | awk '$1 == "size" {
print $1, $2
}'

Here is an example of listing a different set, where the size is shown.

# nft -t list set netdev filter dropped | awk '$1 == "size" {
print $1, $2 }'
size 65535

Neither set was defined with an explicit size, which begets the question: why
does nft decide to report the size for one set and yet not the other? I think
that it should behave consistently, perhaps by always including the size.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231025/77086a08/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1717

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1461

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231025/a8c14421/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1717

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.netfilter.
                   |                            |org/show_bug.cgi?id=1718

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231025/9006c8f7/attachment-0001.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1717

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |minor

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231025/47cfff3d/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1717

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Currently, size is set to 65535 if the set is dynamic AND it is used by the
ruleset.

I have a kernel patch here that I plan to test and then submit:

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 29c651804cb2..49c068d9b209 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4998,6 +4998,9 @@ static int nf_tables_newset(struct sk_buff *skb, const
struct nfnl_info *info,
                return -EINVAL;
        }

+       if (flags & NFT_SET_EVAL && !desc.size)
+               desc.size = 0xffff;
+
        if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
                desc.expr = true;

This sets on the cap earlier, by the time the dynamic set is created.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231025/9eca4c51/attachment-0001.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1717

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---


*** This bug has been marked as a duplicate of bug 1718 ***

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231127/1408b7a2/attachment.html>