bugzilla-daemon at netfilter.org
2024-Jan-29 15:53 UTC
[Bug 1733] New: prefix len in a set of ips is wrong in a rule
https://bugzilla.netfilter.org/show_bug.cgi?id=1733

            Bug ID: 1733
           Summary: prefix len in a set of ips is wrong in a rule
           Product: nftables
           Version: 0.9.x
          Hardware: x86_64
                OS: RedHat Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: herecomeswaynebao0811 at gmail.com

Hey there,

I found this bug when I am using https://github.com/ansibleguy/python3-nftables on a Red Hat 8. The kernel version is "Linux 4.18.0-372.9.1.el8.x86_64 x86_64", the nft version is "nftables v0.9.3 (Topsy)".

Basically, when I use a set of IPs with prefix len to create a rule, some IPs show a different prefix vs. my input when I "list chain ip filter test_chain".

More details:

Bug itself:

This is the set of IPs I want to set as daddr:

{'set': [{'prefix': {'addr': '172.17.0.0', 'len': 19}},
         {'prefix': {'addr': '10.42.0.0', 'len': 16}},
         {'prefix': {'addr': '100.100.127.0', 'len': 24}},
         {'prefix': {'addr': '10.98.112.0', 'len': 20}},
         {'prefix': {'addr': '100.70.64.0', 'len': 18}},
         {'prefix': {'addr': '10.74.0.0', 'len': 17}},
         {'prefix': {'addr': '100.100.125.0', 'len': 24}},
         {'prefix': {'addr': '10.218.0.0', 'len': 16}},
         {'prefix': {'addr': '10.74.0.0', 'len': 16}},
         {'prefix': {'addr': '10.178.0.0', 'len': 16}},
         {'prefix': {'addr': '10.122.0.0', 'len': 16}},
         {'prefix': {'addr': '100.70.0.0', 'len': 18}},
         {'prefix': {'addr': '10.98.8.0', 'len': 22}},
         {'prefix': {'addr': '10.66.0.0', 'len': 16}},
         {'prefix': {'addr': '10.98.112.0', 'len': 21}},
         {'prefix': {'addr': '10.34.0.0', 'len': 16}},
         {'prefix': {'addr': '10.210.0.0', 'len': 16}},
         {'prefix': {'addr': '100.127.0.0', 'len': 16}},
         {'prefix': {'addr': '100.71.0.0', 'len': 18}},
         {'prefix': {'addr': '100.125.0.0', 'len': 16}},
         {'prefix': {'addr': '100.71.64.0', 'len': 18}},
         {'prefix': {'addr': '10.35.0.0', 'len': 16}}]}

After I use it to create a rule and then list the chain, for these 3 IPs the output shows:

{"prefix": {"addr": "10.34.0.0", "len": 15}} instead of len 16 as in input;
{"prefix": {"addr": "100.70.0.0", "len": 17}} instead of len 18 as in input;
{"prefix": {"addr": "100.71.0.0", "len": 17}} instead of len 18 as in input.

Looks like it happens when the trailing bit is 0.

One test to figure out what triggers the bug:

So I tried another set of input

{ "set": [
    {"prefix": {"addr": "10.42.0.0", "len": 16}},
    {"prefix": {"addr": "100.70.0.0", "len": 18}},
    {"prefix": {"addr": "10.34.0.0", "len": 16}},
] },

this time the len of all IPs is correct in the output. So I don't actually know under what condition which IPs could have the wrong len in the output.

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2024-Jan-31 13:33 UTC
[Bug 1733] prefix len in a set of ips is wrong in a rule
https://bugzilla.netfilter.org/show_bug.cgi?id=1733

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |phil at nwl.cc
         Resolution|---                         |INVALID

--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
You're adding elements 100.71.0.0/18 and 100.71.64.0/18. Those add up to 100.71.0.0/17, nft simply merged the two elements. It's a feature, not a bug! :)
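
The merge described in comment #1 can be reproduced offline from the reporter's two sets. This is an added example, not part of the bug thread and not nft's code: it uses Python's `ipaddress.collapse_addresses` as a stand-in for nft's merging of adjacent elements, and the function names are made up here.

```python
import ipaddress

# The 22 daddr prefixes from the reporter's first set, written as addr/len.
REPORTED = """172.17.0.0/19 10.42.0.0/16 100.100.127.0/24 10.98.112.0/20
100.70.64.0/18 10.74.0.0/17 100.100.125.0/24 10.218.0.0/16 10.74.0.0/16
10.178.0.0/16 10.122.0.0/16 100.70.0.0/18 10.98.8.0/22 10.66.0.0/16
10.98.112.0/21 10.34.0.0/16 10.210.0.0/16 100.127.0.0/16 100.71.0.0/18
100.125.0.0/16 100.71.64.0/18 10.35.0.0/16""".split()
# The reporter's second, three-element test set.
SECOND = ["10.42.0.0/16", "100.70.0.0/18", "10.34.0.0/16"]


def canonical(prefixes):
    """Minimal sorted CIDR cover of the given prefixes."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes))


def merged_prefixes(prefixes):
    """Map each output prefix that was not in the input to the inputs it absorbed."""
    given = {ipaddress.ip_network(p) for p in prefixes}
    return {
        str(m): sorted(str(n) for n in given if n.subnet_of(m))
        for m in canonical(prefixes) if m not in given
    }


def same_coverage(intended, listed):
    """True when both prefix lists match exactly the same addresses."""
    return canonical(intended) == canonical(listed)


if __name__ == "__main__":
    # Shows which sibling prefixes combine into each shorter prefix.
    for merged, parts in merged_prefixes(REPORTED).items():
        print(f"{merged} <- {' + '.join(parts)}")
    # The second set has no adjacent siblings, so nothing changes length.
    print("second set merges:", merged_prefixes(SECOND))
```

`same_coverage` compares an intended prefix list with a listed one, so a shorter prefix in the listing can be confirmed as a merge of siblings rather than a wider match.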