bugzilla-daemon at netfilter.org
2018-May-28 14:12 UTC
[Bug 1258] New: ipset save can result in add ... timeout 0 line
https://bugzilla.netfilter.org/show_bug.cgi?id=1258

Bug ID: 1258
Summary: ipset save can result in add ... timeout 0 line
Product: ipset
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: default
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: alexhacker64 at gmail.com

The ipset save command can result in an "add ... timeout 0" line if the entry is about to expire, which will keep the entry in the table permanently upon reload.

How to reproduce: add an entry to a set with a timeout and run ipset save each second; when the entry is about to expire there is a 1 second window in which ipset save will produce a "timeout 0" entry.

ipset v6.29, protocol version: 6

While the probability of firing ipset save for some reason at the exact second when the entry is about to expire is small, it may happen if the amount of entries in the table is large upon reboot save, and may slowly but inevitably pollute the table with set timeout. Another possibility is if the ipset save timing is somehow aligned / predicted by an attacker so that a temporary entry in the table becomes permanent.

Because of the small impact and probability of possible problems I think this is a minor bug; however, it should be absolutely trivial to fix. The best possible solution is to add a "timeout 1" entry instead for such items, or to not add them to the ipset save output at all.

--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180528/de698a30/attachment.html>
bugzilla-daemon at netfilter.org
2018-Jun-01 11:56 UTC
[Bug 1258] ipset save can result in add ... timeout 0 line
https://bugzilla.netfilter.org/show_bug.cgi?id=1258

Jozsef Kadlecsik <kadlec at netfilter.org> changed:

What        |Removed  |Added
-------------------------------------------------
CC          |         |kadlec at netfilter.org
Status      |NEW      |RESOLVED
Resolution  |---      |FIXED

--- Comment #1 from Jozsef Kadlecsik <kadlec at netfilter.org> ---
Yes, it's a valid concern and I fixed it with the proposed solution: the timing out entries are listed with a "timeout 1" value.

Thanks,
Jozsef
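For hosts still running an ipset older than the fix above, a dump can be checked before `ipset restore` for the exact pattern the report describes: an `add` line in a timeout-enabled set that carries `timeout 0`, which would make the element permanent. The following sanitizer is an added example, not code from ipset or from the bug thread; it applies the same "timeout 1" rewrite Jozsef chose and works on a constructed `ipset save` sample.

```python
import re

# Constructed sample of `ipset save` output: one set created with a default
# timeout, one without. The "timeout 0" elements are the pattern from the bug
# report, an entry dumped within a second of its expiry.
SAMPLE_SAVE = """\
create tmpblock hash:ip family inet hashsize 1024 maxelem 65536 timeout 600
add tmpblock 192.0.2.10 timeout 437
add tmpblock 192.0.2.11 timeout 0
add tmpblock 192.0.2.12 timeout 0 comment "constructed"
create permblock hash:net family inet hashsize 1024 maxelem 65536
add permblock 198.51.100.0/24
"""

# Match "timeout 0" as a whole field, not the prefix of "timeout 0..." values.
_TIMEOUT0 = re.compile(r"\btimeout 0(?=\s|$)")


def sanitize_ipset_save(text):
    """Rewrite 'timeout 0' elements of timeout-enabled sets to 'timeout 1'.

    Returns (fixed_text, fixed_lines): the sanitized dump and the list of
    original 'add' lines that were changed. Sets created without a timeout
    are left alone, since their elements carry no timeout field at all and
    are legitimately permanent.
    """
    timeout_sets = set()
    out, fixed = [], []
    for line in text.splitlines():
        words = line.split()
        # "create <name> <type> ... timeout <secs>" marks a timeout-enabled set.
        if len(words) >= 2 and words[0] == "create" and "timeout" in words[2:]:
            timeout_sets.add(words[1])
        elif (len(words) >= 2 and words[0] == "add"
              and words[1] in timeout_sets and _TIMEOUT0.search(line)):
            fixed.append(line)
            # Mirror the upstream fix: list the expiring entry with timeout 1,
            # so it expires shortly after restore instead of living forever.
            line = _TIMEOUT0.sub("timeout 1", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n", fixed


if __name__ == "__main__":
    fixed_text, changed = sanitize_ipset_save(SAMPLE_SAVE)
    for old in changed:
        print("rewrote:", old)
    print(fixed_text, end="")
```

Feeding the sanitized text to `ipset restore` instead of the raw dump keeps a briefly-expiring element from becoming permanent; the list of changed lines doubles as an audit record of how often the race actually hit.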