bugzilla-daemon at netfilter.org
2020-Aug-13 16:01 UTC
[Bug 1449] New: nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449

            Bug ID: 1449
           Summary: nft ipv4 set with interval issue
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: other
            Status: NEW
          Severity: blocker
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: netfilter at d9c.eu

Tested with git HEAD as of August 13th:

pacman -Q | grep nft
libnftnl-git 1.1.7.r4.g58e7e9c-1
nftables-git 0.9.6.r42.g0864c2d4-1

on

uname -a
Linux iArchEFI 5.7.12-arch1-1 #1 SMP PREEMPT Fri, 31 Jul 2020 17:38:22 +0000 x86_64 GNU/Linux

Consider the following series of commands:

flush ruleset
add table ip filter
add set ip filter myset { type ipv4_addr ; flags interval ;}
add element ip filter myset { 61.37.150.6/32, 114.237.203.25/32, 82.113.66.69/32,
                              36.89.143.21/32, 58.57.4.238/32, 117.69.147.239/32,
                              103.221.253.242/32, 49.88.218.208/32, 88.203.202.102/32,
                              175.106.18.201/32, 201.140.110.78/32, 178.21.206.74/32,
                              202.137.155.47/32, 103.151.122.57/32, 158.140.137.39/32,
                              78.128.113.116/32, 109.162.241.35/32, 49.88.119.119/32,
                              202.79.46.153/32, 186.10.0.116/32, 45.143.223.106/32,
                              61.14.228.134/32, 103.3.225.114/32 }
delete element ip filter myset { 175.106.18.201/32 }
delete element ip filter myset { 103.221.253.242/32, 117.69.147.239/32 }
list ruleset
add element ip filter myset { 117.212.174.157/32 }
add element ip filter myset { 118.163.135.18/32 }

When pasting them into nft -i, the following error happens:

# nft> flush ruleset
# ...
# nft> list ruleset
# table ip filter {
#         set myset {
#                 type ipv4_addr
#                 flags interval
#                 elements = { 36.89.143.21, 45.143.223.106,
#                              49.88.119.119, 49.88.218.208,
#                              58.57.4.238, 61.14.228.134,
#                              61.37.150.6, 78.128.113.116,
#                              82.113.66.69, 88.203.202.102,
#                              103.3.225.114, 103.151.122.57,
#                              109.162.241.35, 114.237.203.25,
#                              158.140.137.39, 178.21.206.74,
#                              186.10.0.116, 201.140.110.78,
#                              202.79.46.153, 202.137.155.47 }
#         }
# }
# nft> add element ip filter myset { 117.212.174.157/32 }
# Error: Could not process rule: File exists
# add element ip filter myset { 117.212.174.157/32 }
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft> add element ip filter myset { 118.163.135.18/32 }
# Error: Could not process rule: File exists
# add element ip filter myset { 118.163.135.18/32 }
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

What is happening here? Clearly, there is no interval larger than /32 in this set and none of the IPs start with 117 or 118.

If this series of commands is executed all together via nft -f, then everything looks to work as expected:

$ nft -f nftall.nft
$ nft list ruleset
table ip filter {
        set myset {
                type ipv4_addr
                flags interval
                elements = { 36.89.143.21, 45.143.223.106, 49.88.119.119,
                             49.88.218.208, 58.57.4.238, 61.14.228.134,
                             61.37.150.6, 78.128.113.116, 82.113.66.69,
                             88.203.202.102, 103.3.225.114, 103.151.122.57,
                             109.162.241.35, 114.237.203.25, 117.212.174.157,
                             118.163.135.18, 158.140.137.39, 178.21.206.74,
                             186.10.0.116, 201.140.110.78, 202.79.46.153,
                             202.137.155.47 }
        }
}

Cheers,
Andreas

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200813/293fac06/attachment.html>
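The following probe script is an added example and is not part of the bug report, of nftables, or of any commenter's mail. It replays the reporter's sequence against a scratch table "ip bz1449" (a name chosen here so the host's "ip filter" table is left alone) in the two ways the report contrasts: once with one netlink transaction per command, which is what nft -i does, and once as a single batch through nft -f -. It then reports whether the per-transaction path is refused, which is the symptom shown above. It assumes nft on PATH and root privileges; the file name bz1449-probe.sh and the "run" argument are also assumptions. The report's "flush ruleset" is deliberately not replayed, since it would wipe the host's real rules, and "list ruleset" is output only.

```shell
#!/bin/sh
# Added probe script (not part of the bug report or of nftables): replays the
# reporter's command sequence twice, once as one transaction per command (what
# `nft -i` does) and once as a single batch (what `nft -f` does), and reports
# whether the per-transaction path is refused with "File exists".
# Assumptions: nft is on PATH, the script runs as root, and the scratch table
# "ip bz1449" (a name chosen here, not the reporter's "ip filter") is free.

TABLE="ip bz1449"

# The 23 addresses from the bug report, one per line.
initial_elements() {
    cat <<'EOF'
61.37.150.6/32
114.237.203.25/32
82.113.66.69/32
36.89.143.21/32
58.57.4.238/32
117.69.147.239/32
103.221.253.242/32
49.88.218.208/32
88.203.202.102/32
175.106.18.201/32
201.140.110.78/32
178.21.206.74/32
202.137.155.47/32
103.151.122.57/32
158.140.137.39/32
78.128.113.116/32
109.162.241.35/32
49.88.119.119/32
202.79.46.153/32
186.10.0.116/32
45.143.223.106/32
61.14.228.134/32
103.3.225.114/32
EOF
}

# The reporter's sequence as nft commands, one per line, aimed at $TABLE.
# "flush ruleset" (destructive on a live host) and "list ruleset" (output
# only) are left out.
reproducer_commands() {
    elems=$(initial_elements | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    printf 'add table %s\n' "$TABLE"
    printf 'add set %s myset { type ipv4_addr ; flags interval ; }\n' "$TABLE"
    printf 'add element %s myset { %s }\n' "$TABLE" "$elems"
    printf 'delete element %s myset { 175.106.18.201/32 }\n' "$TABLE"
    printf 'delete element %s myset { 103.221.253.242/32, 117.69.147.239/32 }\n' "$TABLE"
    printf 'add element %s myset { 117.212.174.157/32 }\n' "$TABLE"
    printf 'add element %s myset { 118.163.135.18/32 }\n' "$TABLE"
}

# True only when we can actually talk to the kernel.
can_probe() {
    command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]
}

# One netlink transaction per command, like `nft -i`. Returns 0 if every
# command was accepted, 1 if one was refused, 2 if probing is impossible.
run_per_transaction() {
    can_probe || return 2
    nft delete table $TABLE 2>/dev/null
    reproducer_commands | while IFS= read -r cmd; do
        if ! out=$(nft "$cmd" 2>&1 </dev/null); then
            printf 'refused: %s\n%s\n' "$cmd" "$out" >&2
            exit 1      # leaves the pipeline subshell; becomes the function status
        fi
    done
}

# All commands in one batch, like `nft -f`. Same return codes.
run_single_batch() {
    can_probe || return 2
    nft delete table $TABLE 2>/dev/null
    reproducer_commands | nft -f - || return 1
}

main() {
    run_per_transaction; per=$?
    run_single_batch;    batch=$?
    can_probe && nft delete table $TABLE 2>/dev/null
    case "$per/$batch" in
        2/*) echo "cannot probe: need nft on PATH and root"; return 2 ;;
        1/0) echo "AFFECTED: per-command transactions refused, single batch accepted"; return 1 ;;
        0/0) echo "not affected: both paths accepted every command"; return 0 ;;
        *)   echo "unexpected outcome: per-transaction=$per single-batch=$batch"; return 3 ;;
    esac
}

# Run only when invoked as `sh bz1449-probe.sh run`, so the file can also be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as "sudo sh bz1449-probe.sh run". Exit status 1 means the running kernel shows the behaviour reported above (the last two adds refused only when sent as separate transactions); 0 means both paths accepted every command, which is what comment #4 reports for a kernel carrying the two listed commits.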
bugzilla-daemon at netfilter.org
2020-Aug-24 11:34 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Could you give a try to this kernel patch?

http://git.netfilter.org/nftables/commit/?id=8eece29518257536711657c42047f14e22a7e8f2
bugzilla-daemon at netfilter.org
2020-Aug-27 03:37 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Aug-28 23:58 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.netfilter.org/show_bug.cgi?id=1438
bugzilla-daemon at netfilter.org
2020-Aug-29 00:18 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1461
bugzilla-daemon at netfilter.org
2020-Sep-08 14:13 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
This looks like an issue related to:

https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=72239f2795fab9a58633bd0399698ff7581534a3

follow up fixes to address this are:

https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=72239f2795fab9a58633bd0399698ff7581534a3
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=340eaff651160234bdbce07ef34b92a8e45cd540
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=33d077996a87175b155fe88030e8fec7ca76327e
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=226a88de473e475cb9f993682a1c7d0c2b451ad8
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=0726763043dc10dd4c12481f050b1a5ef8f15410
bugzilla-daemon at netfilter.org
2020-Sep-08 14:14 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #2)
> This looks like an issue related to:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=72239f2795fab9a58633bd0399698ff7581534a3

Sorry, actually this is the original patch that introduces overlap checks:

https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=7c84d41416d836ef7e533bd4d64ccbdf40c5ac70

> follow up fixes to address this are:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=72239f2795fab9a58633bd0399698ff7581534a3
> https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=340eaff651160234bdbce07ef34b92a8e45cd540
> https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=33d077996a87175b155fe88030e8fec7ca76327e
> https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=226a88de473e475cb9f993682a1c7d0c2b451ad8
> https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=0726763043dc10dd4c12481f050b1a5ef8f15410
bugzilla-daemon at netfilter.org
2020-Sep-10 00:51 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
                 CC|                            |fw at strlen.de
             Status|NEW                         |RESOLVED

--- Comment #4 from Florian Westphal <fw at strlen.de> ---
I cannot reproduce this anymore after picking
226a88de473e475cb9f993682a1c7d0c2b451ad8 and
0726763043dc10dd4c12481f050b1a5ef8f15410 into 5.7.19.

Unfortunately 5.7.y is EOL, but these patches are in current 5.8.y.