bugzilla-daemon at netfilter.org
2020-Aug-13 16:01 UTC
[Bug 1449] New: nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449
Bug ID: 1449
Summary: nft ipv4 set with interval issue
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: blocker
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: netfilter at d9c.eu
Tested with git HEAD as of August 13th:
pacman -Q | grep nft
libnftnl-git 1.1.7.r4.g58e7e9c-1
nftables-git 0.9.6.r42.g0864c2d4-1
on
uname -a
Linux iArchEFI 5.7.12-arch1-1 #1 SMP PREEMPT Fri, 31 Jul 2020 17:38:22 +0000
x86_64 GNU/Linux
Consider the following series of commands:
flush ruleset
add table ip filter
add set ip filter myset { type ipv4_addr ; flags interval ;}
add element ip filter myset { 61.37.150.6/32, 114.237.203.25/32,
82.113.66.69/32, 36.89.143.21/32, 58.57.4.238/32, 117.69.147.239/32,
103.221.253.242/32, 49.88.218.208/32, 88.203.202.102/32, 175.106.18.201/32,
201.140.110.78/32, 178.21.206.74/32, 202.137.155.47/32, 103.151.122.57/32,
158.140.137.39/32, 78.128.113.116/32, 109.162.241.35/32, 49.88.119.119/32,
202.79.46.153/32, 186.10.0.116/32, 45.143.223.106/32, 61.14.228.134/32,
103.3.225.114/32 }
delete element ip filter myset { 175.106.18.201/32 }
delete element ip filter myset { 103.221.253.242/32, 117.69.147.239/32 }
list ruleset
add element ip filter myset { 117.212.174.157/32 }
add element ip filter myset { 118.163.135.18/32 }
If pasting them into nft -i, then the following error happens:
# nft> flush ruleset
# ...
# nft> list ruleset
# table ip filter {
# set myset {
# type ipv4_addr
# flags interval
# elements = { 36.89.143.21, 45.143.223.106,
# 49.88.119.119, 49.88.218.208,
# 58.57.4.238, 61.14.228.134,
# 61.37.150.6, 78.128.113.116,
# 82.113.66.69, 88.203.202.102,
# 103.3.225.114, 103.151.122.57,
# 109.162.241.35, 114.237.203.25,
# 158.140.137.39, 178.21.206.74,
# 186.10.0.116, 201.140.110.78,
# 202.79.46.153, 202.137.155.47 }
# }
# }
# nft> add element ip filter myset { 117.212.174.157/32 }
# Error: Could not process rule: File exists
# add element ip filter myset { 117.212.174.157/32 }
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft> add element ip filter myset { 118.163.135.18/32 }
# Error: Could not process rule: File exists
# add element ip filter myset { 118.163.135.18/32 }
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
What is happening here? Clearly, there is no interval larger than /32 in this
set and none of the IPs are starting with 117 or 118.
If this series of commands is executed all together via nft -f, then everything
looks to work as expected:
$ nft -f nftall.nft
$ nft list ruleset
table ip filter {
set myset {
type ipv4_addr
flags interval
elements = { 36.89.143.21, 45.143.223.106,
49.88.119.119, 49.88.218.208,
58.57.4.238, 61.14.228.134,
61.37.150.6, 78.128.113.116,
82.113.66.69, 88.203.202.102,
103.3.225.114, 103.151.122.57,
109.162.241.35, 114.237.203.25,
117.212.174.157, 118.163.135.18,
158.140.137.39, 178.21.206.74,
186.10.0.116, 201.140.110.78,
202.79.46.153, 202.137.155.47 }
}
}
Cheers,
Andreas
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200813/293fac06/attachment.html>
bugzilla-daemon at netfilter.org
2020-Aug-24 11:34 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449 --- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> --- Could you give a try to this kernel patch? http://git.netfilter.org/nftables/commit/?id=8eece29518257536711657c42047f14e22a7e8f2 -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200824/2f425961/attachment-0001.html>
bugzilla-daemon at netfilter.org
2020-Aug-27 03:37 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449
kfm at plushkava.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kfm at plushkava.net
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200827/8c99ef4e/attachment-0001.html>
bugzilla-daemon at netfilter.org
2020-Aug-28 23:58 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449
kfm at plushkava.net changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugzilla.netfilter.
| |org/show_bug.cgi?id=1438
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200828/b80f25a1/attachment.html>
bugzilla-daemon at netfilter.org
2020-Aug-29 00:18 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449
kfm at plushkava.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1461
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200829/e98694ec/attachment.html>
bugzilla-daemon at netfilter.org
2020-Sep-08 14:13 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449 --- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> --- This looks like an issue related to: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=72239f2795fab9a58633bd0399698ff7581534a3 follow up fixes to address this are: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=72239f2795fab9a58633bd0399698ff7581534a3 https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=340eaff651160234bdbce07ef34b92a8e45cd540 https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=33d077996a87175b155fe88030e8fec7ca76327e https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=226a88de473e475cb9f993682a1c7d0c2b451ad8 https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=0726763043dc10dd4c12481f050b1a5ef8f15410 -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200908/db3994a0/attachment.html>
bugzilla-daemon at netfilter.org
2020-Sep-08 14:14 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449 --- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> --- (In reply to Pablo Neira Ayuso from comment #2)> This looks like an issue related to: > > https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/ > netfilter/nft_set_rbtree.c?id=72239f2795fab9a58633bd0399698ff7581534a3Sorry, actually this is the original patch that introduces overlap checks: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/netfilter/nft_set_rbtree.c?id=7c84d41416d836ef7e533bd4d64ccbdf40c5ac70> follow up fixes to address this are: > > https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/ > netfilter/nft_set_rbtree.c?id=72239f2795fab9a58633bd0399698ff7581534a3 > https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/ > netfilter/nft_set_rbtree.c?id=340eaff651160234bdbce07ef34b92a8e45cd540 > https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/ > netfilter/nft_set_rbtree.c?id=33d077996a87175b155fe88030e8fec7ca76327e > https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/ > netfilter/nft_set_rbtree.c?id=226a88de473e475cb9f993682a1c7d0c2b451ad8 > https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/net/ > netfilter/nft_set_rbtree.c?id=0726763043dc10dd4c12481f050b1a5ef8f15410-- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200908/22f70e31/attachment.html>
bugzilla-daemon at netfilter.org
2020-Sep-10 00:51 UTC
[Bug 1449] nft ipv4 set with interval issue
https://bugzilla.netfilter.org/show_bug.cgi?id=1449
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
CC| |fw at strlen.de
Status|NEW |RESOLVED
--- Comment #4 from Florian Westphal <fw at strlen.de> ---
I cannot reproduce this anymore after picking
226a88de473e475cb9f993682a1c7d0c2b451ad8
and
0726763043dc10dd4c12481f050b1a5ef8f15410
into 5.7.19. Unfortunately 5.7.y is EOL, but these patches are in current
5.8.y.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200910/02966fe2/attachment.html>
Maybe Matching Threads
- [Bug 1734] New: nft set with auto-merge json import/export
- [Bug 1438] New: nft generates wrong intervals for sets with auto-merge
- Is it possible to retrieve Non blocking socket writeable status of a unix channel device ?
- [Bug 1180] New: Can't create a set with both timeout and interval flags at the same time
- [Bug 1417] New: mapping to adjacent ranges is causing error in kernel 5.6, kernel 5.5 works fine