bugzilla-daemon at netfilter.org
2017-Jan-19 16:35 UTC
[Bug 1114] New: set: Can't add elements after flushing a full set with size description
https://bugzilla.netfilter.org/show_bug.cgi?id=1114
Bug ID: 1114
Summary: set: Can't add elements after flushing a full set with size description
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: elise.lennion at gmail.com
Here is an example of this bug.
$ sudo nft add table x
$ sudo nft add set x s {type ipv4_addr\; size 2\;}
$ sudo nft add element x s {1.1.1.1}
$ sudo nft add element x s {1.1.1.2}
$ sudo nft flush set x s
$ sudo nft add element x s {1.1.1.1}
<cmdline>:1:1-26: Error: Could not process rule: Too many open files in system
add element x s {1.1.1.1}
^^^^^^^^^^^^^^^^^^^^^^^^^^
The last commit in libnftnl repo is "7e549c5 examples: Remove the use of nftnl_mnl_batch_put()"
The last commit in nftables repo is "3eb488 tests: py: Use stateless option on tests"
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170119/5c54d93f/attachment.html>
bugzilla-daemon at netfilter.org
2017-Jan-19 16:40 UTC
[Bug 1114] set: Can't add elements after flushing a full set with size description
https://bugzilla.netfilter.org/show_bug.cgi?id=1114
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
This kernel patch fixes the problem:
http://patchwork.ozlabs.org/patch/716751/
Please, test it and confirm, thanks.
bugzilla-daemon at netfilter.org
2017-Jan-19 21:57 UTC
[Bug 1114] set: Can't add elements after flushing a full set with size description
https://bugzilla.netfilter.org/show_bug.cgi?id=1114
--- Comment #2 from Elise Lennion <elise.lennion at gmail.com> ---
I had this patch applied and the problem still persists here.
The behaviour looks like the number of elements in a set isn't decreased after flushing a set, even when all elements are different:
$ sudo nft add table x
$ sudo nft add set x s {type ipv4_addr\; size 2\;}
$ sudo nft add element x s {1.1.1.1}
$ sudo nft flush set x s
$ sudo nft add element x s {1.1.1.2}
$ sudo nft add element x s {1.1.1.3}
<cmdline>:1:1-26: Error: Could not process rule: Too many open files in system
add element x s {1.1.1.3}
^^^^^^^^^^^^^^^^^^^^^^^^^^
If I delete the elements using 'delete' then it works as expected:
$ sudo nft add table x
$ sudo nft add set x s {type ipv4_addr\; size 2\;}
$ sudo nft add element x s {1.1.1.1}
$ sudo nft delete element x s {1.1.1.1}
$ sudo nft add element x s {1.1.1.2}
$ sudo nft add element x s {1.1.1.3}
No error
I tracked the number of elements in the set when removing both by 'delete' and by 'flush', and the behaviour in nf_tables_commit() is the same: using both commands the number of elements is as expected.
However, the command 'flush' decreases 'set->nelems' but doesn't make room for new elements; I don't know what's wrong.
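An added illustration, not kernel code and not from anyone in this thread: a toy Python model of a sized set that reproduces the transcripts in comment #0 and comment #2 above, including the working 'delete' variant. It assumes, as a reading of the symptom rather than anything the thread states, that the add-time size check allows size plus a count of removals pending commit, which 'delete element' registers and 'flush set' does not; the names SizedSet, ndeact and run are hypothetical.

```python
# Added illustration, not nf_tables code: a toy model of a sized set that
# reproduces the transcripts in this bug report. ASSUMPTION (not stated in
# the thread): the add check allows size + ndeact elements, ndeact counting
# removals pending commit; 'delete element' bumps it, 'flush set' does not,
# and commit decrements it per removed element. Kernel counters are 32-bit
# unsigned, so ndeact is kept modulo 2**32 to make the underflow visible.
U32 = 1 << 32

class SizedSet:
    def __init__(self, size, flush_bumps_ndeact):
        self.size, self.fixed = size, flush_bumps_ndeact  # fixed: corrected model
        self.elems, self.nelems, self.ndeact = set(), 0, 0

    def add(self, elem):  # one 'nft add element' transaction; False = ENFILE
        if self.nelems >= (self.size + self.ndeact) % U32:
            return False
        self.elems.add(elem)
        self.nelems += 1
        return True

    def _commit_removal(self, elem):  # commit phase undoes the pending count
        self.elems.discard(elem)
        self.nelems -= 1
        self.ndeact = (self.ndeact - 1) % U32

    def delete(self, elem):  # 'nft delete element': prepare counts it, then commit
        self.ndeact = (self.ndeact + 1) % U32
        self._commit_removal(elem)

    def flush(self):  # 'nft flush set': only the fixed model counts each removal
        for elem in list(self.elems):
            if self.fixed:
                self.ndeact = (self.ndeact + 1) % U32
            self._commit_removal(elem)

def run(ops, fixed, size=2):
    """Replay a transcript; returns the outcome of each add, in order."""
    s, results = SizedSet(size, fixed), []
    for op, arg in ops:
        if op == "add":
            results.append(s.add(arg))
        elif op == "delete":
            s.delete(arg)
        else:
            s.flush()
    return results

# Transcripts constructed from comment #0, comment #2 and the 'delete' variant.
FULL_THEN_FLUSH = [("add", "1.1.1.1"), ("add", "1.1.1.2"), ("flush", None), ("add", "1.1.1.1")]
FLUSH_ONE = [("add", "1.1.1.1"), ("flush", None), ("add", "1.1.1.2"), ("add", "1.1.1.3")]
DELETE_ONE = [("add", "1.1.1.1"), ("delete", "1.1.1.1"), ("add", "1.1.1.2"), ("add", "1.1.1.3")]
```

With fixed=False the model rejects the last add in both flush transcripts while the delete transcript succeeds, matching the report; with fixed=True every add succeeds.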
bugzilla-daemon at netfilter.org
2017-Jan-23 13:45 UTC
[Bug 1114] set: Can't add elements after flushing a full set with size description
https://bugzilla.netfilter.org/show_bug.cgi?id=1114
--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Elise Lennion from comment #2)
> I had this patch applied and the problem still persists here.
>
> The behaviour looks like the number of elements in a set isn't decreased
> after flushing a set, even when all elements are different:
>
> $ sudo nft add table x
> $ sudo nft add set x s {type ipv4_addr\; size 2\;}
> $ sudo nft add element x s {1.1.1.1}
> $ sudo nft flush set x s
> $ sudo nft add element x s {1.1.1.2}
> $ sudo nft add element x s {1.1.1.3}
>
> <cmdline>:1:1-26: Error: Could not process rule: Too many open files in
> system
> add element x s {1.1.1.3}
> ^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> If I delete the elements using 'delete' then it works as expected:
>
> $ sudo nft add table x
> $ sudo nft add set x s {type ipv4_addr\; size 2\;}
> $ sudo nft add element x s {1.1.1.1}
> $ sudo nft delete element x s {1.1.1.1}
> $ sudo nft add element x s {1.1.1.2}
> $ sudo nft add element x s {1.1.1.3}
> No error
>
> I tracked the number of elements in the set, when removing both by 'delete'
> and by 'flush', and the behaviour in nf_tables_commit() is the same, using
> both commands the number of elements is the expected.
>
> However, the command 'flush' decreases 'set->nelems' but doesn't make room
> for new elements, don't know what's wrong.
OK, flushing is a different problem, although related yes.
http://patchwork.ozlabs.org/patch/717652/
http://patchwork.ozlabs.org/patch/717653/
You need these two patches to fix the set flush scenario.
bugzilla-daemon at netfilter.org
2017-Jan-24 18:45 UTC
[Bug 1114] set: Can't add elements after flushing a full set with size description
https://bugzilla.netfilter.org/show_bug.cgi?id=1114
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
http://patchwork.ozlabs.org/patch/719310/
http://patchwork.ozlabs.org/patch/719309/
http://patchwork.ozlabs.org/patch/719311/
New batch addressing problems with set size checks. Previous patches did not fix corner cases.
bugzilla-daemon at netfilter.org
2017-Jan-27 20:15 UTC
[Bug 1114] set: Can't add elements after flushing a full set with size description
https://bugzilla.netfilter.org/show_bug.cgi?id=1114
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED