bugzilla-daemon at netfilter.org
2018-Mar-25 20:36 UTC
[Bug 1237] New: sets: timeout > 24d20h31m23s becomes 49d17h2m47s
https://bugzilla.netfilter.org/show_bug.cgi?id=1237
Bug ID: 1237
Summary: sets: timeout > 24d20h31m23s becomes 49d17h2m47s
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: critical
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: debe at galliera.it
I would like to use a timeout of 30 days for elements in a set but it
seems there is some kind of problem above 24d20h31m23s.
# nft add table foo
# nft add set foo bar { type ether_addr\; timeout 24d20h31m23s \; }
# nft list set foo bar
table ip foo {
	set bar {
		type ether_addr
		timeout 24d20h31m23s
	}
}
# nft delete set foo bar
# nft add set foo bar { type ether_addr\; timeout 24d20h31m24s \; }
# nft list set foo bar
table ip foo {
	set bar {
		type ether_addr
		timeout 49d17h2m47s
	}
}
It seems that every timeout > 24d20h31m23s is interpreted as 49d17h2m47s.
I am experiencing this with both:
1. nftables compiled from git 2cb7425 and libnftnl d58ea1f
2. and Debian nftables 0.8.3-1~bpo9+1, libnftnl7 1.0.9-2~bpo9+1
--
thank you,
Marco
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2018-Mar-25 21:23 UTC
[Bug 1237] sets: timeout > 24d20h31m23s becomes 49d17h2m47s
https://bugzilla.netfilter.org/show_bug.cgi?id=1237
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Assignee|pablo at netfilter.org |fw at strlen.de
CC| |fw at strlen.de
--- Comment #1 from Florian Westphal <fw at strlen.de> ---
(In reply to Marco De Benedetto from comment #0)
> I would like to use a timeout of 30 days for elements in a set but it
> seems there is some kind of problem above 24d20h31m23s.
Indeed, this is a kernel bug. nft uses msecs_to_jiffies which treats values < 0
as "infinity", 24d20h31m23s is 2147483000 msecs and still smaller than INT_MAX,
1 second more causes integer overflow.
nft timeout handling also has a problem with 32bit systems, as jiffies is only
32bit. We should probably use "u64" instead of "long" and have gc task use
time_is_before_eq_jiffies64().
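Added example, not part of the original thread and not kernel code: a user-space model of the round trip described in comment #1, showing why 24d20h31m24s and 30d both read back as 49d17h2m47s. Assumptions: HZ is 250, `long` is 64 bits, the value is read back through a conversion that truncates to unsigned int, and all function names here are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define HZ 250            /* assumption: kernel tick rate */
#define MSEC_PER_SEC 1000
/* The kernel's "infinite" timeout, modeled for a 64-bit long. */
#define MAX_JIFFY_OFFSET ((uint64_t)((INT64_MAX >> 1) - 1))

/* Model of the ms -> jiffies step: the argument is an unsigned int and
 * anything that is negative when viewed as int means "infinity". */
static uint64_t model_msecs_to_jiffies(unsigned int m)
{
    if ((int)m < 0)       /* true for every m > INT_MAX */
        return MAX_JIFFY_OFFSET;
    return ((uint64_t)m + (MSEC_PER_SEC / HZ) - 1) / (MSEC_PER_SEC / HZ);
}

/* Model of the jiffies -> ms step: the result is cut to 32 bits. */
static unsigned int model_jiffies_to_msecs(uint64_t j)
{
    return (unsigned int)((MSEC_PER_SEC / HZ) * j);
}

/* Seconds a listing would show after storing and reading back a timeout. */
unsigned int roundtrip_seconds(uint64_t timeout_ms)
{
    uint64_t j = model_msecs_to_jiffies((unsigned int)timeout_ms);
    return model_jiffies_to_msecs(j) / MSEC_PER_SEC;
}

/* Range check a caller can apply before using such a conversion. */
int timeout_fits(uint64_t timeout_ms)
{
    return timeout_ms <= (uint64_t)INT_MAX;
}

int main(void)
{
    /* Constructed inputs: 24d20h31m23s, 24d20h31m24s and 30d, in ms. */
    uint64_t in[] = { 2147483000ULL, 2147484000ULL, 2592000000ULL };
    for (int i = 0; i < 3; i++)
        printf("%llu ms -> %u s (fits: %d)\n", (unsigned long long)in[i],
               roundtrip_seconds(in[i]), timeout_fits(in[i]));
    return 0;
}
```

4294967 seconds is 49d17h2m47s, the value every over-limit timeout in the report collapses to.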
bugzilla-daemon at netfilter.org
2018-Apr-09 12:50 UTC
[Bug 1237] sets: timeout > 24d20h31m23s becomes 49d17h2m47s
https://bugzilla.netfilter.org/show_bug.cgi?id=1237
--- Comment #2 from Florian Westphal <fw at strlen.de> ---
Created attachment 533
--> https://bugzilla.netfilter.org/attachment.cgi?id=533&action=edit
proposed patch to add longer, consistent timeouts to nftables
This patch allows for much longer timeouts and makes nft behave consistently on
32 and 64 bit arches. I will submit the patch once nf-next tree opens up again.
bugzilla-daemon at netfilter.org
2018-Sep-06 10:10 UTC
[Bug 1237] sets: timeout > 24d20h31m23s becomes 49d17h2m47s
https://bugzilla.netfilter.org/show_bug.cgi?id=1237
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #3 from Florian Westphal <fw at strlen.de> ---
Fixed in Linux 4.18 via
commit 8e1102d5a1596dca10f51e3de800809944f8816d
netfilter: nf_tables: support timeouts larger than 23 days