bugzilla-daemon at netfilter.org
2020-Apr-05 12:14 UTC
[Bug 1415] New: adjacent ip ranges in vmap causing error
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
Bug ID: 1415
Summary: adjacent ip ranges in vmap causing error
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: generic_dummy at t-online.de
The following snippets cause a 'File exists' error:
ip saddr vmap {
10.0.1.0/24 : accept,
10.0.2.0/24 : drop
}
ip saddr vmap {
10.0.1.0-10.0.1.255 : accept,
10.0.2.0-10.0.2.255 : drop
}
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200405/b220d735/attachment.html>
bugzilla-daemon at netfilter.org
2020-Apr-05 12:19 UTC
[Bug 1415] adjacent ip ranges in vmap causing error
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
--- Comment #1 from McFly <generic_dummy at t-online.de> ---
while shifting the begin of the second ip range by one is not causing any
error:
ip saddr vmap {
10.0.1.0-10.0.1.255 : accept,
10.0.2.1-10.0.2.255 : drop
}
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200405/53f9908b/attachment.html>
bugzilla-daemon at netfilter.org
2020-Apr-08 09:45 UTC
[Bug 1415] adjacent ip ranges in vmap causing error
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Please give a try to this patch:
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200408/2b1a36b4/attachment-0001.html>
bugzilla-daemon at netfilter.org
2020-Apr-08 09:46 UTC
[Bug 1415] adjacent ip ranges in vmap causing error
https://bugzilla.netfilter.org/show_bug.cgi?id=1415 --- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> --- Please give a try to this patch: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=72239f2795fab9a58633bd0399698ff7581534a3 -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200408/14c0b804/attachment.html>
bugzilla-daemon at netfilter.org
2020-Apr-08 16:50 UTC
[Bug 1415] adjacent ip ranges in vmap causing error
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
--- Comment #4 from McFly <generic_dummy at t-online.de> ---
The patch apparantly resolves the reported problem, however seems to have other
issues. The following snippet is causing a segmentation fault:
ip saddr vmap {
10.0.1.0-10.0.1.255 : accept,
10.0.1.1-10.0.2.255 : drop
}
The patch was applied to kernel 5.6.3 and nftables 0.9.4 was used. I will
cross-check with an unpatched kernel.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200408/51858a8c/attachment.html>
bugzilla-daemon at netfilter.org
2020-Apr-08 17:25 UTC
[Bug 1415] adjacent ip ranges in vmap causing error
https://bugzilla.netfilter.org/show_bug.cgi?id=1415 --- Comment #5 from McFly <generic_dummy at t-online.de> --- I did some further checks: 1. the problem with the adjacent ip ranges occurs: kernel 5.5.10 -> NO -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200408/b920e9f4/attachment.html>
bugzilla-daemon at netfilter.org
2020-Apr-08 17:35 UTC
[Bug 1415] adjacent ip ranges in vmap causing error
https://bugzilla.netfilter.org/show_bug.cgi?id=1415 --- Comment #6 from McFly <generic_dummy at t-online.de> --- I did some further checks: 1. the problem with the adjacent ip ranges occurs (causing the 'File exists' error): kernel 5.5.10 -> no kernel 5.6.2 -> yes kernel 5.6.3 -> yes kernel 5.6.3 with patch -> no i.e. the issue was introduced somewhere between 5.5.10 and 5.6.2 and the patch is fixing it. 2. the problem with overlapping ip ranges (causing the segmentation fault) occurs with kernels 5.5.10, 5.6.3 and the patch does NOT fix it Maybe distinct problems. Shall I report this as a separate bug? -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200408/d0d83607/attachment.html>
bugzilla-daemon at netfilter.org
2020-Apr-11 19:37 UTC
[Bug 1415] adjacent ip ranges in vmap causing error
https://bugzilla.netfilter.org/show_bug.cgi?id=1415 --- Comment #7 from Pablo Neira Ayuso <pablo at netfilter.org> --- (In reply to McFly from comment #6)> I did some further checks: > > 1. the problem with the adjacent ip ranges occurs (causing the 'File exists' > error): > kernel 5.5.10 -> no > kernel 5.6.2 -> yes > kernel 5.6.3 -> yes > kernel 5.6.3 with patch -> no > > i.e. the issue was introduced somewhere between 5.5.10 and 5.6.2 and the > patch is fixing it.Thanks for confirming that the patch that is flying upstream is fixing the issue.> 2. the problem with overlapping ip ranges (causing the segmentation fault) > occurs with kernels 5.5.10, 5.6.3 and the patch does NOT fix it > > Maybe distinct problems. Shall I report this as a separate bug?No need for this, patch has been posted on the mailing list: https://patchwork.ozlabs.org/patch/1269369/ -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200411/96fd857f/attachment.html>
bugzilla-daemon at netfilter.org
2020-Apr-15 21:15 UTC
[Bug 1415] adjacent ip ranges in vmap causing error
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #8 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Merged upstream, closing.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200415/1d921460/attachment.html>
Apparently Analagous Threads
- [Bug 1417] New: mapping to adjacent ranges is causing error in kernel 5.6, kernel 5.5 works fine
- [Bug 1465] New: [vmap] ct state concatenation not working
- [Bug 1120] New: nf_tables_check_loops error on adding element to vmap
- [Bug 1179] New: vmap and sets cause "BUG: invalid range expression type set"
- [Bug 452] DNAT to internal network don't work with source routing and 2 uplinks