netfilter buglog - Nov 2020 - [Bug 1482] New: adjacent /31 IPs in ipset

https://bugzilla.netfilter.org/show_bug.cgi?id=1482

            Bug ID: 1482
           Summary: adjacent /31 IPs in ipset
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: kernel
          Assignee: pablo at netfilter.org
          Reporter: martin at netconfigs.com

CentOS Linux release 8.2.2004 (Core)
4.18.0-193.19.1.el8_2.x86_64
configured using firewalld

Apparently, a subtle bug when an ipset contains individual IPv4 addresses where
two are adjacent in a /31:

        set larcs4 {
                type ipv4_addr
                flags interval
                elements = { ...,
                             82.152.159.40, 82.152.159.41,
                             ... }
        }

The membership of the ipset are used to allow access to 5071/tcp

        chain filter_IN_public_allow {
                ip saddr @larcs4 tcp dport 5071 ct state { new, untracked }
accept
        }

In this scenario, packets from the earlier IP are accepted,
however, packets from the latter IP are rejected. 

15:15:58.658139 IP 82.152.159.41.48327 > 51.195.193.238.5071: Flags [S], seq
3108250724, win 29200, options [mss 1460,sackOK,TS val 1250822659 ecr
0,nop,wscale 7], length 0
15:15:58.658180 IP 51.195.193.238 > 82.152.159.41: ICMP host 51.195.193.238
unreachable - admin prohibited filter, length 68

If I remove the earlier IP:

        nft delete element inet firewalld larcs4 { 82.152.159.40 }

then packets from the latter IP are accepted.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20201115/2ae7907d/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1482

Martin Meadows <martin at netconfigs.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Martin Meadows <martin at netconfigs.com> ---
My bad - I should have used firewall-cmd to create the ipset as type hash:ip
not hash:net

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20210122/7a7bf356/attachment.html>