bugzilla-daemon at netfilter.org
2023-Oct-25  04:49 UTC
[Bug 1718] New: The nft(8) manual does not explain how sets are sized
https://bugzilla.netfilter.org/show_bug.cgi?id=1718
            Bug ID: 1718
           Summary: The nft(8) manual does not explain how sets are sized
           Product: nftables
           Version: 1.0.x
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: kfm at plushkava.net
The manual explains the purpose of the "size" keyword, with the synopsis for
"add set" indicating that the keyword is optional by showing it within square
brackets. However, the manual does not explain how the set is sized in the
absence of the keyword. As far as I can tell, the default is 65535, unless the
initial declaration includes a greater number of elements. In any case, it
would be preferable for the manual to document the intended behaviour.
-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231025/06b2e812/attachment.html>
bugzilla-daemon at netfilter.org
2023-Oct-25  04:50 UTC
[Bug 1718] The nft(8) manual does not explain how sets are sized
https://bugzilla.netfilter.org/show_bug.cgi?id=1718
kfm at plushkava.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.netfilter.org/show_bug.cgi?id=1717
bugzilla-daemon at netfilter.org
2023-Oct-25  04:50 UTC
[Bug 1718] The nft(8) manual does not explain how sets are sized
https://bugzilla.netfilter.org/show_bug.cgi?id=1718
kfm at plushkava.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1461
bugzilla-daemon at netfilter.org
2023-Oct-25  11:24 UTC
[Bug 1718] The nft(8) manual does not explain how sets are sized
https://bugzilla.netfilter.org/show_bug.cgi?id=1718
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Currently, size is set to 65535 if the set is dynamic AND it is used by the
ruleset.
I have a kernel patch here that I plan to test and then submit:
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 29c651804cb2..49c068d9b209 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4998,6 +4998,9 @@ static int nf_tables_newset(struct sk_buff *skb, const
struct nfnl_info *info,
                return -EINVAL;
        }
+       if (flags & NFT_SET_EVAL && !desc.size)
+               desc.size = 0xffff;
+
        if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
                desc.expr = true;
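Review bot: the added "desc.size = 0xffff;" hard-codes the default cap as a bare literal, with no comment saying that a dynamic (NFT_SET_EVAL) set created without a size is limited to 65535 elements. Consider a named constant and a one-line comment above the "if", and pair the change with an nft(8) update, since the report asks for the default to be documented. Writing the condition as "(flags & NFT_SET_EVAL) && !desc.size" would also make the precedence of "&" over "&&" explicit to the reader.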
This sets the cap earlier, by the time the dynamic set is created.
bugzilla-daemon at netfilter.org
2023-Nov-27  11:45 UTC
[Bug 1718] The nft(8) manual does not explain how sets are sized
https://bugzilla.netfilter.org/show_bug.cgi?id=1718
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
*** Bug 1717 has been marked as a duplicate of this bug. ***