[Bug 1184] disable implicit concatenating of elements of sets with flag interval

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sun Jan 21 01:56:23 CET 2018


https://bugzilla.netfilter.org/show_bug.cgi?id=1184

--- Comment #9 from Jeff Kletsky <netfilter at allycomm.com> ---
As discussed on the nft mailing list on 2018-01-20

Prohibiting overlapping intervals in the same set is problematic on several
levels, including
* Dynamic firewalls, such as behavior-based ones
* Clear rule set definition
* Single-point management of addresses

The changes introduced by

commit 9a4b513014cfdeaad6d247b72a7924b3a536cfe9
Author: Phil Sutter <phil at nwl.cc>
Date:   Wed Jan 10 21:32:04 2018 +0100

    src: Don't merge adjacent/overlapping ranges

    Previously, when adding multiple ranges to a set they were merged if
    overlapping or adjacent. This might cause inconvenience though since it
    is afterwards not easily possible anymore to remove one of the merged
    ranges again while keeping the others in place.

    Since it is not possible to have overlapping ranges, this patch adds a
    check for newly added ranges to make sure they don't overlap if merging
    is turned off.

    [...]


have broken rule sets here. 

The changes break both explicit sets, as well as implicit sets within rules.

I am puzzled as to why "it is not possible to have overlapping ranges".

As long as the left/right of the interval are unique within the set, then the
element is unique.

I don't see any reason why a clear, efficient algorithm could not be developed
for overlapping intervals. If a user intentionally creates overlapping (or
contained) ranges, that is a conscious decision. Similarly, a dynamically
managed firewall should not have to read out the current state of the set to
decide how to add or remove a host or net block. At least for me, I would not
expect that the implementation would "magically optimize" the tests; I've
explicitly indicated two tests, I'm not going to be surprised if two
comparisons are done as a result.
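
To make the disagreement concrete, here is an added illustration (not part of this bug report and not nft's or the kernel's code) of the two set semantics being argued about: a toy interval set in which each (start, end) pair is its own element, beside a variant that merges overlapping or adjacent ranges on add, as the commit message describes the earlier behaviour. The class and function names, and the sample prefixes, are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network


def net_to_interval(cidr):
    """Convert a CIDR string into an inclusive (lo, hi) pair of integer addresses."""
    net = ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


class IntervalSet:
    """Toy model of an interval set (an assumption for illustration, not nft's code).

    merge=False: every (lo, hi) pair is its own element, so overlapping or
    contained intervals coexist and each can be removed again by its bounds.
    merge=True: add() coalesces overlapping/adjacent intervals into one element,
    the pre-patch behaviour the commit message describes.
    """

    def __init__(self, merge=False):
        self.merge = merge
        self.intervals = set()  # elements are (lo, hi) tuples, inclusive

    def add(self, lo, hi):
        """Add an interval; returns the element actually stored."""
        if lo > hi:
            raise ValueError("interval start must not exceed its end")
        if not self.merge:
            self.intervals.add((lo, hi))
            return (lo, hi)
        # Absorb every stored interval that overlaps or is adjacent (b + 1 == lo).
        new_lo, new_hi = lo, hi
        for (a, b) in list(self.intervals):
            if a <= new_hi + 1 and b + 1 >= new_lo:
                self.intervals.remove((a, b))
                new_lo, new_hi = min(new_lo, a), max(new_hi, b)
        self.intervals.add((new_lo, new_hi))
        return (new_lo, new_hi)

    def remove(self, lo, hi):
        """Remove an element by its exact bounds; fails if no such element exists."""
        try:
            self.intervals.remove((lo, hi))
        except KeyError:
            raise KeyError(f"no element with bounds ({lo}, {hi})") from None

    def contains(self, addr):
        """Membership test: true if any stored interval covers the address."""
        x = int(ip_address(addr))
        return any(lo <= x <= hi for lo, hi in self.intervals)


def demo(merge):
    """Add a /24 and a contained /25 (constructed sample prefixes), then try to
    take the /25 out again, as a dynamically managed firewall would."""
    s = IntervalSet(merge=merge)
    s.add(*net_to_interval("10.0.0.0/24"))
    s.add(*net_to_interval("10.0.0.128/25"))  # overlapping (contained) range
    elements_after_add = len(s.intervals)
    try:
        s.remove(*net_to_interval("10.0.0.128/25"))
        removed = True
    except KeyError:
        removed = False
    return {
        "elements_after_add": elements_after_add,
        "removed": removed,
        "still_matches": s.contains("10.0.0.200"),
    }


if __name__ == "__main__":
    print("distinct elements:", demo(merge=False))
    print("merge on add:     ", demo(merge=True))
```

With merge=False the two intervals are two elements, the /25 can be removed by its bounds without reading the set back first, and 10.0.0.200 still matches through the remaining /24. With merge=True the /25 disappears into the /24 at add time, so the later removal has nothing to match, which is exactly the inconvenience the commit message cites; the model does not attempt to reproduce how the kernel actually stores or matches interval elements.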
