[Bug 1733] New: prefix len in a set of ips is wrong in a rule

bugzilla-daemon at netfilter.org
Mon Jan 29 16:53:29 CET 2024


https://bugzilla.netfilter.org/show_bug.cgi?id=1733

            Bug ID: 1733
           Summary: prefix len in a set of ips is wrong in a rule
           Product: nftables
           Version: 0.9.x
          Hardware: x86_64
                OS: RedHat Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: herecomeswaynebao0811 at gmail.com

Hey there, I found this bug while using
https://github.com/ansibleguy/python3-nftables on Red Hat 8. The kernel
version is "Linux 4.18.0-372.9.1.el8.x86_64 x86_64" and the nft version is
"nftables v0.9.3 (Topsy)".

Basically, when I use a set of IPs with prefix lengths to create a rule, some
IPs show a different prefix from my input when I run
"list chain ip filter test_chain".

More details:

Bug itself:
This is the set of IPs I want to set as daddr:
{'set': [
    {'prefix': {'addr': '172.17.0.0', 'len': 19}},
    {'prefix': {'addr': '10.42.0.0', 'len': 16}},
    {'prefix': {'addr': '100.100.127.0', 'len': 24}},
    {'prefix': {'addr': '10.98.112.0', 'len': 20}},
    {'prefix': {'addr': '100.70.64.0', 'len': 18}},
    {'prefix': {'addr': '10.74.0.0', 'len': 17}},
    {'prefix': {'addr': '100.100.125.0', 'len': 24}},
    {'prefix': {'addr': '10.218.0.0', 'len': 16}},
    {'prefix': {'addr': '10.74.0.0', 'len': 16}},
    {'prefix': {'addr': '10.178.0.0', 'len': 16}},
    {'prefix': {'addr': '10.122.0.0', 'len': 16}},
    {'prefix': {'addr': '100.70.0.0', 'len': 18}},
    {'prefix': {'addr': '10.98.8.0', 'len': 22}},
    {'prefix': {'addr': '10.66.0.0', 'len': 16}},
    {'prefix': {'addr': '10.98.112.0', 'len': 21}},
    {'prefix': {'addr': '10.34.0.0', 'len': 16}},
    {'prefix': {'addr': '10.210.0.0', 'len': 16}},
    {'prefix': {'addr': '100.127.0.0', 'len': 16}},
    {'prefix': {'addr': '100.71.0.0', 'len': 18}},
    {'prefix': {'addr': '100.125.0.0', 'len': 16}},
    {'prefix': {'addr': '100.71.64.0', 'len': 18}},
    {'prefix': {'addr': '10.35.0.0', 'len': 16}},
]}

After I use it to create a rule and then list the chain, the output for these
3 IPs shows
{"prefix": {"addr": "10.34.0.0", "len": 15}} instead of len 16 as in input;
{"prefix": {"addr": "100.70.0.0", "len": 17}} instead of len 18 as in input;
{"prefix": {"addr": "100.71.0.0", "len": 17}} instead of len 18 as in input.

Looks like it happens when the trailing bit is 0.

One test to figure out what triggers the bug:
So I tried another set of input
{
    "set": [
        {"prefix": {"addr": "10.42.0.0", "len": 16}},
        {"prefix": {"addr": "100.70.0.0", "len": 18}},
        {"prefix": {"addr": "10.34.0.0", "len": 16}},
    ]
},
This time the len of all IPs is correct in the output. So I don't actually
know under what conditions which IPs could have the wrong len in the output.
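
Added example (not part of the original report, and not nftables or python3-nftables code): a check, using Python's standard `ipaddress` module on the report's own two input sets, of whether the three listed prefixes equal the result of merging adjacent input prefixes into one CIDR block. That nft's listing comes from such merging is an assumption here, not something the report states; the names `FIRST_INPUT`, `SECOND_INPUT`, `coalesce` and `merged_from` are hypothetical.

```python
import ipaddress

# (addr, len) pairs copied from the first input set in the report.
FIRST_INPUT = [
    ("172.17.0.0", 19), ("10.42.0.0", 16), ("100.100.127.0", 24),
    ("10.98.112.0", 20), ("100.70.64.0", 18), ("10.74.0.0", 17),
    ("100.100.125.0", 24), ("10.218.0.0", 16), ("10.74.0.0", 16),
    ("10.178.0.0", 16), ("10.122.0.0", 16), ("100.70.0.0", 18),
    ("10.98.8.0", 22), ("10.66.0.0", 16), ("10.98.112.0", 21),
    ("10.34.0.0", 16), ("10.210.0.0", 16), ("100.127.0.0", 16),
    ("100.71.0.0", 18), ("100.125.0.0", 16), ("100.71.64.0", 18),
    ("10.35.0.0", 16),
]
# The second, smaller input set, which the report says listed correctly.
SECOND_INPUT = [("10.42.0.0", 16), ("100.70.0.0", 18), ("10.34.0.0", 16)]
# The three prefixes the report says appeared in the chain listing.
REPORTED_LISTED = ["10.34.0.0/15", "100.70.0.0/17", "100.71.0.0/17"]


def to_networks(pairs):
    """Turn (addr, len) pairs into ip_network objects."""
    return [ipaddress.ip_network(f"{addr}/{plen}") for addr, plen in pairs]


def coalesce(pairs):
    """Merge overlapping and adjacent prefixes into a minimal CIDR list."""
    return [str(n) for n in ipaddress.collapse_addresses(to_networks(pairs))]


def merged_from(listed, pairs):
    """Return the input prefixes that fall inside one listed prefix."""
    outer = ipaddress.ip_network(listed)
    return sorted(str(n) for n in to_networks(pairs) if n.subnet_of(outer))


if __name__ == "__main__":
    merged = coalesce(FIRST_INPUT)
    for listed in REPORTED_LISTED:
        status = "matches a merge of" if listed in merged else "is not explained by"
        print(listed, status, merged_from(listed, FIRST_INPUT))
    print("second set after merging:", coalesce(SECOND_INPUT))
```

If the merged list and the listed rule cover the same addresses, the filter matches the same traffic as the input even though the prefix lengths shown differ.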
