<html>

    <head>

      <base href="https://bugzilla.netfilter.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - nftables.py cmd leaking memory when ruleset contain mapping ip length to range with high limit 65535"

   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1382">1382</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>nftables.py cmd leaking memory when ruleset contain mapping ip length to range with high limit 65535

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>nftables

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>x86_64

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Gentoo

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>major

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P5

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>nft

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>pablo@netfilter.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>karel@unitednetworks.cz

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Created <span class=""><a href="attachment.cgi?id=574" name="attach_574" title="example of nftables.py leaking memory">attachment 574</a> <a href="attachment.cgi?id=574&action=edit" title="example of nftables.py leaking memory">[details]</a></span>

example of nftables.py leaking memory

System:

Gentoo 5.3.10 x86_64

nft up to date from GIT as of 12.11.2019

Overwiew:

nft commands which change ruleset leak memory when running through nftables.py

if ruleset contain rule like this:

add rule ip table1 chain1 counter name ip length map { 0-65535: "counter1" }

But no leaking happens when rule is changed to:

add rule ip table1 chain1 counter name ip length map { 0-65534: "counter1" }

Detailed info:

Consider this ruleset:

add table ip table1

add set ip table1 set1 { type ipv4_addr; }

add chain ip table1 chain1 { type filter hook forward priority 0; }

add counter ip table1 counter1

add rule ip table1 chain1 counter name ip length map { 0-65535: "counter1" }

Then several iterations of adding and deleting set items like this:

add element table1 set1 { 1.1.1.1 }

delete element table1 set1 { 1.1.1.1 }

will show process is leaking memory.

See attached example.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are watching all bug changes.</li>

      </ul>

    </body>

</html>