<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - nft ipv4 set with interval issue"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1449">1449</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>nft ipv4 set with interval issue
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>other
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>blocker
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>nft
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>netfilter@d9c.eu
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Tested with git HEAD as of August 13th:
pacman -Q | grep nft                                                            
libnftnl-git 1.1.7.r4.g58e7e9c-1
nftables-git 0.9.6.r42.g0864c2d4-1

on

uname -a                                                                        
Linux iArchEFI 5.7.12-arch1-1 #1 SMP PREEMPT Fri, 31 Jul 2020 17:38:22 +0000
x86_64 GNU/Linux

Consider the following series of commands:

flush ruleset
add table ip filter
add set ip filter myset { type ipv4_addr ; flags interval ;}
add element ip filter myset { 61.37.150.6/32, 114.237.203.25/32,
82.113.66.69/32, 36.89.143.21/32, 58.57.4.238/32, 117.69.147.239/32,
103.221.253.242/32, 49.88.218.208/32, 88.203.202.102/32, 175.106.18.201/32,
201.140.110.78/32, 178.21.206.74/32, 202.137.155.47/32, 103.151.122.57/32,
158.140.137.39/32, 78.128.113.116/32, 109.162.241.35/32, 49.88.119.119/32,
202.79.46.153/32, 186.10.0.116/32, 45.143.223.106/32, 61.14.228.134/32,
103.3.225.114/32 }
delete element ip filter myset { 175.106.18.201/32 }
delete element ip filter myset { 103.221.253.242/32, 117.69.147.239/32 }
list ruleset
add element ip filter myset { 117.212.174.157/32 }
add element ip filter myset { 118.163.135.18/32 }

If pasting them into nft -i, then the following error happens:

# nft> flush ruleset
# ...
# nft> list ruleset
# table ip filter {
#     set myset {
#         type ipv4_addr
#         flags interval
#         elements = { 36.89.143.21, 45.143.223.106,
#                  49.88.119.119, 49.88.218.208,
#                  58.57.4.238, 61.14.228.134,
#                  61.37.150.6, 78.128.113.116,
#                  82.113.66.69, 88.203.202.102,
#                  103.3.225.114, 103.151.122.57,
#                  109.162.241.35, 114.237.203.25,
#                  158.140.137.39, 178.21.206.74,
#                  186.10.0.116, 201.140.110.78,
#                  202.79.46.153, 202.137.155.47 }
#     }
# }
# nft> add element ip filter myset { 117.212.174.157/32 }
# Error: Could not process rule: File exists
# add element ip filter myset { 117.212.174.157/32 }
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft> add element ip filter myset { 118.163.135.18/32 }
# Error: Could not process rule: File exists
# add element ip filter myset { 118.163.135.18/32 }
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

What is happening here? Clearly, there is no interval larger than /32 in this
set and none of the IPs are starting with 117 or 118.

If this series of commands is executed all together via nft -f, then everything
looks to work as expected:

$ nft -f nftall.nft                                                             
$ nft list ruleset                                                              
table ip filter {
    set myset {
        type ipv4_addr
        flags interval
        elements = { 36.89.143.21, 45.143.223.106,
                 49.88.119.119, 49.88.218.208,
                 58.57.4.238, 61.14.228.134,
                 61.37.150.6, 78.128.113.116,
                 82.113.66.69, 88.203.202.102,
                 103.3.225.114, 103.151.122.57,
                 109.162.241.35, 114.237.203.25,
                 117.212.174.157, 118.163.135.18,
                 158.140.137.39, 178.21.206.74,
                 186.10.0.116, 201.140.110.78,
                 202.79.46.153, 202.137.155.47 }
    }
}

Cheers, 
Andreas</pre>
        </div>
      </p>
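<p>Added example, not part of the original report and not nftables code: a plain Python reference model that replays the add/delete commands from the report and lists every add that overlaps a range already in the set. The function names and the model's conflict rule (any overlap counts, including an exact duplicate) are assumptions made for this check; an empty conflict list means the set's contents give no reason for the two adds to fail.</p>

```python
import ipaddress
import re

# add/delete commands copied from the report ("list ruleset" left out).
SERIES = """
add element ip filter myset { 61.37.150.6/32, 114.237.203.25/32,
82.113.66.69/32, 36.89.143.21/32, 58.57.4.238/32, 117.69.147.239/32,
103.221.253.242/32, 49.88.218.208/32, 88.203.202.102/32, 175.106.18.201/32,
201.140.110.78/32, 178.21.206.74/32, 202.137.155.47/32, 103.151.122.57/32,
158.140.137.39/32, 78.128.113.116/32, 109.162.241.35/32, 49.88.119.119/32,
202.79.46.153/32, 186.10.0.116/32, 45.143.223.106/32, 61.14.228.134/32,
103.3.225.114/32 }
delete element ip filter myset { 175.106.18.201/32 }
delete element ip filter myset { 103.221.253.242/32, 117.69.147.239/32 }
add element ip filter myset { 117.212.174.157/32 }
add element ip filter myset { 118.163.135.18/32 }
"""

CMD = re.compile(r"(add|delete) element ip filter myset \{([^}]*)\}")


def replay(series):
    """Replay the commands against a simple interval model.

    Returns (members, conflicts). Assumed rule of this model: an add
    conflicts when it overlaps any range already present; a delete
    conflicts when the exact range is absent.
    """
    members, conflicts = set(), []
    for verb, body in CMD.findall(series):
        for token in body.split(","):
            net = ipaddress.ip_network(token.strip())
            if verb == "add":
                clash = sorted(str(m) for m in members if m.overlaps(net))
                if clash:
                    conflicts.append((verb, str(net), clash))
                else:
                    members.add(net)
            elif net in members:
                members.remove(net)
            else:
                conflicts.append((verb, str(net), []))
    return members, conflicts


def listing(members):
    """Addresses in ascending order, as in the listings in the report."""
    return [str(n.network_address) for n in sorted(members)]


if __name__ == "__main__":
    members, conflicts = replay(SERIES)
    print(len(members), "elements; conflicts:", conflicts or "none")
```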
    </body>
</html>