<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - prefix len in a set of ips is wrong in a rule"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1733">1733</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>prefix len in a set of ips is wrong in a rule
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>0.9.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>RedHat Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>herecomeswaynebao0811@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Hey there, I found this bug while using
<a href="https://github.com/ansibleguy/python3-nftables">https://github.com/ansibleguy/python3-nftables</a> on Red Hat 8. The kernel
version is "Linux 4.18.0-372.9.1.el8.x86_64 x86_64", and the nft version is
"nftables v0.9.3 (Topsy)".
Basically, when I use a set of IPs with prefix len to create a rule, some IPs
show a different prefix vs. my input when I "list chain ip filter test_chain".
More details:
Bug itself:
This is the set of IPs I want to set as daddr:
{'set': [{'prefix': {'addr': '172.17.0.0', 'len': 19}}, {'prefix': {'addr':
'10.42.0.0', 'len': 16}}, {'prefix': {'addr': '100.100.127.0', 'len': 24}},
{'prefix': {'addr': '10.98.112.0', 'len': 20}}, {'prefix': {'addr':
'100.70.64.0', 'len': 18}}, {'prefix': {'addr': '10.74.0.0', 'len': 17}},
{'prefix': {'addr': '100.100.125.0', 'len': 24}}, {'prefix': {'addr':
'10.218.0.0', 'len': 16}}, {'prefix': {'addr': '10.74.0.0', 'len': 16}},
{'prefix': {'addr': '10.178.0.0', 'len': 16}}, {'prefix': {'addr':
'10.122.0.0', 'len': 16}}, {'prefix': {'addr': '100.70.0.0', 'len': 18}},
{'prefix': {'addr': '10.98.8.0', 'len': 22}}, {'prefix': {'addr': '10.66.0.0',
'len': 16}}, {'prefix': {'addr': '10.98.112.0', 'len': 21}}, {'prefix':
{'addr': '10.34.0.0', 'len': 16}}, {'prefix': {'addr': '10.210.0.0', 'len':
16}}, {'prefix': {'addr': '100.127.0.0', 'len': 16}}, {'prefix': {'addr':
'100.71.0.0', 'len': 18}}, {'prefix': {'addr': '100.125.0.0', 'len': 16}},
{'prefix': {'addr': '100.71.64.0', 'len': 18}}, {'prefix': {'addr':
'10.35.0.0', 'len': 16}}]}
After I use it to create a rule and then list the chain, for these 3 IPs the
output shows
{"prefix": {"addr": "10.34.0.0", "len": 15}} instead of len 16 as in input;
{"prefix": {"addr": "100.70.0.0", "len": 17}} instead of len 18 as in input;
{"prefix": {"addr": "100.71.0.0", "len": 17}} instead of len 18 as in input.
Looks like it happens when the trailing bit is 0.
One test to figure out what triggers the bug:
So I tried another set of inputs
{
    "set": [
        {"prefix": {"addr": "10.42.0.0", "len": 16}},
        {"prefix": {"addr": "100.70.0.0", "len": 18}},
        {"prefix": {"addr": "10.34.0.0", "len": 16}},
    ]
},
This time the len of all IPs is correct in the output. So I don't actually
know under what conditions which IPs could have the wrong len in the output.</pre>
</div>
</p>
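<p>An added check, not part of the original report or of nftables: it collapses the report's two input sets with Python's ipaddress module to show which prefixes change when adjacent or overlapping prefixes are merged. That the lengths listed by nft come from such merging is an assumption, and the function names are illustrative.</p>

```python
import ipaddress

# First set from the report, as (addr, len) pairs.
REPORTED_SET = [
    ("172.17.0.0", 19), ("10.42.0.0", 16), ("100.100.127.0", 24),
    ("10.98.112.0", 20), ("100.70.64.0", 18), ("10.74.0.0", 17),
    ("100.100.125.0", 24), ("10.218.0.0", 16), ("10.74.0.0", 16),
    ("10.178.0.0", 16), ("10.122.0.0", 16), ("100.70.0.0", 18),
    ("10.98.8.0", 22), ("10.66.0.0", 16), ("10.98.112.0", 21),
    ("10.34.0.0", 16), ("10.210.0.0", 16), ("100.127.0.0", 16),
    ("100.71.0.0", 18), ("100.125.0.0", 16), ("100.71.64.0", 18),
    ("10.35.0.0", 16),
]
# Second, smaller set from the report.
SMALL_SET = [("10.42.0.0", 16), ("100.70.0.0", 18), ("10.34.0.0", 16)]


def to_networks(prefixes):
    """Convert (addr, len) pairs to IPv4Network objects (strict: no host bits)."""
    return [ipaddress.ip_network(f"{addr}/{plen}") for addr, plen in prefixes]


def collapse(prefixes):
    """Smallest sorted list of networks covering exactly the same addresses."""
    return list(ipaddress.collapse_addresses(to_networks(prefixes)))


def changed_prefixes(prefixes):
    """Collapsed networks that do not appear verbatim in the input."""
    original = set(to_networks(prefixes))
    return [str(net) for net in collapse(prefixes) if net not in original]


def same_coverage(a, b):
    """True when two prefix lists match exactly the same address space."""
    return collapse(a) == collapse(b)


if __name__ == "__main__":
    for name, prefixes in (("first set", REPORTED_SET), ("second set", SMALL_SET)):
        print(name, "->", changed_prefixes(prefixes) or "no prefix changes")
```

<p>For the first set the collapsed prefixes that differ from the input are 10.34.0.0/15, 100.70.0.0/17 and 100.71.0.0/17; for the second set nothing changes. <code>same_coverage</code> can compare an input set against the set a listing returns to confirm that both match the same addresses.</p>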
</body>
</html>