[Bug 1382] New: nftables.py cmd leaking memory when ruleset contains mapping ip length to range with high limit 65535
bugzilla-daemon at netfilter.org
Tue Nov 12 14:53:38 CET 2019
https://bugzilla.netfilter.org/show_bug.cgi?id=1382
Bug ID: 1382
Summary: nftables.py cmd leaking memory when ruleset contains mapping ip length to range with high limit 65535
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Gentoo
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: karel at unitednetworks.cz
Created attachment 574
--> https://bugzilla.netfilter.org/attachment.cgi?id=574&action=edit
example of nftables.py leaking memory
System:
Gentoo 5.3.10 x86_64
nft up to date from GIT as of 12.11.2019
Overview:
nft commands which change the ruleset leak memory when run through nftables.py
if the ruleset contains a rule like this:
add rule ip table1 chain1 counter name ip length map { 0-65535: "counter1" }
But no leaking happens when the rule is changed to:
add rule ip table1 chain1 counter name ip length map { 0-65534: "counter1" }
Detailed info:
Consider this ruleset:
add table ip table1
add set ip table1 set1 { type ipv4_addr; }
add chain ip table1 chain1 { type filter hook forward priority 0; }
add counter ip table1 counter1
add rule ip table1 chain1 counter name ip length map { 0-65535: "counter1" }
Then several iterations of adding and deleting set items like this:
add element table1 set1 { 1.1.1.1 }
delete element table1 set1 { 1.1.1.1 }
will show the process is leaking memory.
See attached example.
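A leak-check harness for the reproduction steps above, added here as an illustration and not the attachment from the report: it loads the reporter's ruleset through the nftables Python binding, runs the add/delete element cycles, samples the process RSS from /proc/self/status and flags sustained growth. The growth threshold and the sampling interval are assumptions chosen for this example; nftables.Nftables().cmd() is the binding's own call and returns (rc, output, error).

```python
# Ruleset from the bug report; the 0-65535 range is the case that leaks.
RULESET = """
add table ip table1
add set ip table1 set1 { type ipv4_addr; }
add chain ip table1 chain1 { type filter hook forward priority 0; }
add counter ip table1 counter1
add rule ip table1 chain1 counter name ip length map { 0-65535: "counter1" }
"""
CYCLE = ("add element table1 set1 { 1.1.1.1 }",
         "delete element table1 set1 { 1.1.1.1 }")

def rss_kib():
    """Resident set size of this process in KiB (Linux /proc only)."""
    with open("/proc/self/status") as status:
        for line in status:
            if line.startswith("VmRSS:"):
                return int(line.split()[1])
    raise RuntimeError("VmRSS not found in /proc/self/status")

def growth_per_sample(samples):
    """Least-squares slope of the RSS samples, in KiB per sample."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_x, mean_y = (n - 1) / 2, sum(samples) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(samples))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den

def leak_suspected(samples, threshold_kib=64):
    """True when RSS keeps climbing across samples (threshold is an assumption)."""
    return (len(samples) >= 3 and samples[-1] > samples[0]
            and growth_per_sample(samples) > threshold_kib)

def run_cycles(nft, cycles, sample_every=100):
    """Run add/delete cycles through nft.cmd(), sampling RSS every few cycles."""
    samples = []
    for i in range(cycles):
        for cmd in CYCLE:
            rc, _out, err = nft.cmd(cmd)
            if rc != 0:
                raise RuntimeError(f"{cmd!r} failed: {err}")
        if i % sample_every == 0:
            samples.append(rss_kib())
    return samples

if __name__ == "__main__":
    import nftables  # py/nftables.py shipped with nft; needs libnftables
    nft = nftables.Nftables()
    rc, _, err = nft.cmd("flush ruleset\n" + RULESET)
    if rc != 0:
        raise SystemExit(f"ruleset load failed: {err}")
    rss = run_cycles(nft, 2000)
    print(rss, "-> leak suspected" if leak_suspected(rss) else "-> no sustained growth")
```

Swapping 0-65535 for 0-65534 in RULESET and rerunning gives the control case the report describes.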