[Bug 1404] New: Problems with dynamically managing interval sets with auto-merge

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Feb 3 08:37:45 CET 2020 

https://bugzilla.netfilter.org/show_bug.cgi?id=1404

            Bug ID: 1404
           Summary: Problems with dynamically managing interval sets with
                    auto-merge
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: Debian GNU/Linux
            Status: NEW
          Severity: blocker
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: pc at hillside.co.uk

When element contents are auto-merged, a flush action will remove set elements
but seems to not permit elements to be added in the same command sequence.

Step 1:
Place following into a file (assumes ip filter table exists) to create a set
with a merged interval.

add set ip filter w_all {type ipv4_addr; flags interval;auto-merge}
add element ip filter w_all {10.10.10.10,10.10.10.11}

Step 2:
Assume time passes and a change is needed. Now in a second file, execute:

flush set ip filter w_all
add element ip filter w_all {10.10.10.10,10.10.10.253}

The add element command fails with

n2:2:30-40: Error: interval overlaps with an existing one
add element ip filter w_all {10.10.10.10,10.10.10.253}
                             ^^^^^^^^^^^
n2:2:1-55: Error: Could not process rule: File exists
add element ip filter w_all {10.10.10.10,10.10.10.253}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
and the set is unchanged.

Adding 

flush set ip filter w_all

to the end of the first command set does result in an empty set. So it's
flushing, but I am guessing there is some state which retains the auto-merge
information which isn't cleared and this causes the second add element to fail.

Workaround 1:
Removing auto-merge from the set definition allows the contents to be replaced.

Workaround 2:
A workaround seems to be to split the second command set into two separate
calls to nft. First to flush the set. Then a second action to re-populate.
However, I really expect the flush to work.

Comments: An attempt to delete one element of an auto-merged element fails. I
think that this is reasonable. 

# nft -v
nftables v0.9.3 (Topsy)

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200203/9cbb8737/attachment.html>

More information about the netfilter-buglog mailing list