Re: [PATCH nft 3/3] rule: fix use of intervals in set declarations

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Sat, 20 Jun 2015 20:37:28 +0200

On Sat, Jun 20, 2015 at 01:41:34PM +0200, Patrick McHardy wrote:
> On 20.06, Pablo Neira Ayuso wrote:
> > On Fri, Jun 19, 2015 at 08:15:01PM +0200, Patrick McHardy wrote:
> > [...]
> > > >OK, so that transformation would look like:
> > > >
> > > >1) Fetch the existing elements in the set via netlink.
> > > >2) Handle merges with the elements that the user has passed through
> > > >   command line.
> > > >3) Build the segtree.
> > > >4) Push it into the kernel. We need to mark all existing elements for
> > > >   the deletion plus add the new elements, all that in one single
> > > >   transaction.
> > > >
> > > >Is this your idea? So it looks like we need a bit more userspace code.
> > > >
> > > >With the existing approach, the kernel rejects overlapping segments
> > > >with -EEXIST, so if the user is careful to avoid them there should be
> > > >no problem. It's more restrictive than what the logic above, but set
> > > >declarations with intervals will work until that code lands in the
> > > >tree.
> > > 
> > > Sorry, missed this part. Are you sure about that? I'm pretty sure we
> > > only reject exact duplicates. Otherwise I'd agree, that would be
> > > fine for now.
> > 
> > Yes, overlapping segments are rejected:
> > 
> > # nft add element test myset { 1.2.3.0/24 }
> > # nft add element test myset { 1.2.3.1 }
> > <cmdline>:1:1-34: Error: Could not process rule: File exists
> > add element test myset { 1.2.3.1 }
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > # nft add element test myset { 1.2.3.0 }
> > <cmdline>:1:1-34: Error: Could not process rule: File exists
> > add element test myset { 1.2.3.0 }
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > # nft add element test myset { 1.2.3.255 }
> > <cmdline>:1:1-36: Error: Could not process rule: File exists
> > add element test myset { 1.2.3.255 }
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > # nft add element test myset { 1.2.3.30-1.2.4.30 }
> > <cmdline>:1:1-44: Error: Could not process rule: File exists
> > add element test myset { 1.2.3.30-1.2.4.30 }
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> I think this is basically by accident. Does it also reject if the
> second segment starts *before* the first one? IOW, 192.168.1.0/24
> and 192.168.0.0/16?

At quick test it does:

# nft add element test myset2 { 192.168.1.0/24 }
# nft add element test myset2 { 192.168.1.0/16 }
<cmdline>:1:1-42: Error: Could not process rule: File exists
add element test myset2 { 192.168.1.0/16 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# nft add element test myset3 { 192.168.1.0/16 }
# nft add element test myset3 { 192.168.1.0/24 }
<cmdline>:1:1-42: Error: Could not process rule: File exists
add element test myset4 { 192.168.1.0/24 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in