Re: [PATCH nf v2 4/4] nft_set_rbtree: Detect partial overlaps on insertion

On Tue, 31 Mar 2020 22:12:27 +0200
Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:

> Hi Stefano,
> 
> On Sun, Mar 22, 2020 at 03:22:01AM +0100, Stefano Brivio wrote:
> > ...and return -ENOTEMPTY to the front-end in this case, instead of
> > proceeding. Currently, nft takes care of checking for these cases
> > and not sending them to the kernel, but if we drop the set_overlap()
> > call in nft we can end up in situations like:
> > 
> >  # nft add table t
> >  # nft add set t s '{ type inet_service ; flags interval ; }'
> >  # nft add element t s '{ 1 - 5 }'
> >  # nft add element t s '{ 6 - 10 }'
> >  # nft add element t s '{ 4 - 7 }'
> >  # nft list set t s
> >  table ip t {
> >  	set s {
> >  		type inet_service
> >  		flags interval
> >  		elements = { 1-3, 4-5, 6-7 }
> >  	}
> >  }
> > 
> > This change has the primary purpose of making the behaviour
> > consistent with nft_set_pipapo, but is also functional to avoid
> > inconsistent behaviour if userspace sends overlapping elements for
> > any reason.  
> 
> nftables/tests/py is reporting a regression that is related to this
> patch. If I locally revert this patch here, tests/py works fine here.

Grrr, did I really run tests/shell only after this... :(

Sorry, I'm on it.

-- 
Stefano
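
The overlap case in the quoted commit message can be reproduced with a small userspace model. This is an added example, not code from the patch or from this thread. Its storage layout (a start key plus an end key one past the range), its listing rule, and its choice to reject nested or identical intervals along with partial overlaps are assumptions made to mirror the listing shown above.

```c
/* Added example: simplified userspace model, not the kernel's rbtree code.
 * Assumed storage: interval a-b is a start key a plus an end key b+1. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct bound { unsigned key; int is_end; };
struct set { struct bound b[64]; int n; };

/* Sorted insert; at equal keys an end element sorts before a start element. */
static void put(struct set *s, unsigned key, int is_end) {
    int i = s->n++;
    for (; i > 0 && (s->b[i - 1].key > key ||
         (s->b[i - 1].key == key && !s->b[i - 1].is_end && is_end)); i--)
        s->b[i] = s->b[i - 1];
    s->b[i] = (struct bound){ key, is_end };
}

/* With check set, refuse [lo, hi] if it shares a value with a stored interval. */
static int add(struct set *s, unsigned lo, unsigned hi, int check) {
    for (int i = 0; check && i + 1 < s->n; i++)
        if (!s->b[i].is_end && lo < s->b[i + 1].key && s->b[i].key <= hi)
            return -ENOTEMPTY;
    put(s, lo, 0);
    put(s, hi + 1, 1);
    return 0;
}

/* Replay the three "add element" commands from the mail, then list the set by
 * pairing each start key with the next boundary. Returns the last add's result. */
static int replay(int check, char *out, size_t len) {
    struct set s = { .n = 0 };
    size_t off = 0;
    add(&s, 1, 5, check);
    add(&s, 6, 10, check);
    int ret = add(&s, 4, 7, check);
    out[0] = '\0';
    for (int i = 0; i + 1 < s.n && off < len; i++)
        if (!s.b[i].is_end)
            off += snprintf(out + off, len - off, "%s%u-%u", off ? ", " : "",
                            s.b[i].key, s.b[i + 1].key - 1);
    return ret;
}

int main(void) {
    char buf[128];
    for (int check = 0; check <= 1; check++)
        printf("check=%d ret=%d { %s }\n", check, replay(check, buf, sizeof(buf)), buf);
    return 0;
}
```

Without the check the model lists the same three truncated ranges as the `nft list set` output quoted above, and the end key of 6-10 is left with no start to pair with; with the check the third insert fails and both original ranges stay intact.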



