Hi Jozsef,
On Thu, Oct 29, 2020 at 04:39:46PM +0100, Jozsef Kadlecsik wrote:
> From: Stefano Brivio <sbrivio@xxxxxxxxxx>
>
> In ip_set_match_extensions(), for sets with counters, we take care of
> updating counters themselves by calling ip_set_update_counter(), and of
> checking if the given comparison and values match, by calling
> ip_set_match_counter() if needed.
>
> However, if a given comparison on counters doesn't match the configured
> values, that doesn't mean the set entry itself isn't matching.
>
> This fix restores the behaviour we had before commit 4750005a85f7
> ("netfilter: ipset: Fix "don't update counters" mode when counters used
> at the matching"), without reintroducing the issue fixed there: back
> then, mtype_data_match() first updated counters in any case, and then
> took care of matching on counters.
>
> Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set,
> ip_set_update_counter() will anyway skip counter updates if desired.
>
> The issue observed is illustrated by this reproducer:
>
> ipset create c hash:ip counters
> ipset add c 192.0.2.1
> iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP
>
> if we now send packets from 192.0.2.1, bytes and packets counters
> for the entry as shown by 'ipset list' are always zero, and, no
> matter how many bytes we send, the rule will never match, because
> counters themselves are not updated.
If possible, let me split this batch.
I'll apply this fix (1/4) to nf.git instead, so this shows up in
5.10 swiftly.
My understanding is that 2/4, 3/4 and 4/4 have no dependency on this
one, so I'll apply these three remaining patches in the batch to
nf-next.git
Let me know,
Thanks.
