etkaar <lists.netfilter.org@xxxxxxx> wrote:

[ CC Stefano ]

> Dear colleagues,
>
> given is the following perfectly working ruleset (nft list ruleset), which drops almost all of the IPv4 traffic, but grants access to port 22 (SSH) for two IPv4 addresses provided by the set named 'whitelist_ipv4_tcp':

Thanks for reporting, I can reproduce this.

> +++
> table inet filter {
>         set whitelist_ipv4_tcp {
>                 type inet_service . ipv4_addr
>                 flags interval
>                 elements = { 22 . 111.222.333.444,
>                              22 . 555.666.777.888 }
>         }

I can repro this, looks like missing scratchpad cloning in the set backend.

I can see that after the second 'nft -f', avx2_lookup takes the 'if (unlikely(!scratch)) {' branch.

Can you try this (kernel) patch below?

As a workaround, you could try removing the 'interval' flag so that the kernel uses a hash table as set backend instead.

Stefano, does that patch make sense to you?

Thanks!

diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1271,7 +1271,7 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
 {
 	struct nft_pipapo_field *dst, *src;
 	struct nft_pipapo_match *new;
-	int i;
+	int i, err;
 
 	new = kmalloc(sizeof(*new) + sizeof(*dst) * old->field_count,
 		      GFP_KERNEL);
@@ -1291,6 +1291,14 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
 		goto out_scratch;
 #endif
 
+	err = pipapo_realloc_scratch(new, old->bsize_max);
+	if (err) {
+#ifdef NFT_PIPAPO_ALIGN
+		free_percpu(new->scratch_aligned);
+#endif
+		goto out_scratch;
+	}
+
 	rcu_head_init(&new->rcu);
 
 	src = old->f;
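Review bot: on the first hunk, the `err` added in `int i, err;` is assigned once and tested once in the second hunk and never used otherwise, so the declaration change can be dropped entirely by testing the call directly, `if (pipapo_realloc_scratch(new, old->bsize_max)) {`, which also keeps the diff to a single hunk.

Review bot: on the second hunk, the error path after `err = pipapo_realloc_scratch(new, old->bsize_max);` frees only `new->scratch_aligned` and then jumps to `out_scratch`, which is the label that existed before this change, when nothing had been stored in the per-cpu scratch slots yet at this point. If pipapo_realloc_scratch() fills the per-cpu slots one CPU at a time and fails part-way through, the maps it already allocated for earlier CPUs are not released by that label unless it already walks `new->scratch` and kfree()s each slot. Suggest a dedicated label that does `for_each_possible_cpu(i) kfree(*per_cpu_ptr(new->scratch, i));` and then frees `new->scratch_aligned` before falling through to the existing `out_scratch` cleanup, rather than open-coding the free_percpu() inside the if block. A one-line comment above the call explaining why the clone needs its own scratch maps (their absence is what sends avx2_lookup into the `if (unlikely(!scratch))` branch described in the mail) would also help the next reader.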