Re: [PATCH nft 0/2] Fix listing of sets containing unclosed address prefix intervals

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2022-09-18, at 18:22:10 +0100, Jeremy Sowden wrote:
> The code which decomposes unclosed intervals in sets doesn't check for
> prefixes.  This means that a set containing such a prefix (e.g.,
> ff00::/8 or 192.0.0.0/2) is incorrectly listed:

The original Debian bug-report only covers the IPv6 case:

>   # nft list table ip6 t
>   table ip6 t {
>     chain c {
>       ip6 saddr ff00::/8 drop
>       ip6 saddr fe80::/10 drop
>       ip6 saddr { fe80::/10, ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } drop
>     }
>   }

To the reporter that range looked like a garbled address with a negative
hex number embedded in it, and when I read the report it looked like
that to me too.  Inevitably, it was only after I sent this patch-set
that I finally parsed it correctly as the range ff00:: to
ffff:ffff:...:ffff:ffff, largely because of the IPv4 case:

>   # nft list table ip t
>   table ip t {
>     chain c {
>       ip saddr 192.0.0.0/2 drop
>       ip saddr 10.0.0.0/8 drop
>       ip saddr { 10.0.0.0/8, 192.0.0.0-255.255.255.255 } drop
>     }
>   }

which, to me at least, is easier to read.

The reason that I bring this up is that I should probably have phrased
the commit messages differently and avoided the use of "correct" and
"incorrect" if I hadn't misparsed the IPv6 range, like the original
reporter, since the ranges currently output are unexpected (and arguably
confusing), rather than wrong.  I'm happy to reword the commits if you
would like.

J.

> This patch-set refactors `interval_map_decompose` to use the same code
> to handle unclosed intervals that is used for closed ones.
> 
> Jeremy Sowden (2):
>   segtree: refactor decomposition of closed intervals
>   segtree: fix decomposition of unclosed intervals containing address
>     prefixes
> 
>  src/segtree.c                                 | 90 +++++++++----------
>  .../sets/0071unclosed_prefix_interval_0       | 23 +++++
>  .../dumps/0071unclosed_prefix_interval_0.nft  | 19 ++++
>  3 files changed, 85 insertions(+), 47 deletions(-)
>  create mode 100755 tests/shell/testcases/sets/0071unclosed_prefix_interval_0
>  create mode 100644 tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft
> 
> -- 
> 2.35.1
> 
> 

Attachment: signature.asc
Description: PGP signature


[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux