Re: nftables: Strange Error When Adding Element to Named Set

*From:* Pablo Neira Ayuso [mailto:pablo@xxxxxxxxxxxxx]
*To:* Mike Dillinger <miked@xxxxxxxxxxxxxx>
*Cc:* netfilter@xxxxxxxxxxxxxxx, sbrivio@xxxxxxxxxx
*Date:* Monday, June 1, 2020, 5:41 AM PDT
*Subject:* nftables: Strange Error When Adding Element to Named Set
Do you have a simple reproducer? That would help us.

This is a set with the interval flag set on, correct?

Hi Pablo,

Yes, that is correct (interval flag is used/enabled).  Here is my set definition:
    set blacklist4-ip-12h {
        type ipv4_addr
        flags interval,timeout
        timeout 12h
        gc-interval 1m
    }

As for a reproducer, it is simple, but it takes about 12 hours of uptime for the issue to surface.  My script parses syslog for questionable IP activity and puts IPs into this set if they meet certain criteria, and on average I'd say one or two per hour get added to the set.  Let me do some experiments and get back to you.  I will roll the kernel forward to the problematic version and report back later or tomorrow.  In the meantime, please let me know if you have any suggestions on how to accelerate the issue.

Hmmm... actually, now that I think about this some more, the set expires entries at the 12-hour interval.  Could this possibly be related to the first few IP expiration(s)?  I will go with that theory and try to reproduce with a set timeout of 1m or 5m, and report back.

Thanks!
-MikeD
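The message above proposes shortening the set timeout so that the first element expirations happen within minutes rather than after 12 hours. The script below is an added reproducer sketch written for this archive page; it is not the poster's syslog-parsing script and not anything from the netfilter project. It keeps the posted set definition (type ipv4_addr, flags interval,timeout, gc-interval) but parameterizes the timeout, and it assumes a table and set name chosen here (inet filter_repro, blacklist4-ip-test) plus a handful of constructed addresses from the documentation ranges. Loading the ruleset and adding elements requires root and the nft binary; without them the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example for the thread above; not the poster's own script.
# Assumed names: table "filter_repro", set "blacklist4-ip-test" (hypothetical).
# The 12h timeout from the post is shortened (default 1m) so the first
# expirations, which the poster suspects, occur while elements are still
# being added.

TABLE=${TABLE:-filter_repro}
SET=${SET:-blacklist4-ip-test}
TIMEOUT=${TIMEOUT:-1m}
GC=${GC:-10s}
STEP=${STEP:-30}   # seconds between additions; 30s with a 1m timeout
                   # means the third add happens after the first expired

# Emit a ruleset defining the set with the same flags as in the post.
gen_ruleset() {
    cat <<EOF
table inet $TABLE {
    set $SET {
        type ipv4_addr
        flags interval,timeout
        timeout $TIMEOUT
        gc-interval $GC
    }
}
EOF
}

# Emit the nft command that adds one address or prefix to the set.
add_element_cmd() {
    echo "nft add element inet $TABLE $SET { $1 }"
}

# Constructed sample entries (RFC 5737 documentation ranges), one per "event".
# Mixing a prefix with single addresses exercises the interval handling.
sample_ips() {
    printf '%s\n' 192.0.2.10 198.51.100.0/24 203.0.113.77 192.0.2.11
}

# Load the set, then add elements spaced out in time so that additions keep
# arriving after earlier ones have expired and been garbage collected.
# Reports the first failing add together with the set's current contents.
run_repro() {
    if ! command -v nft >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "nft not available or not root; printing the plan only" >&2
        gen_ruleset
        for ip in $(sample_ips); do add_element_cmd "$ip"; done
        return 0
    fi
    gen_ruleset | nft -f - || return 1
    i=0
    for ip in $(sample_ips); do
        i=$((i + 1))
        if ! nft add element inet "$TABLE" "$SET" "{ $ip }"; then
            echo "add failed at element $i ($ip), $(( (i - 1) * STEP ))s in" >&2
            nft list set inet "$TABLE" "$SET" >&2
            return 1
        fi
        sleep "$STEP"
    done
    echo "all $i elements added without error" >&2
}

# Only run when explicitly asked, so sourcing the file for its functions is safe.
if [ "${REPRO_RUN:-0}" = 1 ]; then
    run_repro
fi
```

Run it as root with `REPRO_RUN=1 sh repro.sh` on the kernel under test; the interesting moment is any add that lands after the gc-interval following the first expiration. Raising STEP or TIMEOUT changes how many elements coexist in the set at expiry time, which is the variable the poster's theory points at.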


