Re: nftables: Strange Error When Adding Element to Named Set

Mike,

On Mon, 1 Jun 2020 07:58:49 -0700
Mike Dillinger <miked@xxxxxxxxxxxxxx> wrote:

> > *From:* Pablo Neira Ayuso [mailto:pablo@xxxxxxxxxxxxx]
> > *To:* Mike Dillinger <miked@xxxxxxxxxxxxxx>
> > *Cc:* netfilter@xxxxxxxxxxxxxxx, sbrivio@xxxxxxxxxx
> > *Date:* Monday, June 1, 2020, 5:41 AM PDT
> > *Subject:* nftables: Strange Error When Adding Element to Named Set
> > Do you have a simple reproducer? That would help us.
> >
> > This is a set with the interval flag set on, correct?  
> 
> Hi Pablo,
> 
> Yes, that is correct (interval flag is used/enabled).  Here is my
> set definition:
> 
>     set blacklist4-ip-12h {
>          type ipv4_addr
>          flags interval,timeout
>          timeout 12h
>          gc-interval 1m
>      }
> 
> As for a reproducer, it is simple but it takes about 12 hours of
> uptime for the issue to surface.  My script parses syslog for
> questionable IP activity and puts IP's into this set if they meet
> certain criteria, and on average I'd say one or two per hour get
> added to the set.  Let me do some experiments and get back to you. I
> will roll the kernel forward to the problematic version and report
> back later or tomorrow.  In the meantime, please let me know if you
> have any suggestions on how to accelerate the issue.
> 
> Hmmm... actually now that I think about this some more, the set
> expires entries at the 12 hour interval.  Could this possibly be
> related to the first few IP expiration(s)?  I will go with that
> theory and try to reproduce with a set timeout of 1m or 5m, and
> report back.

Yes, that might help. By the way, your kernel (based on 5.6.8 upstream,
not 5.6.14 -- that's the Debian package version) also contains:

commit 340eaff651160234bdbce07ef34b92a8e45cd540
Author: Phil Sutter <phil@xxxxxx>
Date:   Mon May 11 15:31:41 2020 +0200

    netfilter: nft_set_rbtree: Add missing expired checks

so any issue in that sense should be fixed. See the changelog at:
	https://metadata.ftp-master.debian.org/changelogs//main/l/linux/linux_5.6.14-1_changelog

Anyway, my further question is whether at the moment of the insertion
there's an overlapping address already in the set, or the inserted
address is included in an interval also already present in the set.
What is "a.b.c.d" in your earlier report? Is it a single address or an
interval?

Once the failure is detected, would it be possible to automatically dump
the ruleset (nft list ruleset)?

-- 
Stefano
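
The two things asked for above (an accelerated reproducer with a short
timeout, and an automatic `nft list ruleset` dump plus a record of what
overlapped the new element at the moment of insertion) as an added
example. This is not code from the thread or from the nftables project.
It assumes the set lives in table `ip filter` (the table is not named in
the thread), reads the set back with `nft -j list set` and parses the
plain, `prefix` and `range` element shapes libnftables emits; the
`SAMPLE_DUMP` below is constructed by hand in that shape so the overlap
check can be exercised without root or nft.

```python
#!/usr/bin/env python3
"""Accelerated reproducer and pre-insertion overlap check for an nftables
interval+timeout set.  Added example, not code from this thread.

Assumptions (not stated in the thread): the set lives in table "ip filter";
the JSON shapes are those `nft -j list set` emits for elements that carry a
timeout; SAMPLE_DUMP below is constructed by hand in that shape."""
import ipaddress
import json
import subprocess
from datetime import datetime

FAMILY, TABLE = "ip", "filter"        # assumption: table name is not given in the thread
SET = "blacklist4-ip-12h"             # Mike's set name


def _to_networks(val):
    """Turn one JSON element value (plain, prefix or range) into IPv4 networks."""
    if isinstance(val, str):
        return [ipaddress.ip_network(val, strict=False)]
    if "prefix" in val:
        return [ipaddress.ip_network(f"{val['prefix']['addr']}/{val['prefix']['len']}",
                                     strict=False)]
    if "range" in val:
        lo, hi = (ipaddress.ip_address(x) for x in val["range"])
        return list(ipaddress.summarize_address_range(lo, hi))
    raise ValueError(f"unexpected element shape: {val!r}")


def set_networks(nft_json):
    """(network, seconds-until-expiry or None) for every element in a set dump."""
    out = []
    for obj in json.loads(nft_json)["nftables"]:
        if "set" not in obj:
            continue
        for e in obj["set"].get("elem", []):
            if isinstance(e, dict) and "elem" in e:      # element with timeout/expires
                val, expires = e["elem"]["val"], e["elem"].get("expires")
            else:
                val, expires = e, None
            out.extend((net, expires) for net in _to_networks(val))
    return out


def find_overlaps(candidate, nft_json):
    """Existing elements that overlap `candidate` (single address or CIDR)."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return [(net, exp) for net, exp in set_networks(nft_json) if net.overlaps(cand)]


def nft(*args, check=True):
    return subprocess.run(["nft", *args], capture_output=True, text=True, check=check)


def create_set(timeout="1m", gc="10s"):
    """Same flags as the set in the thread, but with a short timeout."""
    nft("add", "table", FAMILY, TABLE)
    nft("add", "set", FAMILY, TABLE, SET,
        f"{{ type ipv4_addr; flags interval,timeout; timeout {timeout}; gc-interval {gc}; }}")


def add_with_diagnostics(elem, dump_path="/tmp/nft-ruleset-on-failure.txt"):
    """Add one element; on failure record the overlaps seen just before the
    attempt and dump the whole ruleset, which is what the reply above asks for."""
    before = nft("-j", "list", "set", FAMILY, TABLE, SET).stdout
    overlaps = find_overlaps(elem, before)
    r = nft("add", "element", FAMILY, TABLE, SET, f"{{ {elem} }}", check=False)
    if r.returncode == 0:
        return True
    with open(dump_path, "a") as f:
        f.write(f"# {datetime.now().isoformat()} add {elem} failed: {r.stderr.strip()}\n")
        f.write("# overlapping elements (network, expires) at insertion time: "
                f"{[(str(n), x) for n, x in overlaps]}\n")
        f.write(nft("list", "ruleset").stdout)
    return False


# Constructed sample in the shape of `nft -j list set ip filter blacklist4-ip-12h`.
SAMPLE_DUMP = json.dumps({"nftables": [
    {"metainfo": {"version": "0.9.3", "release_name": "Topsy", "json_schema_version": 1}},
    {"set": {"family": FAMILY, "table": TABLE, "name": SET, "type": "ipv4_addr",
             "flags": ["interval", "timeout"], "timeout": 43200, "gc-interval": 60,
             "elem": [
                 {"elem": {"val": "192.0.2.1", "timeout": 43200, "expires": 40000}},
                 {"elem": {"val": {"prefix": {"addr": "198.51.100.0", "len": 24}},
                           "timeout": 43200, "expires": 12}},
                 {"elem": {"val": {"range": ["203.0.113.10", "203.0.113.20"]},
                           "timeout": 43200, "expires": 3000}}]}}]})

if __name__ == "__main__":
    import sys, time
    # Offline check against the constructed dump: which elements overlap a new address?
    for cand in ("198.51.100.7", "203.0.113.18", "203.0.113.9"):
        print(cand, [(str(n), x) for n, x in find_overlaps(cand, SAMPLE_DUMP)])
    if len(sys.argv) > 1 and sys.argv[1] == "--run":   # needs root and a working nft
        create_set()
        for ip in ("192.0.2.1", "192.0.2.1", "192.0.2.0/30", "192.0.2.7"):
            if not add_with_diagnostics(ip):
                print("failure recorded, see /tmp/nft-ruleset-on-failure.txt")
            time.sleep(40)   # straddle the 1m timeout so some adds follow an expiry
```

Run without arguments it only exercises the overlap check against the
constructed dump; `--run` (as root, with nft installed) creates the set
with a 1m timeout and spaces the insertions so that some of them land
after an element has expired, appending the ruleset and the overlap list
to the dump file whenever `nft add element` fails. The `expires` value
recorded next to each overlapping element is what tells you whether the
failing insert coincided with an element that was just about to expire.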
