nftables Set Bug with interval & timeout Flags

* nftables Set Bug with interval & timeout Flags
@ 2020-12-10 17:35 Mike Dillinger
  2021-01-05  3:03 ` Mike Dillinger
  2021-01-06 14:03 ` Pablo Neira Ayuso
  0 siblings, 2 replies; 4+ messages in thread
From: Mike Dillinger @ 2020-12-10 17:35 UTC (permalink / raw)
  To: netfilter

Greetings netfilter team,

I believe I have stumbled on a bug with nftables named sets.  I'm seeing timeout values are lost for named set elements upon reboot or service restart, and it reverts to the default timeout setting for the set.  I only observe this behavior when the interval flag is present.  I have been able to reproduce reliably and I have included reproduction steps.

It is also worth noting that this is only an issue if the interval flag is present.  For named sets without the interval flag, timeouts are preserved across reboots and service restarts as expected. However, I'm interested in using the interval flag to specify CIDR's and IP ranges.

Step 1: Create a set with interval and timeout flags, some other options as well
$ nft add set ip filter test2 {type ipv4_addr \; flags timeout,interval \; timeout 10m \; gc-interval 1m\; counter\;}
$ nft list set ip filter test2
table ip filter {
         set test2 {
                 type ipv4_addr
                 flags interval,timeout
                 counter
                 timeout 10m
                 gc-interval 1m
         }
}

Step 2: Add a couple of elements to set; One will be a single IP and one will be a CIDR/range
$ nft add element ip filter test2 { 1.1.1.1 }
$ nft add element ip filter test2 { 8.8.8.0/24 }
$ nft list set ip filter test2
table ip filter {
         set test2 {
                 type ipv4_addr
                 flags interval,timeout
                 counter
                 timeout 10m
                 gc-interval 1m
                 elements = { 1.1.1.1 expires 9m45s348ms counter packets 0 bytes 0, 8.8.8.0/24 expires 9m55s816ms counter packets 0 bytes 0 }
         }
}

Step 3: Lets pause to allow the timers to decrement somewhat and then backup the nftables config so we can restore it
$ rm -f /etc/nftables.conf && nft list ruleset > /etc/nftables.conf
$ grep --after-context 7 test2 /etc/nftables.conf
         set test2 {
                 type ipv4_addr
                 flags interval,timeout
                 counter
                 timeout 10m
                 gc-interval 1m
                 elements = { 1.1.1.1 expires 6m4s752ms counter packets 0 bytes 0, 8.8.8.0/24 expires 6m15s220ms counter packets 0 bytes 0 }
         }

Step 4: Now restart nftables and observe the failure condition
$ systemctl restart nftables.service
$ nft list set ip filter test2
table ip filter {
         set test2 {
                 type ipv4_addr
                 flags interval,timeout
                 counter
                 timeout 10m
                 gc-interval 1m
                 elements = { 1.1.1.1 expires 9m48s864ms counter packets 0 bytes 0, 8.8.8.0/24 expires 9m48s864ms counter packets 0 bytes 0 }
         }
}

Note the timers reset when the service restarted even though they were saved to /etc/nftables.conf.  And again, this behavior is only present when the interval flag is set.  I have other sets of type ipv4_addr not using the interval flag and those timers are preserved on reset/reboot.

Hopefully I'm doing something wrong, but if not, please let me know your thoughts.  Here is some information regarding my setup (Debian testing):
$ uname -a
Linux rockenfield 5.9.0-4-amd64 #1 SMP Debian 5.9.11-1 (2020-11-27) x86_64 GNU/Linux
$ nft -V
nftables v0.9.7 (Anyface)
   cli:          readline
   json:         yes
   minigmp:      no
   libxtables:   yes

Thanks!
-MikeD

^ permalink raw reply	[flat|nested] 4+ messages in thread