Wildcards / large ranges in concatenations

Wildcards / large ranges in concatenations

[Frank Myhr]

Hi,

A couple of weeks ago I played around a bit with using ranges in 
concatenations, a very cool feature added in nftables 0.9.4. Somehow I 
wound up with set with nonsensical keys, and not long after a kernel 
oops. I suppose this was very likely my own fault and/or due to very 
limited memory inside a virtual machine. I ended up going with a 
different ruleset config.

But I have a couple lingering questions about using ranges in 
concatenations:

1) Would it be possible to specify a wildcard (* or similar) for one of 
the constituent values? I had a vmap (if I remember correctly) using 
concatenated keys like ifname . ifname . inet_service . inet_service. 
For one element I didn't care about one of the inet_service values, and 
since '*' didn't seem to work, specified a range of all possible values 
0-65535. The oops happened not long after this.

2) Are concatenations of large (or wildcard) ranges inefficient (in 
execution speed and/or memory use), even if they work? I started to 
suspect this might be the case, and so changed my ruleset design.

Thanks,
Frank

Re: Wildcards / large ranges in concatenations

[Florian Westphal]

Frank Myhr <fmyhr@fhmtech.com> wrote:
> A couple of weeks ago I played around a bit with using ranges in
> concatenations, a very cool feature added in nftables 0.9.4. Somehow I wound
> up with set with nonsensical keys, and not long after a kernel oops.

The kernel must not oops.  Please share a reproducer so this can be
fixed.  Thanks.