BUG: Anonymous maps with adjacent intervals broken since Linux 5.6

BUG: Anonymous maps with adjacent intervals broken since Linux 5.6

[Thorsten Knabe]

Hello.

BUG: Anonymous maps with adjacent intervals are broken starting with
Linux 5.6. Linux 5.5.16 is not affected.

Environment:
- Linux 5.6.3 (AMD64)
- nftables 0.9.4

Trying to apply the ruleset:

flush ruleset

table ip filter {
  chain test {
    ip daddr vmap {
        10.255.1.0-10.255.1.255: accept,
        10.255.2.0-10.255.2.255: drop
    }
  }
}

using nft results in an error on Linux 5.6.3:

# nft -f simple.nft
simple.nft:7:19-5: Error: Could not process rule: File exists
    ip daddr vmap {

The same ruleset works flawlessly using Linux 5.5.16.

Changing the ruleset to:

flush ruleset

table ip filter {
  chain test {
    ip daddr vmap {
        10.255.1.0-10.255.1.254: accept,
        10.255.2.0-10.255.2.255: drop
    }
  }
}

(non adjacent intervals) makes the ruleset work again on Linux 5.6.3.

Reverting commit 7c84d41416d836ef7e533bd4d64ccbdf40c5ac70 from Linux
5.6.3 also fixes the problem.

Kind regards
Thorsten

-- 
___              
 |        | /                 E-Mail: linux@thorsten-knabe.de 
 |horsten |/\nabe                WWW: http://linux.thorsten-knabe.de 

Re: BUG: Anonymous maps with adjacent intervals broken since Linux 5.6

[Stefano Brivio]

Hi Thorsten,

On Fri, 10 Apr 2020 19:25:49 +0200
Thorsten Knabe <linux@thorsten-knabe.de> wrote:

> Hello.
> 
> BUG: Anonymous maps with adjacent intervals are broken starting with
> Linux 5.6. Linux 5.5.16 is not affected.
> 
> Environment:
> - Linux 5.6.3 (AMD64)
> - nftables 0.9.4
> 
> Trying to apply the ruleset:
> 
> flush ruleset
> 
> table ip filter {
>   chain test {
>     ip daddr vmap {
>         10.255.1.0-10.255.1.255: accept,
>         10.255.2.0-10.255.2.255: drop
>     }
>   }
> }
> 
> using nft results in an error on Linux 5.6.3:
> 
> # nft -f simple.nft
> simple.nft:7:19-5: Error: Could not process rule: File exists
>     ip daddr vmap {

Thanks for reporting this issue. I can't test it right now, but:

commit 72239f2795fab9a58633bd0399698ff7581534a3
Author: Stefano Brivio <sbrivio@redhat.com>
Date:   Wed Apr 1 17:14:38 2020 +0200

    netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion

should be the fix for this. Can you try with that?

-- 
Stefano

Re: BUG: Anonymous maps with adjacent intervals broken since Linux 5.6

[Thorsten Knabe]

Hello Stefano.

On 4/11/20 9:24 AM, Stefano Brivio wrote:
> Hi Thorsten,
> 
> On Fri, 10 Apr 2020 19:25:49 +0200
> Thorsten Knabe <linux@thorsten-knabe.de> wrote:
> 
>> Hello.
>>
>> BUG: Anonymous maps with adjacent intervals are broken starting with
>> Linux 5.6. Linux 5.5.16 is not affected.
>>
>> Environment:
>> - Linux 5.6.3 (AMD64)
>> - nftables 0.9.4
>>
>> Trying to apply the ruleset:
>>
>> flush ruleset
>>
>> table ip filter {
>>   chain test {
>>     ip daddr vmap {
>>         10.255.1.0-10.255.1.255: accept,
>>         10.255.2.0-10.255.2.255: drop
>>     }
>>   }
>> }
>>
>> using nft results in an error on Linux 5.6.3:
>>
>> # nft -f simple.nft
>> simple.nft:7:19-5: Error: Could not process rule: File exists
>>     ip daddr vmap {
> 
> Thanks for reporting this issue. I can't test it right now, but:
> 
> commit 72239f2795fab9a58633bd0399698ff7581534a3
> Author: Stefano Brivio <sbrivio@redhat.com>
> Date:   Wed Apr 1 17:14:38 2020 +0200
> 
>     netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion
> 
> should be the fix for this. Can you try with that?

I tried your patch 72239f2795fab9a58633bd0399698ff7581534a3 and it
indeed fixes the problem. Thank you.

Kind regards
Thorsten


-- 
___
 |        | /                 E-Mail: linux@thorsten-knabe.de
 |horsten |/\nabe                WWW: http://linux.thorsten-knabe.de