From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jozsef Kadlecsik <kadlec@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/4] netfilter: ipset: Update byte and packet counters regardless of whether they match
Date: Sat, 31 Oct 2020 11:13:48 +0100 [thread overview]
Message-ID: <20201031101348.GA1459@salvia> (raw)
In-Reply-To: <20201029153949.6567-2-kadlec@netfilter.org>
Hi Jozsef,
On Thu, Oct 29, 2020 at 04:39:46PM +0100, Jozsef Kadlecsik wrote:
> From: Stefano Brivio <sbrivio@redhat.com>
>
> In ip_set_match_extensions(), for sets with counters, we take care of
> updating counters themselves by calling ip_set_update_counter(), and of
> checking if the given comparison and values match, by calling
> ip_set_match_counter() if needed.
>
> However, if a given comparison on counters doesn't match the configured
> values, that doesn't mean the set entry itself isn't matching.
>
> This fix restores the behaviour we had before commit 4750005a85f7
> ("netfilter: ipset: Fix "don't update counters" mode when counters used
> at the matching"), without reintroducing the issue fixed there: back
> then, mtype_data_match() first updated counters in any case, and then
> took care of matching on counters.
>
> Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set,
> ip_set_update_counter() will anyway skip counter updates if desired.
>
> The issue observed is illustrated by this reproducer:
>
> ipset create c hash:ip counters
> ipset add c 192.0.2.1
> iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP
>
> if we now send packets from 192.0.2.1, bytes and packets counters
> for the entry as shown by 'ipset list' are always zero, and, no
> matter how many bytes we send, the rule will never match, because
> counters themselves are not updated.
If possible, let me split this batch.
I'll apply this fix (1/4) to nf.git instead, so this shows up in
5.10 swiftly.
My understanding is that 2/4, 3/4 and 4/4 have no dependency on this
one, so I'll apply these three remaining patches in the batch to
nf-next.git
Let me know,
Thanks.
next prev parent reply other threads:[~2020-10-31 10:13 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-29 15:39 [PATCH 0/4] ipset patches for nf-next Jozsef Kadlecsik
2020-10-29 15:39 ` [PATCH 1/4] netfilter: ipset: Update byte and packet counters regardless of whether they match Jozsef Kadlecsik
2020-10-31 10:13 ` Pablo Neira Ayuso [this message]
2020-10-31 15:48 ` Jozsef Kadlecsik
2020-10-29 15:39 ` [PATCH 2/4] netfilter: ipset: Support the -exist flag with the destroy command Jozsef Kadlecsik
2020-10-29 15:39 ` [PATCH 3/4] netfilter: ipset: Add bucketsize parameter to all hash types Jozsef Kadlecsik
2020-10-29 15:39 ` [PATCH 4/4] netfilter: ipset: Expose the initval hash parameter to userspace Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201031101348.GA1459@salvia \
--to=pablo@netfilter.org \
--cc=kadlec@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.