Re: [PATCH nf] netfilter: revert nft_set_rbtree: validate open interval overlap

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Wed, Mar 11, 2026 at 04:29:12PM +0100, Florian Westphal wrote:
> This reverts commit 648946966a08 ("netfilter: nft_set_rbtree: validate
> open interval overlap").
> 
> There have been reports of nft failing to laod valid rulesets after this
> patch was merged into -stable.
>
> I can reproduce several such problem with recent nft versions, including
> nft 1.1.6 which is widely shipped by distributions.

The culprit is this bug in userspace:

  e83e32c8d1cd mnl: restore create element command with large batches

At the same time, 1.1.6 is broken because of this bug _regardless_
this patch.

> We currently have little choice here.
> This commit can be resurrected at some point once the nftables fix that
> triggers the false overlap positive has appeared in common distros
> (see e83e32c8d1cd ("mnl: restore create element command with large batches" in
>  nftables.git).

Yes, we can just wait for the userspace fix to propagate, then merge
this in again.

It is very unfortunate that this userspace bug in the way.

> Fixes: 648946966a08 ("netfilter: nft_set_rbtree: validate open interval overlap")
> Signed-off-by: Florian Westphal <fw@strlen.de>
>
> ---
>  Pablo, if you prefer a different approach, e.g. just axing
>  the relevant check instead of full revert please let me know.

I can think of workaround such as adding a temporary sysctl knob
to disable this... but it is ugly.

Probably it is more sensible to revert temporarily and wait for a bit
of time for the e83e32c8d1cd userspace bugfix to propagate downstream.

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>