Linux Netfilter development
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nf-next 0/4] nf_tables: complete interval overlap detection
Date: Wed, 28 Jan 2026 02:42:47 +0100	[thread overview]
Message-ID: <20260128014251.754512-1-pablo@netfilter.org> (raw)

Hi,
 
Overlap detection from the kernel in interval sets is still missing a
few corner cases; this is currently mitigated by nft from userspace by
dumping the set content for each add/create element command.
 
This series is composed of:
 
Patch #1 fixes null interval with NLM_F_CREATE: simply ignore this dummy
element when it already exists, so userspace does not need to dump the
current set content to check if it exists to decide whether to add it or
not to add it.
 
Patch #2 enables overlap detection for start elements with anonymous
sets. This validation in the kernel is currently disabled because end
elements are omitted with adjacent intervals.
 
The following command reports success while it should fail with ENOENT:
 
  add rule ip x y meta mark set ip saddr map { 255.255.255.1-255.255.255.3 : 1, 255.255.255.0-255.255.255.4 : 2}
 
Patch #3 extends overlap detection to report ENOENT when deleting start
and end elements that belong to different intervals, e.g.
 
  add element inet x y { 1.1.1.1-2.2.2.2, 4.4.4.4-5.5.5.5 }
 
then:
 
  add element inet x y { 1.1.1.1-5.5.5.5 }
 
reports success but this should fail with ENOENT.
 
This patch uses a cookie field to store the pointer to the start element
that already exists, then validates that the end element is adjacent to
the start element that is stored in the cookie.
 
This patch also performs similar validation for deletions, e.g.
 
  add element inet x y { 1.1.1.1-2.2.2.2, 4.4.4.4-5.5.5.5}

then:
 
  delete element inet x y { 1.1.1.1-5.5.5.5 }
 
reports success but this should fail with ENOENT.

Patch #4 enables overlap detection for open intervals in non-anonymous
sets, which are only possible at the end of the set. Note that Patch #3
relies on the end element to validate intervals, however, such end
element is missing in the last open interval of the set. This needs a
new LAST flag to detect if the last interval is an open interval.
 
This covers the following scenario:
 
  add element ip x y { 255.255.255.0-255.255.255.254 }
 
then:
 
  add element ip x y { 255.255.255.0-255.255.255.255 }
 
reports success but this should fail with ENOENT.

There is another corner case:
 
  add element ip x y { 255.255.255.0-255.255.255.254 }
  add element ip x y { 255.255.255.0-255.255.255.255, 255.255.255.0-255.255.255.254 }
 
reports success but this should fail with ENOENT. This is handled by
annotating that 255.255.255.0-255.255.255.255 is possibly an open
interval, given that there is no end element.
 
A better approach would be to allow interval sets to the KEY and KEY_END
attributes, but this is not trivial with the existing rbtree set backend
and it requires a lot more work. This series aims at addressing the
existing issues.

Pablo Neira Ayuso (4):
  netfilter: nft_set_rbtree: fix bogus EEXIST with NLM_F_CREATE with null interval
  netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets
  netfilter: nft_set_rbtree: validate element belonging to interval
  netfilter: nft_set_rbtree: validate open interval overlap

 include/net/netfilter/nf_tables.h |   4 +
 net/netfilter/nf_tables_api.c     |  26 +++-
 net/netfilter/nft_set_rbtree.c    | 225 ++++++++++++++++++++++++++++--
 3 files changed, 243 insertions(+), 12 deletions(-)

-- 
2.47.3
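As an added illustration (not code from this series or from the kernel's nft_set_rbtree.c), the Python model below stores interval elements the way the cover letter describes them, start and end boundary elements in key order with a trailing start element for an open interval, and applies the cookie-style check so that the partial-overlap and mismatched-deletion cases listed above are rejected. The result strings are the model's own labels rather than the kernel's errno values, and an IPv4 key space is assumed.

```python
import ipaddress
from bisect import bisect_left

END, START = 0, 1          # END sorts before START at an equal key
MAX_KEY = 0xffffffff       # assumed IPv4 key space for the samples below

def ip(s):
    return int(ipaddress.IPv4Address(s))

class IntervalSet:
    """Sorted (key, kind) elements; interval a-b is START(a), END(b+1).
    A START with no END after it is an open interval reaching MAX_KEY."""
    def __init__(self):
        self.elems = []

    def _bounds(self, a, b):
        end = None if b == MAX_KEY else (b + 1, END)   # b == MAX_KEY: open
        return (a, START), end

    def _next(self, i):
        return self.elems[i + 1] if i + 1 < len(self.elems) else None

    def add(self, a, b, create=False):
        start, end = self._bounds(a, b)
        lo = bisect_left(self.elems, start)
        if lo < len(self.elems) and self.elems[lo] == start:
            # start already exists: keep it as the "cookie" and require the
            # end element to be the one right after it (the patch #3 check)
            if self._next(lo) == end:
                return "ok" if create else "exists"
            return "overlap"       # end belongs to another or an open interval
        hi = len(self.elems) if end is None else bisect_left(self.elems, end)
        if lo != hi or (lo and self.elems[lo - 1][1] == START):
            return "overlap"       # element inside the range, or range inside an interval
        self.elems[lo:lo] = [start] if end is None else [start, end]
        return "ok"

    def delete(self, a, b):
        start, end = self._bounds(a, b)
        lo = bisect_left(self.elems, start)
        if lo == len(self.elems) or self.elems[lo] != start:
            return "noent"
        if self._next(lo) != end:
            return "noent"         # start and end belong to different intervals
        del self.elems[lo:lo + (1 if end is None else 2)]
        return "ok"
```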

