Date: Mon, 10 Jan 2022 18:30:16 +0100
From: Pablo Neira Ayuso
To: Florian Westphal
Cc: netfilter-devel
Subject: Re: nft -f fails to restore ruleset listing with certain dynamic set types
References: <20220110152820.GE317@breakpoint.cc>
In-Reply-To: <20220110152820.GE317@breakpoint.cc>
List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org

On Mon, Jan 10, 2022 at 04:28:20PM +0100, Florian Westphal wrote:
> I was given this reproducer:
>
> ----------------
> #!/bin/bash -x
> nft flush ruleset
>
> nft add table ip filter
> nft add chain ip filter output { type filter hook output priority 0 \; }
> nft add set ip filter black-list '{type ipv4_addr; flags dynamic; }'
> nft add rule ip filter output oifname lo meta l4proto udp update @black-list { ip daddr } counter
> nft list ruleset |tee ruleset
>
> nft -f ruleset # success
> nft flush ruleset
> nft list ruleset
> sleep 1
> nft -f ruleset # failed
>
> -----------
>
> The ruleset generated by 'nft list ruleset' cannot be restored.
>
> Ruleset looks like this:
>
> table ip filter {
> 	set black-list {
> 		type ipv4_addr
> 		size 65535
> 	}
>
> 	chain output {
> 		type filter hook output priority filter; policy accept;
> 		oifname "lo" meta l4proto udp update @black-list { ip daddr } counter packets 0 bytes 0
> 	}
> }
>
> Reason for the failure on restore is that the set is created with 'size 65536' but no 'dynamic' flag.
>
> This causes a failure because the kernel picks the 'hash' set that lacks the update() function.
>
> The initial commands work because lack of 'size' picks the rhash backend, so the ->update works since the check for the timeout flag was removed in commit "netfilter: nft_dynset: relax superfluous check on set updates".
>
> First restore works because the set is not created anew, so this is still 'rhash' backend.
>
> Second restore fails because 'hash' is chosen.
>
> Workaround is to edit the ruleset file to add 'flags dynamic' or 'flags timeout', or both.
>
> Any suggestions on how to fix this?

Could you set on the dynamic flag from the evaluation path? If there is a rule with the set statement that uses the set, then turn on this dynamic flag.
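As an added illustration of the workaround Florian describes (example code, not part of this thread or of nftables), a small shell script that takes a dump from 'nft list ruleset', finds every set that some rule targets with an 'update @name' or 'add @name' statement, and adds 'flags dynamic' to that set's declaration when it has neither 'dynamic' nor 'timeout'; the sample dump is reconstructed from the listing quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: apply Florian's workaround to a dump from
# "nft list ruleset" so every set that a rule updates carries "flags dynamic",
# and "nft -f" no longer picks the plain hash backend (which has no ->update()).

# Names of sets referenced by a dynset statement ("update @name" / "add @name").
dynamic_set_names() {
    grep -oE '(update|add) @[A-Za-z0-9_.-]+' "$1" | sed 's/.*@//' | sort -u | tr '\n' ' '
}

# Print the dump with "flags dynamic" inserted into each such set block; a flags
# line that already exists but lacks dynamic/timeout gets "dynamic," prepended.
add_dynamic_flag() {
    awk -v names="$(dynamic_set_names "$1")" '
    BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    /^[ \t]*set [^ ]+ [{][ \t]*$/ { cur = $2; seen = 0; print; next }  # enter "set NAME {"
    cur != "" && /^[ \t]*flags / {
        if ((cur in want) && $0 !~ /dynamic|timeout/) sub(/flags /, "flags dynamic,")
        seen = 1; print; next
    }
    cur != "" && /^[ \t]*[}][ \t]*$/ {                                  # leave the set block
        if ((cur in want) && !seen) print indent "flags dynamic"
        cur = ""; print; next
    }
    cur != "" { match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH) }  # remember indent
    { print }' "$1"
}

# Constructed sample: the dump quoted in the thread, tab-indented as nft prints it.
sample_ruleset() {
    printf 'table ip filter {\n\tset black-list {\n\t\ttype ipv4_addr\n\t\tsize 65535\n\t}\n\n'
    printf '\tchain output {\n\t\ttype filter hook output priority filter; policy accept;\n'
    printf '\t\toifname "lo" meta l4proto udp update @black-list { ip daddr } counter packets 0 bytes 0\n'
    printf '\t}\n}\n'
}

tmp=$(mktemp)
sample_ruleset > "$tmp"
add_dynamic_flag "$tmp"   # same dump, with "flags dynamic" added to set black-list
rm -f "$tmp"
```

Feed the output to 'nft -f' instead of the raw dump; a set that already lists 'flags timeout' is left untouched, since the timeout flag also selects the rhash backend.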