From: Jeremy Sowden <jeremy@azazel.net>
To: Netfilter Devel <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH nft 0/2] Fix listing of sets containing unclosed address prefix intervals
Date: Sun, 18 Sep 2022 22:02:13 +0100
Message-ID: <YyeHVcD9xwO2hc/B@azazel.net>
In-Reply-To: <20220918172212.3681553-1-jeremy@azazel.net>
On 2022-09-18, at 18:22:10 +0100, Jeremy Sowden wrote:
> The code which decomposes unclosed intervals in sets doesn't check for
> prefixes. This means that a set containing such a prefix (e.g.,
> ff00::/8 or 192.0.0.0/2) is incorrectly listed:
The original Debian bug-report only covers the IPv6 case:
>     # nft list table ip6 t
>     table ip6 t {
>         chain c {
>             ip6 saddr ff00::/8 drop
>             ip6 saddr fe80::/10 drop
>             ip6 saddr { fe80::/10, ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } drop
>         }
>     }
To the reporter that range looked like a garbled address with a negative
hex number embedded in it, and when I read the report it looked like
that to me too. Inevitably, it was only after I sent this patch-set
that I finally parsed it correctly as the range ff00:: to
ffff:ffff:...:ffff:ffff, largely because of the IPv4 case:
>     # nft list table ip t
>     table ip t {
>         chain c {
>             ip saddr 192.0.0.0/2 drop
>             ip saddr 10.0.0.0/8 drop
>             ip saddr { 10.0.0.0/8, 192.0.0.0-255.255.255.255 } drop
>         }
>     }
which, to me at least, is easier to read.
The reason that I bring this up is that I should probably have phrased
the commit messages differently and avoided the use of "correct" and
"incorrect" if I hadn't misparsed the IPv6 range, like the original
reporter, since the ranges currently output are unexpected (and arguably
confusing), rather than wrong. I'm happy to reword the commits if you
would like.
J.
> This patch-set refactors `interval_map_decompose` to use the same code
> to handle unclosed intervals that is used for closed ones.
>
> Jeremy Sowden (2):
> segtree: refactor decomposition of closed intervals
> segtree: fix decomposition of unclosed intervals containing address
> prefixes
>
> src/segtree.c | 90 +++++++++----------
> .../sets/0071unclosed_prefix_interval_0 | 23 +++++
> .../dumps/0071unclosed_prefix_interval_0.nft | 19 ++++
> 3 files changed, 85 insertions(+), 47 deletions(-)
> create mode 100755 tests/shell/testcases/sets/0071unclosed_prefix_interval_0
> create mode 100644 tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft
>
> --
> 2.35.1
>
>
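The listing quirk discussed in this thread comes down to one check: when a set interval runs to the end of the address space (an "unclosed" interval), is it also a single prefix? The two ranges quoted above, ff00:: to ffff:ffff:...:ffff and 192.0.0.0 to 255.255.255.255, are exactly ff00::/8 and 192.0.0.0/2. The following C program is an added illustration of that check; it is not nft's segtree code, and the function names and the convention that a NULL upper bound marks an unclosed interval are my own.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Return the prefix length p such that the closed range [lo, hi] of
 * nbytes-byte addresses is exactly the prefix lo/p, or -1 if the range
 * is not a single prefix.  (Illustrative helper, not nft's segtree code.) */
static int range_prefix_len(const unsigned char *lo, const unsigned char *hi,
                            int nbytes)
{
    int nbits = nbytes * 8;
    int p, i;

    /* The leading bits on which lo and hi agree form the candidate prefix. */
    for (p = 0; p < nbits; p++) {
        int byte = p / 8, bit = 7 - p % 8;
        if (((lo[byte] >> bit) & 1) != ((hi[byte] >> bit) & 1))
            break;
    }
    /* Below that prefix, lo must be all zeros and hi all ones. */
    for (i = p; i < nbits; i++) {
        int byte = i / 8, bit = 7 - i % 8;
        if (((lo[byte] >> bit) & 1) || !((hi[byte] >> bit) & 1))
            return -1;
    }
    return p;
}

/* Format an interval the way a listing should show it: "lo" for a single
 * address, "lo/p" when [lo, hi] is exactly one prefix, "lo-hi" otherwise.
 * hi_s == NULL marks an unclosed interval, i.e. one running to the end of
 * the address space.  Returns a static buffer, or NULL on invalid input. */
const char *format_interval(const char *lo_s, const char *hi_s)
{
    static char out[2 * INET6_ADDRSTRLEN + 8];
    unsigned char lo[16], hi[16];
    char lo_c[INET6_ADDRSTRLEN], hi_c[INET6_ADDRSTRLEN];
    int af, nbytes, p;

    if (inet_pton(AF_INET, lo_s, lo) == 1) {
        af = AF_INET;  nbytes = 4;
    } else if (inet_pton(AF_INET6, lo_s, lo) == 1) {
        af = AF_INET6; nbytes = 16;
    } else {
        return NULL;
    }
    if (hi_s == NULL)
        memset(hi, 0xff, nbytes);          /* unclosed: up to the all-ones address */
    else if (inet_pton(af, hi_s, hi) != 1)
        return NULL;                       /* bad address or mixed families */
    if (memcmp(lo, hi, nbytes) > 0)
        return NULL;                       /* inverted interval */

    inet_ntop(af, lo, lo_c, sizeof lo_c);
    inet_ntop(af, hi, hi_c, sizeof hi_c);
    p = range_prefix_len(lo, hi, nbytes);
    if (p == nbytes * 8)
        snprintf(out, sizeof out, "%s", lo_c);
    else if (p >= 0)
        snprintf(out, sizeof out, "%s/%d", lo_c, p);
    else
        snprintf(out, sizeof out, "%s-%s", lo_c, hi_c);
    return out;
}

int main(void)
{
    /* The two unclosed intervals from the bug report, plus one that is not
     * a prefix and so must stay a range. */
    printf("%s\n", format_interval("ff00::", NULL));     /* ff00::/8 */
    printf("%s\n", format_interval("192.0.0.0", NULL));  /* 192.0.0.0/2 */
    printf("%s\n", format_interval("10.0.0.1", NULL));   /* 10.0.0.1-255.255.255.255 */
    return 0;
}
```

The prefix test is the same for closed and unclosed intervals once the upper bound is materialised as the all-ones address, which is the point of handling both kinds of interval with one code path.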
Thread overview: 7+ messages
2022-09-18 17:22 [PATCH nft 0/2] Fix listing of sets containing unclosed address prefix intervals Jeremy Sowden
2022-09-18 17:22 ` [PATCH nft 1/2] segtree: refactor decomposition of closed intervals Jeremy Sowden
2022-09-18 17:22 ` [PATCH nft 2/2] segtree: fix decomposition of unclosed intervals containing address prefixes Jeremy Sowden
2022-09-21 11:48 ` Florian Westphal
2022-09-21 19:46 ` Jeremy Sowden
2022-09-21 20:26 ` Florian Westphal
2022-09-18 21:02 ` Jeremy Sowden [this message]