netfilter.vger.kernel.org archive mirror
* nft reset element crashes with error BUG: unhandled op 8
@ 2025-02-28 14:11 Michael Menge
  2025-02-28 14:25 ` Florian Westphal
  0 siblings, 1 reply; 7+ messages in thread
From: Michael Menge @ 2025-02-28 14:11 UTC (permalink / raw)
  To: netfilter

Hi,

I want to use a named set in nftables to restrict outgoing http(s) connections only to update servers. As the update servers are behind CDNs with multiple changing IPs, I need to automatically update the named set.

I discovered that "reset element" was added to the nft command, which should enable me to reset the timeout without removing the IPs already in the set, and to keep a clean list of IPs.

Fetch the list of IPs, then call
"nft add element inet filter updatesv4 {a.b.c.d timeout 1h}" and
"nft reset element inet filter updatesv4 {a.b.c.d}" for each IP.

(I know that I can use multiple IPs in the add and reset element commands.)

In my test I triggered the following error:
===
[root@mail ~]# nft add element inet filter updatesv4 {1.2.3.4 timeout 1h}
[root@mail ~]# nft list set inet filter updatesv4
table inet filter {
	set updatesv4 {
		type ipv4_addr
		flags interval,timeout
		elements = { 1.2.3.4 timeout 1h expires 59m53s324ms }
	}
}
[root@mail ~]# nft reset element inet filter updatesv4 {1.2.3.4}
BUG: unhandled op 8
nft: evaluate.c:1734: interval_set_eval: Assertion `0' failed.
Aborted (core dumped)
[root@mail ~]#
===
I am using:
- AlmaLinux release 9.5 (Teal Serval)
- Kernel 5.14.0-503.23.2.el9_5.x86_64
- nftables-1.0.9-3.el9.x86_64

I could not find any related bugs in bugzilla.
Is this a known bug? Is it already fixed in a newer version?
Should this have worked?
How can I help to debug/fix this?

Kind Regards

    Michael Menge

--
--------------------------------------------------------------------------------
Michael Menge                          Tel.: (49) 7071 / 29-70316
Universität Tübingen                   Fax.: (49) 7071 / 29-5912
Zentrum für Datenverarbeitung          mail:  michael.menge@zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen



* Re: nft reset element crashes with error BUG: unhandled op 8
  2025-02-28 14:11 nft reset element crashes with error BUG: unhandled op 8 Michael Menge
@ 2025-02-28 14:25 ` Florian Westphal
  2025-02-28 15:16   ` Michael Menge
                     ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Florian Westphal @ 2025-02-28 14:25 UTC (permalink / raw)
  To: Michael Menge; +Cc: netfilter

Michael Menge <michael.menge@zdv.uni-tuebingen.de> wrote:
> I want to use a named set in nftables to restrict outgoing http(s) connections
> only to update servers. As the update servers are behind CDNs with multiple
> changing IPs, I need to automatically update the named set.
> 
> I discovered that "reset element" was added to the nft command, which should
> enable me to reset the timeout without removing the IPs already in the set,
> and to keep a clean list of IPs.

No, you can update existing element timeouts:
nft add element inet filter updatesv4 {1.2.3.4 timeout 1h expires 1h}

reset will not affect the timeout, only quota or counters.

> Fetch list of IPs, Call
> "nft add element inet filter updatesv4 {a.b.c.d timeout 1h}" and
> "nft reset element inet filter updatesv4 {a.b.c.d}" for each IP
> 
> (I know that I can use multiple IPs in the add and reset element commands.)
> 
> In my test I triggered the following error:
> ===
> [root@mail ~]# nft add element inet filter updatesv4 {1.2.3.4 timeout 1h}
> [root@mail ~]# nft list set inet filter updatesv4
> table inet filter {
> 	set updatesv4 {
> 		type ipv4_addr
> 		flags interval,timeout
> 		elements = { 1.2.3.4 timeout 1h expires 59m53s324ms }
> 	}
> }
> [root@mail ~]# nft reset element inet filter updatesv4 {1.2.3.4}
> BUG: unhandled op 8
> nft: evaluate.c:1734: interval_set_eval: Assertion `0' failed.
> Aborted (core dumped)

This should be the right fix, I will submit this formally later:
diff --git a/src/evaluate.c b/src/evaluate.c
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1946,6 +1946,7 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set,
 				 ctx->nft->debug_mask);
 		break;
 	case CMD_GET:
+	case CMD_RESET:
 		break;
 	default:
 		BUG("unhandled op %d\n", ctx->cmd->op);
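Review bot: adding `case CMD_RESET:` beside `case CMD_GET:` stops interval_set_eval() from reaching BUG() for `reset element`, but the hunk carries no test: a regression test in the nft test suite built from the reproducer in this thread (an `interval,timeout` set, `add element ... timeout 1h`, then `reset element`) would keep this path covered, and the commit message should record that reset leaves timeouts untouched and only affects counters and quotas, as stated earlier in the thread, so the shared `break` reads as intentional rather than as a fall-through.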



* Re: nft reset element crashes with error BUG: unhandled op 8
  2025-02-28 14:25 ` Florian Westphal
@ 2025-02-28 15:16   ` Michael Menge
  2025-03-03 15:50   ` Michael Menge
  2025-03-05 22:22   ` Pablo Neira Ayuso
  2 siblings, 0 replies; 7+ messages in thread
From: Michael Menge @ 2025-02-28 15:16 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter



Quoting Florian Westphal <fw@strlen.de>:

> Michael Menge <michael.menge@zdv.uni-tuebingen.de> wrote:
>> I want to use a named set in nftables to restrict outgoing http(s) connections
>> only to update servers. As the update servers are behind CDNs with multiple
>> changing IPs, I need to automatically update the named set.
>>
>> I discovered that "reset element" was added to the nft command, which should
>> enable me to reset the timeout without removing the IPs already in the set,
>> and to keep a clean list of IPs.
>
> No, you can update existing element timeouts:
> nft add element inet filter updatesv4 {1.2.3.4 timeout 1h expires 1h}

Even better. IMHO the wiki needs to be clarified.

Quoting https://wiki.nftables.org/wiki-nftables/index.php/Element_timeout :

> timeout and expires parameters cannot be modified in this case. The element should be recreated again if you need to reset them.



Quoting Florian Westphal <fw@strlen.de>:

> This should be the right fix, I will submit this formally later:

thx





* Re: nft reset element crashes with error BUG: unhandled op 8
  2025-02-28 14:25 ` Florian Westphal
  2025-02-28 15:16   ` Michael Menge
@ 2025-03-03 15:50   ` Michael Menge
  2025-03-03 22:52     ` Pablo Neira Ayuso
  2025-03-05 22:22   ` Pablo Neira Ayuso
  2 siblings, 1 reply; 7+ messages in thread
From: Michael Menge @ 2025-03-03 15:50 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter


Quoting Florian Westphal <fw@strlen.de>:


> No, you can update existing element timeouts:
> nft add element inet filter updatesv4 {1.2.3.4 timeout 1h expires 1h}

I did test this, but it does not reset the "expires" counter.
In which kernel/netfilter version was this implemented?

Kind Regards

    Michael





* Re: nft reset element crashes with error BUG: unhandled op 8
  2025-03-03 15:50   ` Michael Menge
@ 2025-03-03 22:52     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2025-03-03 22:52 UTC (permalink / raw)
  To: Michael Menge; +Cc: Florian Westphal, netfilter

On Mon, Mar 03, 2025 at 04:50:22PM +0100, Michael Menge wrote:
> 
> Quoting Florian Westphal <fw@strlen.de>:
> 
> 
> > No, you can update existing element timeouts:
> > nft add element inet filter updatesv4 {1.2.3.4 timeout 1h expires 1h}
> 
> I did test this, but it does not reset the "expires" counter.
> In which kernel/netfilter version was this implemented?

Linux kernel >= 6.12

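The refresh procedure the thread converges on (re-add each IP with `timeout X expires X`, which the kernel honours for an existing element only from 6.12 on) is easy to get wrong when scripted one `nft` call per address. The following is an added example, not code from the thread or from the nftables project: it validates and deduplicates a fetched IP list, checks the running kernel release against the 6.12 threshold Pablo names, and emits a single `nft -f` batch so the whole update is applied as one atomic transaction. The set name `inet filter updatesv4` is the one from the thread; the flush-and-refill fallback for kernels older than 6.12 is my assumption (it recreates the elements, as the wiki suggests, at the cost of dropping addresses not in the current fetch), and `SAMPLE_IPS` is a constructed input.

```python
import ipaddress
import os
import re
import subprocess
from typing import Iterable

# Constructed sample input, as a CDN resolver script might return it:
# a duplicate, a CIDR block, one junk entry and an IPv6 address to be ignored.
SAMPLE_IPS = ["1.2.3.4", "1.2.3.4", "198.51.100.0/24", "not-an-ip",
              "2001:db8::1", "203.0.113.7"]

# Kernel version from which 'add element ... expires' refreshes an existing
# element's expiry (per the thread: Linux >= 6.12).
EXPIRES_UPDATE_MIN_KERNEL = (6, 12)


def kernel_supports_expires_update(release: str) -> bool:
    """Parse 'MAJOR.MINOR...' from a uname release string and compare it
    against the 6.12 threshold. Raises on an unparseable string rather than
    silently assuming support."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2))) >= EXPIRES_UPDATE_MIN_KERNEL


def normalise_ipv4(entries: Iterable[str]) -> list[str]:
    """Validate, deduplicate and sort entries; drop anything that is not
    IPv4. Returns nft element syntax: 'a.b.c.d' or 'a.b.c.d/len' (the set in
    the thread has the 'interval' flag, so prefixes are valid elements)."""
    nets = set()
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            continue  # junk input never reaches the nft parser
        if net.version == 4:
            nets.add(net)
    return [str(n.network_address) if n.prefixlen == 32 else str(n)
            for n in sorted(nets)]


def build_refresh_batch(entries: Iterable[str], table: str, set_name: str,
                        timeout: str, kernel_release: str,
                        family: str = "inet") -> str:
    """Build the text of an 'nft -f' batch that refreshes every element.

    On kernels >= 6.12 one 'add element' with 'timeout T expires T' both
    inserts new addresses and resets the expiry of existing ones.  On older
    kernels the timeout of an existing element is left untouched, so the
    batch flushes the set and re-adds everything; because nft -f applies the
    file as a single transaction there is no window with an empty set.
    """
    ips = normalise_ipv4(entries)
    if not ips:
        raise ValueError("no valid IPv4 entries; refusing to touch the set")
    lines = []
    if kernel_supports_expires_update(kernel_release):
        elems = ", ".join(f"{ip} timeout {timeout} expires {timeout}" for ip in ips)
    else:
        lines.append(f"flush set {family} {table} {set_name}")
        elems = ", ".join(f"{ip} timeout {timeout}" for ip in ips)
    lines.append(f"add element {family} {table} {set_name} {{ {elems} }}")
    return "\n".join(lines) + "\n"


def apply_batch(batch: str) -> None:
    """Feed the batch to 'nft -f -' (requires root and nftables installed)."""
    subprocess.run(["nft", "-f", "-"], input=batch, text=True, check=True)


if __name__ == "__main__":
    release = os.uname().release
    batch = build_refresh_batch(SAMPLE_IPS, "filter", "updatesv4", "1h", release)
    print(batch, end="")
    # apply_batch(batch)  # uncomment on a host where the set exists
```

Run it as root with the comment on `apply_batch` removed, or pipe its output to `nft -c -f -` first to have nft check the batch without applying it.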

* Re: nft reset element crashes with error BUG: unhandled op 8
  2025-02-28 14:25 ` Florian Westphal
  2025-02-28 15:16   ` Michael Menge
  2025-03-03 15:50   ` Michael Menge
@ 2025-03-05 22:22   ` Pablo Neira Ayuso
  2025-03-06  2:46     ` Florian Westphal
  2 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2025-03-05 22:22 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Michael Menge, netfilter, netfilter-devel

On Fri, Feb 28, 2025 at 03:25:07PM +0100, Florian Westphal wrote:
> Michael Menge <michael.menge@zdv.uni-tuebingen.de> wrote:
> > I want to use a named set in nftables to restrict outgoing http(s) connections
> > only to update servers. As the update servers are behind CDNs with multiple
> > changing IPs, I need to automatically update the named set.
> > 
> > I discovered that "reset element" was added to the nft command, which should
> > enable me to reset the timeout without removing the IPs already in the set,
> > and to keep a clean list of IPs.
> 
> No, you can update existing element timeouts:
> nft add element inet filter updatesv4 {1.2.3.4 timeout 1h expires 1h}
> 
> reset will not affect the timeout, only quota or counters.
> 
> > Fetch list of IPs, Call
> > "nft add element inet filter updatesv4 {a.b.c.d timeout 1h}" and
> > "nft reset element inet filter updatesv4 {a.b.c.d}" for each IP
> > 
> > (I know that I can use multiple IPs in the add and reset element commands.)
> > 
> > In my test I triggered the following error:
> > ===
> > [root@mail ~]# nft add element inet filter updatesv4 {1.2.3.4 timeout 1h}
> > [root@mail ~]# nft list set inet filter updatesv4
> > table inet filter {
> > 	set updatesv4 {
> > 		type ipv4_addr
> > 		flags interval,timeout
> > 		elements = { 1.2.3.4 timeout 1h expires 59m53s324ms }
> > 	}
> > }
> > [root@mail ~]# nft reset element inet filter updatesv4 {1.2.3.4}
> > BUG: unhandled op 8
> > nft: evaluate.c:1734: interval_set_eval: Assertion `0' failed.
> > Aborted (core dumped)
> 
> This should be the right fix, I will submit this formally later:
> diff --git a/src/evaluate.c b/src/evaluate.c
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1946,6 +1946,7 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set,
>  				 ctx->nft->debug_mask);
>  		break;
>  	case CMD_GET:
> +	case CMD_RESET:
>  		break;
>  	default:
>  		BUG("unhandled op %d\n", ctx->cmd->op);

Patch looks good, would you please merge this upstream?

Thanks.


* Re: nft reset element crashes with error BUG: unhandled op 8
  2025-03-05 22:22   ` Pablo Neira Ayuso
@ 2025-03-06  2:46     ` Florian Westphal
  0 siblings, 0 replies; 7+ messages in thread
From: Florian Westphal @ 2025-03-06  2:46 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: Florian Westphal, Michael Menge, netfilter, netfilter-devel

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >  	case CMD_GET:
> > +	case CMD_RESET:
> >  		break;
> >  	default:
> >  		BUG("unhandled op %d\n", ctx->cmd->op);
> 
> Patch looks good, would you please merge this upstream?

I found more issues while creating a test case for this,
patch will come with additional fixes and tests later today.

