expires larger than timeout causes error

expires larger than timeout causes error

[lilydjwg]

I have an IPv4 set with timeout 2d, but update its elements to 4d when
a rule matches. It was fine until kernel is updated to 6.12.6 or 6.12.7.
E.g. the following snippet gives an error when importing:

table inet blocker {
        set spam_ips {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 2d
                elements = { 1.2.3.4 expires 3d }
        }
}

a.nft:7:16-22: Error: Could not process rule: Numerical result out of range
                elements = { 1.2.3.4 expires 3d }
                             ^^^^^^^

kernel 6.10.6 worked just fine. nftables cli v1.1.1.

Despite I can't import the set, existing elements can still be updated
to timeout more that 2d.

A new bug? Or a new limitation?

-- 
Best regards,
lilydjwg

Re: expires larger than timeout causes error

[Harshit Mogalapalli]

Hi,

On 29/12/24 15:30, lilydjwg wrote:
> I have an IPv4 set with timeout 2d, but update its elements to 4d when
> a rule matches. It was fine until kernel is updated to 6.12.6 or 6.12.7.
> E.g. the following snippet gives an error when importing:
> 
> table inet blocker {
>          set spam_ips {
>                  type ipv4_addr
>                  size 65535
>                  flags dynamic,timeout
>                  timeout 2d
>                  elements = { 1.2.3.4 expires 3d }
>          }
> }
> 
> a.nft:7:16-22: Error: Could not process rule: Numerical result out of range
>                  elements = { 1.2.3.4 expires 3d }
>                               ^^^^^^^
> 

Note: I looked through the commits and this looks like a relevant commit:


commit c0f38a8c60174368aed1d0f9965d733195f15033
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue Sep 3 01:06:58 2024 +0200

     netfilter: nf_tables: reject expiration higher than timeout

     Report ERANGE to userspace if user specifies an expiration larger than
     the timeout.

     Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger 
than 23 days")
     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index da75bc1de466..6c0c6f8a08a8 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6930,6 +6930,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, 
struct nft_set *set,
                                             &expiration);
                 if (err)
                         return err;
+
+               if (expiration > timeout)
+                       return -ERANGE;
         }

         if (nla[NFTA_SET_ELEM_EXPR]) {



Thanks,
Harshit

> kernel 6.10.6 worked just fine. nftables cli v1.1.1.
> 
> Despite I can't import the set, existing elements can still be updated
> to timeout more that 2d.
> 
> A new bug? Or a new limitation?
> 

Re: expires larger than timeout causes error

[Reindl Harald]

Am 29.12.24 um 11:00 schrieb lilydjwg:
> I have an IPv4 set with timeout 2d, but update its elements to 4d when
> a rule matches

why?

the timeout of the set typically is there to not mangle around with it 
for entries at all - new entries start with the spüecified timeout of 
the set and that's it

Name: BLOCKED_DYNAMIC_PORTSCAN_IPV4
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 45 bucketsize 12 
initval 0x040fb53b
Size in memory: 141688
Number of entries: 408

Members:
1.170.27.129 timeout 27
1.225.62.211 timeout 24
3.143.134.160 timeout 27
5.135.238.157 timeout 6
5.138.165.193 timeout 6
5.180.181.217 timeout 1

Re: expires larger than timeout causes error

[lilydjwg]

On Sun, Dec 29, 2024 at 06:01:48PM +0100, Reindl Harald wrote:
> 
> Am 29.12.24 um 11:00 schrieb lilydjwg:
>> I have an IPv4 set with timeout 2d, but update its elements to 4d when
>> a rule matches
> 
> why?

I just found it. With the timeout seperated, I could distinguish
frequent and active IPs from inactive / once.

Not very important to me. So I'll just stop doing so as it is
obviously not supported.

-- 
Best regards,
lilydjwg

Re: expires larger than timeout causes error

[Reindl Harald]

Am 30.12.24 um 16:19 schrieb lilydjwg:
> On Sun, Dec 29, 2024 at 06:01:48PM +0100, Reindl Harald wrote:
>>
>> Am 29.12.24 um 11:00 schrieb lilydjwg:
>>> I have an IPv4 set with timeout 2d, but update its elements to 4d when
>>> a rule matches
>>
>> why?
> 
> I just found it. With the timeout seperated, I could distinguish
> frequent and active IPs from inactive / once
you can't anyways that way - when the remaining value is 1 day you have 
no clue if it started with 2 or 4

Re: expires larger than timeout causes error

[Kerin Millar]

On Mon, 30 Dec 2024, at 3:40 PM, Reindl Harald wrote:
> Am 30.12.24 um 16:19 schrieb lilydjwg:
>> On Sun, Dec 29, 2024 at 06:01:48PM +0100, Reindl Harald wrote:
>>>
>>> Am 29.12.24 um 11:00 schrieb lilydjwg:
>>>> I have an IPv4 set with timeout 2d, but update its elements to 4d when
>>>> a rule matches
>>>
>>> why?
>> 
>> I just found it. With the timeout seperated, I could distinguish
>> frequent and active IPs from inactive / once
> you can't anyways that way - when the remaining value is 1 day you have 
> no clue if it started with 2 or 4

They can.

# nft 'table ip t { set s { type ipv4_addr; timeout 2d; }; }'
# nft 'add element ip t s { 1.2.3.4 }'
# nft 'add element ip t s { 1.2.3.5 timeout 4d }'
# nft list set ip t s
table ip t {
        set s {
                type ipv4_addr
                timeout 2d
                elements = { 1.2.3.4 expires 1d23h59m54s923ms, 1.2.3.5 timeout 4d expires 3d23h59m58s323ms }
        }
}

-- 
Kerin Millar

Re: expires larger than timeout causes error

[Pablo Neira Ayuso]

On Sun, Dec 29, 2024 at 06:00:36PM +0800, lilydjwg wrote:
> I have an IPv4 set with timeout 2d, but update its elements to 4d when
> a rule matches. It was fine until kernel is updated to 6.12.6 or 6.12.7.
> E.g. the following snippet gives an error when importing:
> 
> table inet blocker {
>         set spam_ips {
>                 type ipv4_addr
>                 size 65535
>                 flags dynamic,timeout
>                 timeout 2d
>                 elements = { 1.2.3.4 expires 3d }
>         }
> }
> 
> a.nft:7:16-22: Error: Could not process rule: Numerical result out of range
>                 elements = { 1.2.3.4 expires 3d }
>                              ^^^^^^^
> 
> kernel 6.10.6 worked just fine. nftables cli v1.1.1.
> 
> Despite I can't import the set, existing elements can still be updated
> to timeout more that 2d.
> 
> A new bug? Or a new limitation?

You have to use _timeout_ to override the default set timeout policy
for your elements.

Thanks

Re: expires larger than timeout causes error

[Kerin Millar]

On Mon, 30 Dec 2024, at 10:57 AM, Pablo Neira Ayuso wrote:
> On Sun, Dec 29, 2024 at 06:00:36PM +0800, lilydjwg wrote:
>> I have an IPv4 set with timeout 2d, but update its elements to 4d when
>> a rule matches. It was fine until kernel is updated to 6.12.6 or 6.12.7.
>> E.g. the following snippet gives an error when importing:
>> 
>> table inet blocker {
>>         set spam_ips {
>>                 type ipv4_addr
>>                 size 65535
>>                 flags dynamic,timeout
>>                 timeout 2d
>>                 elements = { 1.2.3.4 expires 3d }
>>         }
>> }
>> 
>> a.nft:7:16-22: Error: Could not process rule: Numerical result out of range
>>                 elements = { 1.2.3.4 expires 3d }
>>                              ^^^^^^^
>> 
>> kernel 6.10.6 worked just fine. nftables cli v1.1.1.
>> 
>> Despite I can't import the set, existing elements can still be updated
>> to timeout more that 2d.
>> 
>> A new bug? Or a new limitation?
>
> You have to use _timeout_ to override the default set timeout policy
> for your elements.

It would be more intuitive were the circumflex characters to indicate "expires 3d" or "3d" as being at fault.

-- 
Kerin Millar

Re: expires larger than timeout causes error

[lilydjwg]

On Mon, Dec 30, 2024 at 11:57:02AM +0100, Pablo Neira Ayuso wrote:
> [...]
> 
> You have to use _timeout_ to override the default set timeout policy
> for your elements.

The "expires" comes from `nft list ruleset`. I tried to import
a previously exported ruleset, and it failed (and the circumflex
characters pointed to somewhere confusing).

"expires" works, as long as it is no longer than the default timeout.

-- 
Best regards,
lilydjwg