From: Pablo Neira Ayuso <pablo-AT-netfilter.org>
To: netfilter-devel-AT-vger.kernel.org
Subject: [PATCH nf-next,v2 0/4] nf_tables: complete interval overlap detection
Date: Mon, 02 Feb 2026 22:26:23 +0100
Message-ID: <20260202212627.946625-1-pablo@netfilter.org>
Hi,
This is v2 of the series to complete interval overlap detection.
This iteration fixes an issue reported by Florian Westphal, which comes
from the following scenario:
[1] nft add element inet filter saddr6limit { fee1::dead : "tarpit-pps" }
[2] nft create element inet filter saddr6limit { fee1::dead : "tarpit-pps" }
[3] nft add element inet filter saddr6limit { c01a::/64 : "tarpit-bps" } => EEXIST
[2] fails because the start element hits EEXIST due to the NLM_F_CREATE flag.
Then [3] finds the start_rbe_cookie from the previous command, which bogusly
reports EEXIST because the annotated start element is considered an open interval.
This is fixed by annotating the batch timestamp, which allows the
start_rbe_cookie to be reset in every new batch.
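The following is an added, simplified Python model of the failure mode described above; it is not kernel code and not part of this series. It reduces the rbtree to two sets of committed start/end keys plus a pending start_rbe_cookie, assumes the cookie is annotated when a start element is looked up (before the NLM_F_CREATE existence check fails), and treats any new start while a cookie is pending as an overlap. The `reset_cookie_per_batch` switch stands in for the batch-timestamp annotation in the fix; the key arithmetic uses the `ipaddress` module so the three commands from the scenario can be replayed with real IPv6 literals.

```python
# Simplified model (added example, not nft_set_rbtree code) of how a stale
# start_rbe_cookie left behind by a failed NLM_F_CREATE insert makes the next
# batch report a bogus EEXIST, and how resetting the cookie per batch fixes it.
import errno
import ipaddress

NLM_F_CREATE = 0x400  # netlink flag: fail with EEXIST if the object exists


def interval(elem):
    """Return (start_key, end_key) for an address or a CIDR prefix.

    A plain address yields start == end, i.e. the 'null interval' case.
    """
    net = ipaddress.IPv6Network(elem, strict=False)
    return int(net.network_address), int(net.broadcast_address)


class RbtreeModel:
    def __init__(self, reset_cookie_per_batch):
        self.reset_cookie_per_batch = reset_cookie_per_batch
        self.starts = set()            # committed start element keys
        self.ends = set()              # committed end element keys
        self.start_rbe_cookie = None   # pending start awaiting its end element
        self.cookie_batch = None       # batch timestamp the cookie belongs to

    def _insert(self, k, is_end, flags, batch_ts):
        # The fix: a cookie annotated by an earlier batch is stale, drop it.
        if self.reset_cookie_per_batch and self.cookie_batch != batch_ts:
            self.start_rbe_cookie = None
            self.cookie_batch = batch_ts
        if is_end:
            # An end element closes whatever start is pending.
            self.start_rbe_cookie = None
        else:
            if self.start_rbe_cookie is not None:
                # A start is still open: the new start is treated as overlapping.
                return errno.EEXIST
            # Model assumption: the start is annotated before the existence check.
            self.start_rbe_cookie = k
        store = self.ends if is_end else self.starts
        if k in store and flags & NLM_F_CREATE:
            return errno.EEXIST        # 'nft create' refuses an existing element
        store.add(k)
        return 0

    def run_batch(self, batch_ts, commands):
        """Replay one batch of (element, flags); abort at the first error."""
        for elem, flags in commands:
            start, end = interval(elem)
            err = self._insert(start, False, flags, batch_ts)
            if err:
                return err
            err = self._insert(end, True, flags, batch_ts)
            if err:
                return err
        return 0


def scenario(reset_cookie_per_batch):
    """Replay commands [1], [2], [3] from the cover letter in three batches."""
    s = RbtreeModel(reset_cookie_per_batch)
    results = (
        s.run_batch(1, [("fee1::dead", 0)]),             # [1] nft add element
        s.run_batch(2, [("fee1::dead", NLM_F_CREATE)]),  # [2] nft create element
        s.run_batch(3, [("c01a::/64", 0)]),              # [3] nft add element
    )
    return tuple(errno.errorcode.get(r, "OK") for r in results)


if __name__ == "__main__":
    print("without per-batch cookie reset:", scenario(False))
    print("with per-batch cookie reset:   ", scenario(True))
```

Without the reset, [2] leaves the cookie pointing at fee1::dead and [3] fails with EEXIST even though c01a::/64 does not overlap anything committed; with the reset, [2] still fails as NLM_F_CREATE demands and [3] succeeds.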
Pablo Neira Ayuso (4):
netfilter: nft_set_rbtree: fix bogus EEXIST with NLM_F_CREATE with null interval
netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets
netfilter: nft_set_rbtree: validate element belonging to interval
netfilter: nft_set_rbtree: validate open interval overlap
include/net/netfilter/nf_tables.h | 4 +
net/netfilter/nf_tables_api.c | 26 +++-
net/netfilter/nft_set_rbtree.c | 239 ++++++++++++++++++++++++++++--
3 files changed, 256 insertions(+), 13 deletions(-)
--
2.47.3