Hi,
On Wed, Jun 03, 2020 at 01:50:11AM +0200, Stefano Brivio wrote:
> While checking the validity of insertion in __nft_rbtree_insert(), we currently ignore conflicting elements and intervals only if they are not active within the next generation.
Yes, it seems I missed the insert path entirely when adding nft_set_elem_expired() checks. Assuming that it is fine that expired elements block insertions until gc-interval has passed, I missed the chance for one end of an interval to be accepted while the other is not.
Thanks for clearing up my mess!
[...]
> Reported-by: Mike Dillinger <miked@softtalker.com>
> Cc: <stable@vger.kernel.org> # 5.6.x
> Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
> Fixes: 7c84d41416d8 ("netfilter: nft_set_rbtree: Detect partial overlaps on insertion")
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Acked-by: Phil Sutter <phil@nwl.cc>
Cheers,
Phil