Commit 7711f4bb authored Dec 04, 2025 by Florian Westphal

netfilter: nft_set_pipapo: fix range overlap detection



set->klen has to be used, not sizeof().  The latter only compares a
single register but a full check of the entire key is needed.

Example:
table ip t {
        map s {
                typeof iifname . ip saddr : verdict
                flags interval
        }
}

nft add element t s '{ "lo" . 10.0.0.0/24 : drop }' # no error, expected
nft add element t s '{ "lo" . 10.0.0.0/24 : drop }' # no error, expected
nft add element t s '{ "lo" . 10.0.0.0/8 : drop }' # bug: no error

The 3rd 'add element' should be rejected via -ENOTEMPTY, not -EEXIST,
so userspace / nft can report an error to the user.

The latter is only correct for the 2nd case (re-add of existing element).

As-is, userspace is told that the command was successful, but no elements were
added.

After this patch, 3rd command gives:
Error: Could not process rule: File exists
add element t s { "lo" . 127.0.0.0/8 . "lo"  : drop }
                  ^^^^^^^^^^^^^^^^^^^^^^^^^

Fixes: 0eb4b5ee ("netfilter: nft_set_pipapo: Separate partial and complete overlap cases on insertion")
Signed-off-by: Florian Westphal <fw@strlen.de>

parent dbf8fe85

net/netfilter/nft_set_pipapo.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1317,8 +1317,8 @@ static int nft_pipapo_insert(const struct net net, const struct nft_set set,
		else
		dup_end = dup_key;

		if (!memcmp(start, dup_key->data, sizeof(*dup_key->data)) &&
		!memcmp(end, dup_end->data, sizeof(*dup_end->data))) {
		if (!memcmp(start, dup_key->data, set->klen) &&
		!memcmp(end, dup_end->data, set->klen)) {
		*elem_priv = &dup->priv;
		return -EEXIST;
		}