Fix: NFT_DYNSET_F_EXPR not supported for kernels < 5.11-rc3 #276
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@turekt As the original contributor of the dynset code, can you take a look at this PR please? Thank you. |
|
Hi @stapelberg and @Ignatella, this is a known issue previously discussed in #215. I have checked the original code and it seems that NFT_DYNSET_F_EXPR flag is set only when multiple expressions are used in dynset (see https://git.netfilter.org/nftables/tree/src/netlink_linearize.c?id=036a1eb3304995e4e000c552b9dfd33b1073ddb6#n1566) so this PR makes sense. Note that this will fix support for single expressions on older kernels but multiple expressions on older kernels will remain unsupported as NFT_DYNSET_F_EXPR flag should not be omitted for dynsets with multiple expressions. LGTM |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi!
We noticed that
NFT_DYNSET_F_EXPRflag added in v5.11-rc3 is also used with kernels which don't support NFTA_DYNSET_EXPRESSIONS (<v5.11-rc1). The flag was added in the patchset not to fail silently.The described behavior causes error for older kernels, what this contribution aims to fix.