[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230912114729.EFBC26320998@dd20004.kasserver.com>
Date: Tue, 12 Sep 2023 13:47:29 +0200 (CEST)
From: "Timo Sigurdsson" <public_timo.s@...entcreek.de>
To: regressions@...ts.linux.dev, fw@...len.de
Cc: pablo@...filter.org, kadlec@...filter.org, fw@...len.de,
davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, netfilter-devel@...r.kernel.org,
coreteam@...filter.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org,
sashal@...nel.org, carnil@...ian.org, 1051592@...s.debian.org
Subject: Re: Regression: Commit "netfilter: nf_tables: disallow rule addition
to bound chain via NFTA_RULE_CHAIN_ID" breaks ruleset loading in linux-stable
Hi,
Florian Westphal schrieb am 12.09.2023 12:27 (GMT +02:00):
> Linux regression tracking (Thorsten Leemhuis) <regressions@...mhuis.info>
> wrote:
>> On 12.09.23 00:57, Pablo Neira Ayuso wrote:
>> > Userspace nftables v1.0.6 generates incorrect bytecode that hits a new
>> > kernel check that rejects adding rules to bound chains. The incorrect
>> > bytecode adds the chain binding, attach it to the rule and it adds the
>> > rules to the chain binding. I have cherry-picked these three patches
>> > for nftables v1.0.6 userspace and your ruleset restores fine.
>> > [...]
>>
>> Hmmmm. Well, this sounds like a kernel regression to me that normally
>> should be dealt with on the kernel level, as users after updating the
>> kernel should never have to update any userspace stuff to continue what
>> they have been doing before the kernel update.
>
> This is a combo of a userspace bug and this new sanity check that
> rejects the incorrect ordering (adding rules to the already-bound
> anonymous chain).
>
Out of curiosity, did the incorrect ordering or bytecode from the older userspace components actually lead to a wrong representation of the rules in the kernel or did the rules still work despite all that?
Thanks,
Timo
Powered by blists - more mailing lists