lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <efbf5943-f136-4330-b896-d6b7a2d02796@kernel.org>
Date: Wed, 23 Oct 2024 16:01:29 +0200
From: Matthieu Baerts <matttbe@...nel.org>
To: Ilya Katsnelson <me@...ti.me>, Pablo Neira Ayuso <pablo@...filter.org>,
 Jozsef Kadlecsik <kadlec@...filter.org>,
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 Florian Westphal <fw@...len.de>, Sasha Levin <sashal@...nel.org>
Cc: netfilter-devel@...r.kernel.org, coreteam@...filter.org,
 netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] netfliter: xtables: fix typo causing some targets to not
 load on IPv6

Hi Ilya,

(+ add people/ML back in cc)

On 23/10/2024 14:11, Ilya K wrote:
>> Hi Ilya,
>>
>> On 18/10/2024 17:45, Ilya Katsnelson wrote:
>>> These were added with the wrong family in 4cdc55e, which seems
>>> to just have been a typo, but now ip6tables rules with --set-mark
>>> don't work anymore, which is pretty bad.
>>
>> Funny, with this patch, now the v4 version doesn't work any more, which
>> is pretty bad as well ;-)
>>
>> More seriously, it looks like your patch broke MPTCP selftests:
>>
>>
>> https://netdev-3.bots.linux.dev/vmksft-mptcp-dbg/results/826643/1-mptcp-join-sh/stdout
>>
>> Two tests are now failing, because they can no longer add a mark:
>>
>>> # iptables -t mangle -A OUTPUT -j MARK --set-mark 1
>>> Warning: Extension MARK revision 0 not supported, missing kernel module?
>>> iptables v1.8.10 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
>>
>> Please see below:
>>
>>> diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
>>> index d80abd6ccaf8f71fa70605fef7edada827a19ceb..6dcf4bc7e30b2ae364a1cd9ac8df954a90905c52 100644
>>> --- a/net/netfilter/xt_NFLOG.c
>>> +++ b/net/netfilter/xt_NFLOG.c
>>> @@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = {
>>>  	{
>>>  		.name       = "NFLOG",
>>>  		.revision   = 0,
>>> -		.family     = NFPROTO_IPV4,
>>> +		.family     = NFPROTO_IPV6,
>>
>> Here, by setting the family to v6 instead of v4, we now have two targets
>> that are exactly the same, both for v6:
>>
>>>   67   │ static struct xt_target nflog_tg_reg[] __read_mostly = {
>>>   68   │     {
>>>   69   │         .name       = "NFLOG",
>>>   70   │         .revision   = 0,
>>>   71   │         .family     = NFPROTO_IPV6,  /* <== The line you modified */
>>>   72   │         .checkentry = nflog_tg_check,
>>>   73   │         .destroy    = nflog_tg_destroy,
>>>   74   │         .target     = nflog_tg,
>>>   75   │         .targetsize = sizeof(struct xt_nflog_info),
>>>   76   │         .me         = THIS_MODULE,
>>>   77   │     },
>>>   78   │ #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
>>>   79   │     {
>>>   80   │         .name       = "NFLOG",
>>>   81   │         .revision   = 0,
>>>   82   │         .family     = NFPROTO_IPV6,  /* <== v6 was already there */
>>>   83   │         .checkentry = nflog_tg_check,
>>>   84   │         .destroy    = nflog_tg_destroy,
>>>   85   │         .target     = nflog_tg,
>>>   86   │         .targetsize = sizeof(struct xt_nflog_info),
>>>   87   │         .me         = THIS_MODULE,
>>>   88   │     },
>>>   89   │ #endif
>>>   90   │ };
>>
>> Are you sure you didn't have the bug you mentioned because your kernel
>> config doesn't have CONFIG_IP6_NF_IPTABLES?
>>
>>>  		.checkentry = nflog_tg_check,
>>>  		.destroy    = nflog_tg_destroy,
>>>  		.target     = nflog_tg,
>>> diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
>>> index f76fe04fc9a4e19f18ac323349ba6f22a00eafd7..65b965ca40ea7ea5d9feff381b433bf267a424c4 100644
>>> --- a/net/netfilter/xt_mark.c
>>> +++ b/net/netfilter/xt_mark.c
>>> @@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
>>>  	{
>>>  		.name           = "MARK",
>>>  		.revision       = 2,
>>> -		.family         = NFPROTO_IPV4,
>>> +		.family         = NFPROTO_IPV6,
>>
>> Same here.
>>
>> So I think this patch is not needed, right?
>>
>>>  		.target         = mark_tg,
>>>  		.targetsize     = sizeof(struct xt_mark_tginfo2),
>>>  		.me             = THIS_MODULE,
>>>
>>> ---
>>> base-commit: 75aa74d52f43e75d0beb20572f98529071b700e5
>>> change-id: 20241018-xtables-typos-dfeadb8b122d
>>>
>>> Best regards,
>>
>> Cheers,
>> Matt
> 
> The patch never got merged, but Pablo's very similar patch did. Are you
> by any chance applying my changes on top of a tree that also contains
> his?

Thank you for this reply!

Oh, sorry, I see the issue now, just an unlucky situation:

- On one hand, and probably because the issue was visible on stable too,
Pablo sent a new version changing the author and the title ("not to
load" vs "to not load") [1]. Because of that, the bot didn't mark the
previous version as superseded.

- On the other hand, the CI tried to apply all the pending patches,
including this patch here: when git tried to apply this patch, it
managed to find the exact same context a bit before, and then modified
the wrong line [2].

The two combined resulted in the CI trying to validate a buggy patch not
doing what it was intended to do.

>From what I understood, Paolo is changing the status of [1] and even [3]
on Patchwork, and soon the CI will stop using the wrong patch.

[1]
https://patchwork.kernel.org/project/netdevbpf/patch/20241021094536.81487-3-pablo@netfilter.org/
[2]
https://github.com/linux-netdev/testing/commit/096e5d7e7d38271b6353ecd197e8ec00a01dbfd3
[3]
https://patchwork.kernel.org/project/netdevbpf/patch/20241018162517.39154-1-ignat@cloudflare.com/

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ