| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <efbf5943-f136-4330-b896-d6b7a2d02796@kernel.org>
Date: Wed, 23 Oct 2024 16:01:29 +0200
From: Matthieu Baerts <matttbe@...nel.org>
To: Ilya Katsnelson <me@...ti.me>, Pablo Neira Ayuso <pablo@...filter.org>,
Jozsef Kadlecsik <kadlec@...filter.org>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Florian Westphal <fw@...len.de>, Sasha Levin <sashal@...nel.org>
Cc: netfilter-devel@...r.kernel.org, coreteam@...filter.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] netfliter: xtables: fix typo causing some targets to not
load on IPv6
Hi Ilya,
(+ add people/ML back in cc)
On 23/10/2024 14:11, Ilya K wrote:
>> Hi Ilya,
>>
>> On 18/10/2024 17:45, Ilya Katsnelson wrote:
>>> These were added with the wrong family in 4cdc55e, which seems
>>> to just have been a typo, but now ip6tables rules with --set-mark
>>> don't work anymore, which is pretty bad.
>>
>> Funny, with this patch, now the v4 version doesn't work any more, which
>> is pretty bad as well ;-)
>>
>> More seriously, it looks like your patch broke MPTCP selftests:
>>
>>
>> https://netdev-3.bots.linux.dev/vmksft-mptcp-dbg/results/826643/1-mptcp-join-sh/stdout
>>
>> Two tests are now failing, because they can no longer add a mark:
>>
>>> # iptables -t mangle -A OUTPUT -j MARK --set-mark 1
>>> Warning: Extension MARK revision 0 not supported, missing kernel module?
>>> iptables v1.8.10 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
>>
>> Please see below:
>>
>>> diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
>>> index d80abd6ccaf8f71fa70605fef7edada827a19ceb..6dcf4bc7e30b2ae364a1cd9ac8df954a90905c52 100644
>>> --- a/net/netfilter/xt_NFLOG.c
>>> +++ b/net/netfilter/xt_NFLOG.c
>>> @@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = {
>>> {
>>> .name = "NFLOG",
>>> .revision = 0,
>>> - .family = NFPROTO_IPV4,
>>> + .family = NFPROTO_IPV6,
>>
>> Here, by setting the family to v6 instead of v4, we now have two targets
>> that are exactly the same, both for v6:
>>
>>> 67 │ static struct xt_target nflog_tg_reg[] __read_mostly = {
>>> 68 │ {
>>> 69 │ .name = "NFLOG",
>>> 70 │ .revision = 0,
>>> 71 │ .family = NFPROTO_IPV6, /* <== The line you modified */
>>> 72 │ .checkentry = nflog_tg_check,
>>> 73 │ .destroy = nflog_tg_destroy,
>>> 74 │ .target = nflog_tg,
>>> 75 │ .targetsize = sizeof(struct xt_nflog_info),
>>> 76 │ .me = THIS_MODULE,
>>> 77 │ },
>>> 78 │ #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
>>> 79 │ {
>>> 80 │ .name = "NFLOG",
>>> 81 │ .revision = 0,
>>> 82 │ .family = NFPROTO_IPV6, /* <== v6 was already there */
>>> 83 │ .checkentry = nflog_tg_check,
>>> 84 │ .destroy = nflog_tg_destroy,
>>> 85 │ .target = nflog_tg,
>>> 86 │ .targetsize = sizeof(struct xt_nflog_info),
>>> 87 │ .me = THIS_MODULE,
>>> 88 │ },
>>> 89 │ #endif
>>> 90 │ };
>>
>> Are you sure you didn't have the bug you mentioned because your kernel
>> config doesn't have CONFIG_IP6_NF_IPTABLES?
>>
>>> .checkentry = nflog_tg_check,
>>> .destroy = nflog_tg_destroy,
>>> .target = nflog_tg,
>>> diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
>>> index f76fe04fc9a4e19f18ac323349ba6f22a00eafd7..65b965ca40ea7ea5d9feff381b433bf267a424c4 100644
>>> --- a/net/netfilter/xt_mark.c
>>> +++ b/net/netfilter/xt_mark.c
>>> @@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
>>> {
>>> .name = "MARK",
>>> .revision = 2,
>>> - .family = NFPROTO_IPV4,
>>> + .family = NFPROTO_IPV6,
>>
>> Same here.
>>
>> So I think this patch is not needed, right?
>>
>>> .target = mark_tg,
>>> .targetsize = sizeof(struct xt_mark_tginfo2),
>>> .me = THIS_MODULE,
>>>
>>> ---
>>> base-commit: 75aa74d52f43e75d0beb20572f98529071b700e5
>>> change-id: 20241018-xtables-typos-dfeadb8b122d
>>>
>>> Best regards,
>>
>> Cheers,
>> Matt
>
> The patch never got merged, but Pablo's very similar patch did. Are you
> by any chance applying my changes on top of a tree that also contains
> his?
Thank you for this reply!
Oh, sorry, I see the issue now, just an unlucky situation:
- On one hand, and probably because the issue was visible on stable too,
Pablo sent a new version changing the author and the title ("not to
load" vs "to not load") [1]. Because of that, the bot didn't mark the
previous version as superseded.
- On the other hand, the CI tried to apply all the pending patches,
including this patch here: when git tried to apply this patch, it
managed to find the exact same context a bit before, and then modified
the wrong line [2].
The two combined resulted in the CI trying to validate a buggy patch not
doing what it was intended to do.
>From what I understood, Paolo is changing the status of [1] and even [3]
on Patchwork, and soon the CI will stop using the wrong patch.
[1]
https://patchwork.kernel.org/project/netdevbpf/patch/20241021094536.81487-3-pablo@netfilter.org/
[2]
https://github.com/linux-netdev/testing/commit/096e5d7e7d38271b6353ecd197e8ec00a01dbfd3
[3]
https://patchwork.kernel.org/project/netdevbpf/patch/20241018162517.39154-1-ignat@cloudflare.com/
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
Powered by blists - more mailing lists