Message-ID: <fde8d1b6-9812-418c-8ba4-ae2384251ee7@kernel.org>
Date: Wed, 23 Oct 2024 11:56:18 +0200
From: Matthieu Baerts <matttbe@...nel.org>
To: Ilya Katsnelson <me@...ti.me>, Pablo Neira Ayuso <pablo@...filter.org>,
 Jozsef Kadlecsik <kadlec@...filter.org>,
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 Florian Westphal <fw@...len.de>, Sasha Levin <sashal@...nel.org>
Cc: netfilter-devel@...r.kernel.org, coreteam@...filter.org,
 netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] netfliter: xtables: fix typo causing some targets to not
 load on IPv6

Hi Ilya,

On 18/10/2024 17:45, Ilya Katsnelson wrote:
> These were added with the wrong family in 4cdc55e, which seems
> to just have been a typo, but now ip6tables rules with --set-mark
> don't work anymore, which is pretty bad.

Funny, with this patch, now the v4 version doesn't work any more, which
is pretty bad as well ;-)

More seriously, it looks like your patch broke MPTCP selftests:
https://netdev-3.bots.linux.dev/vmksft-mptcp-dbg/results/826643/1-mptcp-join-sh/stdout

Two tests are now failing, because they can no longer add a mark:

> # iptables -t mangle -A OUTPUT -j MARK --set-mark 1
> Warning: Extension MARK revision 0 not supported, missing kernel module?
> iptables v1.8.10 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain OUTPUT

Please see below:

> diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
> index d80abd6ccaf8f71fa70605fef7edada827a19ceb..6dcf4bc7e30b2ae364a1cd9ac8df954a90905c52 100644
> --- a/net/netfilter/xt_NFLOG.c
> +++ b/net/netfilter/xt_NFLOG.c
> @@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = {
>  	{
>  		.name       = "NFLOG",
>  		.revision   = 0,
> -		.family     = NFPROTO_IPV4,
> +		.family     = NFPROTO_IPV6,

Here, by setting the family to v6 instead of v4, we now have two targets
that are exactly the same, both for v6:

> static struct xt_target nflog_tg_reg[] __read_mostly = {
>     {
>         .name       = "NFLOG",
>         .revision   = 0,
>         .family     = NFPROTO_IPV6,  /* <== The line you modified */
>         .checkentry = nflog_tg_check,
>         .destroy    = nflog_tg_destroy,
>         .target     = nflog_tg,
>         .targetsize = sizeof(struct xt_nflog_info),
>         .me         = THIS_MODULE,
>     },
> #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
>     {
>         .name       = "NFLOG",
>         .revision   = 0,
>         .family     = NFPROTO_IPV6,  /* <== v6 was already there */
>         .checkentry = nflog_tg_check,
>         .destroy    = nflog_tg_destroy,
>         .target     = nflog_tg,
>         .targetsize = sizeof(struct xt_nflog_info),
>         .me         = THIS_MODULE,
>     },
> #endif
> };

Are you sure you didn't have the bug you mentioned because your kernel
config doesn't have CONFIG_IP6_NF_IPTABLES?

>  		.checkentry = nflog_tg_check,
>  		.destroy    = nflog_tg_destroy,
>  		.target     = nflog_tg,
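Review bot: Logic problem in the `.family` change on the first nflog_tg_reg entry: flipping it from NFPROTO_IPV4 to NFPROTO_IPV6 leaves the NFLOG target with no IPv4 registration at all, while the second entry guarded by `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` (quoted above) already registers the same target for IPv6, so after this hunk the array carries two identical v6 entries and none for v4. Suggest dropping this hunk; if ip6tables genuinely cannot load NFLOG, the thing to verify is that the kernel was built with CONFIG_IP6_NF_IPTABLES so the existing v6 entry is compiled in, rather than retargeting the v4 entry.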
> diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
> index f76fe04fc9a4e19f18ac323349ba6f22a00eafd7..65b965ca40ea7ea5d9feff381b433bf267a424c4 100644
> --- a/net/netfilter/xt_mark.c
> +++ b/net/netfilter/xt_mark.c
> @@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
>  	{
>  		.name           = "MARK",
>  		.revision       = 2,
> -		.family         = NFPROTO_IPV4,
> +		.family         = NFPROTO_IPV6,

Same here.

So I think this patch is not needed, right?

>  		.target         = mark_tg,
>  		.targetsize     = sizeof(struct xt_mark_tginfo2),
>  		.me             = THIS_MODULE,
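Review bot: Same logic problem on the MARK revision 2 entry of mark_tg_reg: `.family = NFPROTO_IPV6` here removes the only IPv4 registration of that entry, which matches the quoted selftest failure where `iptables -t mangle -A OUTPUT -j MARK --set-mark 1` can no longer find a MARK target and the rule append fails. Suggest dropping this hunk as well. A style point on the series while respinning: the subject line spells the subsystem "netfliter", which should be "netfilter".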
> 
> ---
> base-commit: 75aa74d52f43e75d0beb20572f98529071b700e5
> change-id: 20241018-xtables-typos-dfeadb8b122d
> 
> Best regards,

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.
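A check for the situation discussed in this thread, added here as an example that is not part of the email or of the kernel patch: it reports which of the named xtables targets are registered for only one of the two families, and whether CONFIG_IP6_NF_IPTABLES is set in the running kernel's config. It assumes the /proc/net/ip_tables_targets and /proc/net/ip6_tables_targets files (one target name per line, present once ip_tables / ip6_tables are loaded); the sample lists are constructed.

```python
# The kernel lists the targets registered per family, one name per line, in
# /proc/net/ip_tables_targets (NFPROTO_IPV4) and /proc/net/ip6_tables_targets
# (NFPROTO_IPV6) once ip_tables / ip6_tables are loaded; an NFPROTO_UNSPEC
# entry shows up under both families.
import os
import re

PROC_TARGETS = {"ipv4": "/proc/net/ip_tables_targets",
                "ipv6": "/proc/net/ip6_tables_targets"}

# Constructed sample (not real output) of what the two files would show with the
# patch from this thread applied: MARK and NFLOG are registered for v6 only.
SAMPLE_V4 = "LOG\nREJECT\n"
SAMPLE_V6 = "LOG\nMARK\nMARK\nNFLOG\nREJECT\n"


def parse_target_list(text):
    """One target name per line; each revision repeats the name."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def family_gaps(lists, wanted):
    """lists maps family -> proc file text. Returns {target: [families that
    lack it]} for every target in `wanted` not registered for all families."""
    registered = {fam: parse_target_list(text) for fam, text in lists.items()}
    gaps = {}
    for name in wanted:
        missing = [fam for fam, regs in registered.items() if name not in regs]
        if missing:
            gaps[name] = missing
    return gaps


def ip6_nf_iptables_state(config_text):
    """True/False if CONFIG_IP6_NF_IPTABLES is set/unset in a .config, else None."""
    if re.search(r"^CONFIG_IP6_NF_IPTABLES=[ym]$", config_text, re.M):
        return True
    if re.search(r"^# CONFIG_IP6_NF_IPTABLES is not set$", config_text, re.M):
        return False
    return None


if __name__ == "__main__":
    live = {fam: open(p).read() for fam, p in PROC_TARGETS.items() if os.path.exists(p)}
    lists = live or {"ipv4": SAMPLE_V4, "ipv6": SAMPLE_V6}  # fall back to the sample
    print("targets missing a family:", family_gaps(lists, ["MARK", "NFLOG"]))
    cfg = "/boot/config-" + os.uname().release
    if os.path.exists(cfg):
        print("CONFIG_IP6_NF_IPTABLES:", ip6_nf_iptables_state(open(cfg).read()))
```

On a system where the proc files exist it reads the live lists; elsewhere it runs on the constructed sample so the output shape can be seen.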