| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fde8d1b6-9812-418c-8ba4-ae2384251ee7@kernel.org>
Date: Wed, 23 Oct 2024 11:56:18 +0200
From: Matthieu Baerts <matttbe@...nel.org>
To: Ilya Katsnelson <me@...ti.me>, Pablo Neira Ayuso <pablo@...filter.org>,
Jozsef Kadlecsik <kadlec@...filter.org>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Florian Westphal <fw@...len.de>, Sasha Levin <sashal@...nel.org>
Cc: netfilter-devel@...r.kernel.org, coreteam@...filter.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] netfliter: xtables: fix typo causing some targets to not
load on IPv6
Hi Ilya,
On 18/10/2024 17:45, Ilya Katsnelson wrote:
> These were added with the wrong family in 4cdc55e, which seems
> to just have been a typo, but now ip6tables rules with --set-mark
> don't work anymore, which is pretty bad.
Funny, with this patch, now the v4 version doesn't work any more, which
is pretty bad as well ;-)
More seriously, it looks like your patch broke MPTCP selftests:
https://netdev-3.bots.linux.dev/vmksft-mptcp-dbg/results/826643/1-mptcp-join-sh/stdout
Two tests are now failing, because they can no longer add a mark:
> # iptables -t mangle -A OUTPUT -j MARK --set-mark 1
> Warning: Extension MARK revision 0 not supported, missing kernel module?
> iptables v1.8.10 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
Please see below:
> diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
> index d80abd6ccaf8f71fa70605fef7edada827a19ceb..6dcf4bc7e30b2ae364a1cd9ac8df954a90905c52 100644
> --- a/net/netfilter/xt_NFLOG.c
> +++ b/net/netfilter/xt_NFLOG.c
> @@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = {
> {
> .name = "NFLOG",
> .revision = 0,
> - .family = NFPROTO_IPV4,
> + .family = NFPROTO_IPV6,
Here, by setting the family to v6 instead of v4, we now have two targets
that are exactly the same, both for v6:
> 67 │ static struct xt_target nflog_tg_reg[] __read_mostly = {
> 68 │ {
> 69 │ .name = "NFLOG",
> 70 │ .revision = 0,
> 71 │ .family = NFPROTO_IPV6, /* <== The line you modified */
> 72 │ .checkentry = nflog_tg_check,
> 73 │ .destroy = nflog_tg_destroy,
> 74 │ .target = nflog_tg,
> 75 │ .targetsize = sizeof(struct xt_nflog_info),
> 76 │ .me = THIS_MODULE,
> 77 │ },
> 78 │ #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> 79 │ {
> 80 │ .name = "NFLOG",
> 81 │ .revision = 0,
> 82 │ .family = NFPROTO_IPV6, /* <== v6 was already there */
> 83 │ .checkentry = nflog_tg_check,
> 84 │ .destroy = nflog_tg_destroy,
> 85 │ .target = nflog_tg,
> 86 │ .targetsize = sizeof(struct xt_nflog_info),
> 87 │ .me = THIS_MODULE,
> 88 │ },
> 89 │ #endif
> 90 │ };
Are you sure you didn't have the bug you mentioned because your kernel
config doesn't have CONFIG_IP6_NF_IPTABLES?
> .checkentry = nflog_tg_check,
> .destroy = nflog_tg_destroy,
> .target = nflog_tg,
> diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
> index f76fe04fc9a4e19f18ac323349ba6f22a00eafd7..65b965ca40ea7ea5d9feff381b433bf267a424c4 100644
> --- a/net/netfilter/xt_mark.c
> +++ b/net/netfilter/xt_mark.c
> @@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
> {
> .name = "MARK",
> .revision = 2,
> - .family = NFPROTO_IPV4,
> + .family = NFPROTO_IPV6,
Same here.
So I think this patch is not needed, right?
> .target = mark_tg,
> .targetsize = sizeof(struct xt_mark_tginfo2),
> .me = THIS_MODULE,
>
> ---
> base-commit: 75aa74d52f43e75d0beb20572f98529071b700e5
> change-id: 20241018-xtables-typos-dfeadb8b122d
>
> Best regards,
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
Powered by blists - more mailing lists