[Bug 1478] New: Concatenations with ct status do not match

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sun Nov 1 19:06:52 CET 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1478

            Bug ID: 1478
           Summary: Concatenations with ct status do not match
           Product: netfilter/iptables
           Version: unspecified
          Hardware: arm
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: unknown
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: c-d.hailfinger.devel.2006 at gmx.net

Using "ct status" as part of a concatenation causes a rule to fail matching. It
doesn't matter if the concatenation has "ct status" at the beginning or the
end, the failure will happen regardless of order.

Using "ct status" in a non-concatenated combination works. See below for the
packet counters of a single IPv4 SSH connection to port 2222 which gets
redirected to port 22. This is especially visible when comparing the following
two rules, of which the variant with concatenation never matches:

ct status dnat ct status dnat counter
ct status . ct status { dnat . dnat } counter

Steps to reproduce the issue:
Load the ruleset below. Have SSHD running on local port 22. Connect from
another machine with "ssh -p 2222 targetip".
Note that the counters in the filter table for concatenations with "ct status"
do not increase, whereas the other counters increase.


Versions:
Debian 10, armhf (Raspberry Pi OS), with backports
Linux myhostname 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l GNU/Linux
libmnl0 1.0.4-2
libnetfilter-conntrack3 1.0.7-1
libnftnl11 1.1.7-1~bpo10+1
libnftables1 0.9.6-1~bpo10+1
nftables 0.9.6-1~bpo10+1

Ruleset:
$ nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                ct state established,related accept comment "Accept traffic originated from us"
                tcp dport . ct status { 22 . dnat } counter packets 0 bytes 0
                ct status . tcp dport { dnat . 22 } counter packets 0 bytes 0
                tcp dport 22 ct status dnat counter packets 1 bytes 60
                ct status dnat tcp dport 22 counter packets 1 bytes 60
                tcp dport 22 tcp dport 22 counter packets 1 bytes 60
                ct status dnat ct status dnat counter packets 1 bytes 60
                tcp dport . tcp dport { 22 . 22 } counter packets 1 bytes 60
                ct status . ct status { dnat . dnat } counter packets 0 bytes 0
                tcp dport 22 counter packets 1 bytes 60
                ct status dnat counter packets 1 bytes 60
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}
table inet nat {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                tcp dport 2222 counter packets 1 bytes 60
                tcp dport 22 counter packets 0 bytes 0
                tcp dport 2222 redirect to :22
        }
}
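
As an added illustration (not part of the report or of nftables), a small Python parser over the "nft list ruleset" counter output above: it flags rules that concatenate "ct status" yet never matched while a plain "ct status" rule in the same listing did, which is the symptom the report describes. The sample listing is the filter chain copied from the report; the function names are my own.

```python
import re

# Constructed sample: the filter chain counters as listed in the report.
SAMPLE_RULESET = """\
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                ct state established,related accept comment "Accept traffic originated from us"
                tcp dport . ct status { 22 . dnat } counter packets 0 bytes 0
                ct status . tcp dport { dnat . 22 } counter packets 0 bytes 0
                tcp dport 22 ct status dnat counter packets 1 bytes 60
                ct status dnat tcp dport 22 counter packets 1 bytes 60
                tcp dport 22 tcp dport 22 counter packets 1 bytes 60
                ct status dnat ct status dnat counter packets 1 bytes 60
                tcp dport . tcp dport { 22 . 22 } counter packets 1 bytes 60
                ct status . ct status { dnat . dnat } counter packets 0 bytes 0
                tcp dport 22 counter packets 1 bytes 60
                ct status dnat counter packets 1 bytes 60
        }
}
"""

# Match expression, then the counter statement that nft prints after it.
COUNTER_RE = re.compile(r"^(?P<match>.*?)\s*counter packets (?P<pkts>\d+) bytes (?P<bytes>\d+)$")


def parse_counter_rules(listing):
    """Return (match_expression, packets, bytes) for every rule that carries a counter."""
    rules = []
    for line in listing.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            rules.append((m.group("match"), int(m.group("pkts")), int(m.group("bytes"))))
    return rules


def is_concatenation(expr):
    # Selectors joined with " . " to the left of the set braces form a concatenation.
    return " . " in expr.split("{", 1)[0]


def uses_ct_status(expr):
    return "ct status" in expr.split("{", 1)[0]


def suspicious_rules(listing):
    """ct status concatenations with zero hits while a plain ct status rule did match."""
    rules = parse_counter_rules(listing)
    plain_hit = any(p > 0 for e, p, _ in rules if uses_ct_status(e) and not is_concatenation(e))
    if not plain_hit:
        return []  # no evidence of ct status traffic at all, nothing to compare against
    return [e for e, p, _ in rules if uses_ct_status(e) and is_concatenation(e) and p == 0]
```

Run against the report's listing it returns exactly the three concatenated "ct status" rules whose counters stayed at zero.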
