[Bug 1742] New: using nfqueue breaks SCTP connection (tracking)
bugzilla-daemon at netfilter.org
Thu Apr 4 00:14:46 CEST 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1742
Bug ID: 1742
Summary: using nfqueue breaks SCTP connection (tracking)
Product: libnetfilter_queue
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: libnetfilter_queue
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: antonio.ojea.garcia at gmail.com
I'm using a golang library for interacting with nfqueue; it is very simple
logic. I add the following rule:
table inet kube-netpol {
    comment "rules for kubernetes NetworkPolicy"
    chain forward {
        type filter hook forward priority filter - 5; policy accept;
        ct state new queue to 100
    }
}
and in userspace I process the packet to emit a verdict.
Everything works fine with TCP and UDP, but when using SCTP I can see that the
packet is modified and it breaks the establishment of the connection; more
details in https://github.com/aojea/kube-netpol/issues/8
Once I remove the `nfqueue` rule the SCTP connection is established correctly.
I triple checked the userspace program accepts the packet and removing the
nfqueue rules makes the connection work.
I've added a trace (by the way, kudos for the tracing functionality, it is really
a great improvement) and I can see how the packet is dropped in a rule that drops
connections with invalid state:
trace id 0329b184 ip filter trace_chain packet: iif "eth0" ether saddr
02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip saddr 10.244.1.47 ip daddr
10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 63 ip id 0 ip length 68 sctp sport
47261 sctp dport 8080 sctp vtag 0 @th,96,64 0x10000240486b6e3
trace id 0329b184 ip filter trace_chain rule ip protocol sctp meta nftrace set
1 (verdict continue)
trace id 0329b184 ip filter trace_chain verdict continue
trace id 0329b184 ip filter trace_chain policy accept
trace id 0329b184 inet kube-netpol forward packet: iif "eth0" oif
"vetha2b65671" ether saddr 02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip
saddr 10.244.1.47 ip daddr 10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 62 ip id
0 ip protocol sctp ip length 68 sctp sport 47261 sctp dport 8080 sctp vtag 0
@th,96,64 0x10000240486b6e3
trace id 0329b184 inet kube-netpol forward verdict continue
trace id 0329b184 inet kube-netpol forward policy accept
trace id 0329b184 ip filter FORWARD packet: iif "eth0" oif "vetha2b65671" ether
saddr 02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip saddr 10.244.1.47 ip
daddr 10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 62 ip id 0 ip length 68 sctp
sport 47261 sctp dport 8080 sctp vtag 0 @th,96,64 0x10000240486b6e3
trace id 0329b184 ip filter FORWARD rule counter packets 5735 bytes 2667239
jump KUBE-FORWARD (verdict jump KUBE-FORWARD)
trace id 0329b184 ip filter KUBE-FORWARD rule ct state invalid counter packets
8 bytes 544 drop (verdict drop)
If I remove the nfqueue rule the packet goes through:
trace id 058bdf29 ip filter trace_chain packet: iif "eth0" ether saddr
02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip saddr 10.244.1.47 ip daddr
10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 63 ip id 0 ip length 68 sctp sport
33348 sctp dport 8080 sctp vtag 0 @th,96,64 0x10000244fde5e72
trace id 058bdf29 ip filter trace_chain rule ip protocol sctp meta nftrace set
1 (verdict continue)
trace id 058bdf29 ip filter trace_chain verdict continue
trace id 058bdf29 ip filter trace_chain policy accept
trace id 058bdf29 ip nat PREROUTING packet: iif "eth0" ether saddr
02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip saddr 10.244.1.47 ip daddr
10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 63 ip id 0 ip length 68 sctp sport
33348 sctp dport 8080 sctp vtag 0 @th,96,64 0x10000244fde5e72
trace id 058bdf29 ip nat PREROUTING rule counter packets 17924 bytes 1098260
jump KUBE-SERVICES (verdict jump KUBE-SERVICES)
trace id 058bdf29 ip nat KUBE-SERVICES verdict continue
trace id 058bdf29 ip nat PREROUTING verdict continue
trace id 058bdf29 ip nat PREROUTING policy accept
trace id 058bdf29 ip filter FORWARD packet: iif "eth0" oif "vetha2b65671" ether
saddr 02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip saddr 10.244.1.47 ip
daddr 10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 62 ip id 0 ip length 68 sctp
sport 33348 sctp dport 8080 sctp vtag 0 @th,96,64 0x10000244fde5e72
trace id 058bdf29 ip filter FORWARD rule ct state new counter packets 2894
bytes 195836 jump KUBE-PROXY-FIREWALL (verdict jump KUBE-PROXY-FIREWALL)
trace id 058bdf29 ip filter KUBE-PROXY-FIREWALL verdict continue
trace id 058bdf29 ip filter FORWARD rule counter packets 5800 bytes 2671691
jump KUBE-FORWARD (verdict jump KUBE-FORWARD)
trace id 058bdf29 ip filter KUBE-FORWARD verdict continue
trace id 058bdf29 ip filter FORWARD rule ct state new counter packets 2832
bytes 191716 jump KUBE-SERVICES (verdict jump KUBE-SERVICES)
trace id 058bdf29 ip filter KUBE-SERVICES verdict continue
trace id 058bdf29 ip filter FORWARD rule ct state new counter packets 2826
bytes 191324 jump KUBE-EXTERNAL-SERVICES (verdict jump KUBE-EXTERNAL-SERVICES)
trace id 058bdf29 ip filter KUBE-EXTERNAL-SERVICES verdict continue
trace id 058bdf29 ip filter FORWARD verdict continue
trace id 058bdf29 ip filter FORWARD policy accept
trace id 058bdf29 ip nat POSTROUTING packet: iif "eth0" oif "vetha2b65671"
ether saddr 02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip saddr
10.244.1.47 ip daddr 10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 62 ip id 0 ip
length 68 sctp sport 33348 sctp dport 8080 sctp vtag 0 @th,96,64
0x10000244fde5e72
trace id 058bdf29 ip nat POSTROUTING rule counter packets 5868 bytes 374884
jump KUBE-POSTROUTING (verdict jump KUBE-POSTROUTING)
trace id 058bdf29 ip nat KUBE-POSTROUTING verdict return
trace id 058bdf29 ip nat POSTROUTING rule fib daddr type != local counter
packets 2834 bytes 191394 jump KIND-MASQ-AGENT (verdict jump KIND-MASQ-AGENT)
trace id 058bdf29 ip nat KIND-MASQ-AGENT verdict return
trace id 058bdf29 ip nat POSTROUTING verdict continue
trace id 058bdf29 ip nat POSTROUTING policy accept
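As an added example (not code from the bug report or the kube-netpol project): a small Python parser for nft trace lines like the ones above that groups events by trace id, reports the last terminal verdict together with the chain and rule that produced it, and lists the `ct state` values matched along the path, so the two traces can be compared mechanically. It assumes the field layout `trace id <id> <family> <table> <chain> <event>` seen in the output above; the embedded input is a trimmed subset of the report's two traces.

```python
import re
from collections import defaultdict

# Constructed input: a trimmed subset of the two nft traces in the report, one event per line.
SAMPLE = """\
trace id 0329b184 ip filter trace_chain policy accept
trace id 0329b184 ip filter FORWARD rule counter packets 5735 bytes 2667239 jump KUBE-FORWARD (verdict jump KUBE-FORWARD)
trace id 0329b184 ip filter KUBE-FORWARD rule ct state invalid counter packets 8 bytes 544 drop (verdict drop)
trace id 058bdf29 ip filter FORWARD rule ct state new counter packets 2894 bytes 195836 jump KUBE-PROXY-FIREWALL (verdict jump KUBE-PROXY-FIREWALL)
trace id 058bdf29 ip filter KUBE-PROXY-FIREWALL verdict continue
trace id 058bdf29 ip filter FORWARD policy accept
trace id 058bdf29 ip nat POSTROUTING policy accept
"""

LINE_RE = re.compile(r"^trace id (\w+) (\w+) (\S+) (\S+) (.*)$")  # id family table chain event
RULE_RE = re.compile(r"^rule (.*) \(verdict (.+)\)$")  # "rule <expr> (verdict <v>)"

def parse_trace(text):
    """Group nft trace lines by trace id into (location, rule, verdict) events."""
    traces = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a trace line
        tid, family, table, chain, rest = m.groups()
        rule = verdict = None  # "packet: ..." header lines carry no decision
        r = RULE_RE.match(rest)
        if r:  # a rule matched in this chain
            rule, verdict = r.groups()
        elif rest.startswith(("policy ", "verdict ")):  # chain-level outcome
            verdict = rest.split(None, 1)[1]
        traces[tid].append((f"{family} {table} {chain}", rule, verdict))
    return dict(traces)

def final_verdict(events):
    """Last terminal decision (accept/drop/reject): where it was taken and by which rule."""
    hits = [ev for ev in events if ev[2] in ("accept", "drop", "reject")]
    return hits[-1] if hits else None

def ct_states(events):
    """Conntrack states matched by 'ct state' rules, in traversal order."""
    states = []
    for _, rule, _ in events:
        m = re.search(r"\bct state (\w+)", rule or "")
        if m:
            states.append(m.group(1))
    return states

if __name__ == "__main__":
    print({t: (final_verdict(e), ct_states(e)) for t, e in parse_trace(SAMPLE).items()})
```

For the queued trace the only `ct state` seen is `invalid` and the terminal verdict is the drop in KUBE-FORWARD; for the unqueued trace it is `new` and the packet ends with the nat POSTROUTING policy accept.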