<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - ptables: nftables layer breaks ipsec/policy keyword"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1290">1290</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>ptables: nftables layer breaks ipsec/policy keyword
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Debian GNU/Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>iptables over nftable
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>arturo@debian.org
</td>
</tr></table>
<p>
<div>
<pre>Forwarded from Debian <a href="https://bugs.debian.org/912977">https://bugs.debian.org/912977</a>
[...]
Some keywords are not supported (like the 'policy' keyword for
IPsec transforms). The bad part is, these rules are inserted
*without* the matches, which makes in some cases your firewall useless.
For ex:
# iptables -F
# iptables -A OUTPUT -m policy --dir out --pol ipsec --strict --mode tunnel -o
eth0 -j ACCEPT
# echo $?
0
# nft list ruleset
<cut>
chain OUTPUT {
type filter hook output priority 0; policy accept;
oifname "eth0" counter packets 90 bytes 26085 accept
}
}
As you can see, the inserted rule allows everything, while the expected
behavior would be 'only if going through an IPsec tunnel'.
Even worse: inserting the rule did not fail.
Until the 'ipsec' (or 'secpath') keyword works properly (and supports
all options), an acceptable behavior would be to reject the rule if one
or more keywords are not supported by nftables.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>