<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Concatenations with ct status do not match"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1478">1478</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Concatenations with ct status do not match
</td>
</tr>
<tr>
<th>Product</th>
<td>netfilter/iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>arm
</td>
</tr>
<tr>
<th>OS</th>
<td>Debian GNU/Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>unknown
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>c-d.hailfinger.devel.2006@gmx.net
</td>
</tr></table>
<p>
<div>
<pre>Using "ct status" as part of a concatenation causes a rule to fail matching. It
doesn't matter if the concatenation has "ct status" at the beginning or the
end, the failure will happen regardless of order.

Using "ct status" in a non-concatenated combination works. See below for the
packet counters of a single IPv4 SSH connection to port 2222 which gets
redirected to port 22. This is especially visible when comparing the following
two rules, of which the variant with concatenation never matches:

	ct status dnat ct status dnat counter
	ct status . ct status { dnat . dnat } counter

Steps to reproduce the issue:
Load the ruleset below. Have SSHD running on local port 22. Connect from
another machine with "ssh -p 2222 targetip".
Note that the counters in the filter table for concatenations with "ct status"
do not increase, whereas the other counters increase.

Versions:
Debian 10, armhf (Raspberry Pi OS), with backports
Linux myhostname 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l GNU/Linux
libmnl0 1.0.4-2
libnetfilter-conntrack3 1.0.7-1
libnftnl11 1.1.7-1~bpo10+1
libnftables1 0.9.6-1~bpo10+1
nftables 0.9.6-1~bpo10+1

Ruleset:
$ nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		ct state established,related accept comment "Accept traffic originated from us"
		tcp dport . ct status { 22 . dnat } counter packets 0 bytes 0
		ct status . tcp dport { dnat . 22 } counter packets 0 bytes 0
		tcp dport 22 ct status dnat counter packets 1 bytes 60
		ct status dnat tcp dport 22 counter packets 1 bytes 60
		tcp dport 22 tcp dport 22 counter packets 1 bytes 60
		ct status dnat ct status dnat counter packets 1 bytes 60
		tcp dport . tcp dport { 22 . 22 } counter packets 1 bytes 60
		ct status . ct status { dnat . dnat } counter packets 0 bytes 0
		tcp dport 22 counter packets 1 bytes 60
		ct status dnat counter packets 1 bytes 60
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
table inet nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		tcp dport 2222 counter packets 1 bytes 60
		tcp dport 22 counter packets 0 bytes 0
		tcp dport 2222 redirect to :22
	}
}</pre>
</div>
</p>
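<p>The report's evidence is a set of rules that are semantically equivalent (the same selectors and values, written either as a plain chain of matches or as a concatenation over a set) but whose counters disagree. The script below is an added example, not code from the reporter or the nftables project: it parses <code>nft list ruleset</code> text, normalizes <code>tcp dport 22 ct status dnat</code> and <code>tcp dport . ct status { 22 . dnat }</code> to the same key, groups counted rules per table and chain, and reports every group whose packet counts differ. Scoping by chain matters, because the <code>tcp dport 22</code> rule in the nat prerouting chain legitimately stays at zero (the packet arrives on port 2222 there) and must not be compared with the filter chain's rules. It assumes the text layout shown in the report (two-word selectors such as <code>tcp dport</code> and <code>ct status</code>, single-token values, <code>counter packets N bytes M</code> after the match) and embeds the reporter's ruleset as constructed sample input.</p>

```python
import re
from collections import defaultdict

# Constructed sample input: the counters from this bug report. The nat table is
# included on purpose, to show that its rules are not conflated with the filter chain.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state established,related accept comment "Accept traffic originated from us"
        tcp dport . ct status { 22 . dnat } counter packets 0 bytes 0
        ct status . tcp dport { dnat . 22 } counter packets 0 bytes 0
        tcp dport 22 ct status dnat counter packets 1 bytes 60
        ct status dnat tcp dport 22 counter packets 1 bytes 60
        tcp dport 22 tcp dport 22 counter packets 1 bytes 60
        ct status dnat ct status dnat counter packets 1 bytes 60
        tcp dport . tcp dport { 22 . 22 } counter packets 1 bytes 60
        ct status . ct status { dnat . dnat } counter packets 0 bytes 0
        tcp dport 22 counter packets 1 bytes 60
        ct status dnat counter packets 1 bytes 60
    }
}
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 2222 counter packets 1 bytes 60
        tcp dport 22 counter packets 0 bytes 0
        tcp dport 2222 redirect to :22
    }
}
"""

TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
COUNTER_RE = re.compile(r"^(?P<match>.*?)\s*counter packets (?P<packets>\d+) bytes \d+")
CONCAT_RE = re.compile(r"^(?P<lhs>.+?)\s*\{\s*(?P<rhs>.+?)\s*\}$")


def normalize(match_expr):
    """Reduce a match expression to a frozenset of alternatives, each a frozenset of
    (selector, value) pairs, so that 'tcp dport 22 ct status dnat' and
    'tcp dport . ct status { 22 . dnat }' compare equal. Assumption: selectors are
    two words and values are single tokens (true for the rules in this report)."""
    m = CONCAT_RE.match(match_expr)
    if m and " . " in m.group("lhs"):
        selectors = [s.strip() for s in m.group("lhs").split(" . ")]
        alternatives = set()
        for element in m.group("rhs").split(","):  # a set may list several elements
            values = [v.strip() for v in element.split(" . ")]
            if len(values) != len(selectors):
                raise ValueError("concatenation arity mismatch: %r" % match_expr)
            alternatives.add(frozenset(zip(selectors, values)))
        return frozenset(alternatives)
    tokens = match_expr.split()
    if len(tokens) % 3:
        raise ValueError("unsupported match expression: %r" % match_expr)
    # Repeating the same match ('tcp dport 22 tcp dport 22') collapses into one pair.
    pairs = {(tokens[i] + " " + tokens[i + 1], tokens[i + 2]) for i in range(0, len(tokens), 3)}
    return frozenset([frozenset(pairs)])


def parse_counters(ruleset_text):
    """Yield (table, chain, match_expr, packets) for every rule carrying a counter."""
    table = chain = None
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        t = TABLE_RE.match(line)
        if t:
            table = "%s %s" % t.groups()
            continue
        c = CHAIN_RE.match(line)
        if c:
            chain = c.group(1)
            continue
        r = COUNTER_RE.match(line)
        if r and table and chain:
            yield table, chain, r.group("match"), int(r.group("packets"))


def describe(key):
    """Human-readable form of a normalized key, e.g. 'ct status dnat tcp dport 22'."""
    return " | ".join(sorted(" ".join("%s %s" % pair for pair in sorted(alt)) for alt in key))


def find_inconsistent(ruleset_text):
    """Group counted rules per (table, chain) by normalized match and return every
    group whose rules disagree on packet counts, as
    (table, chain, description, [(match_expr, packets), ...])."""
    groups = defaultdict(list)
    for table, chain, expr, packets in parse_counters(ruleset_text):
        groups[(table, chain, normalize(expr))].append((expr, packets))
    bad = []
    for (table, chain, key), rules in sorted(groups.items(), key=lambda kv: kv[1][0][0]):
        if len({p for _, p in rules}) > 1:
            bad.append((table, chain, describe(key), rules))
    return bad


if __name__ == "__main__":
    for table, chain, desc, rules in find_inconsistent(SAMPLE_RULESET):
        print("%s / %s: equivalent rules <%s> disagree:" % (table, chain, desc))
        for expr, packets in rules:
            print("    %-42s packets %d" % (expr, packets))
```

<p>On the report's counters this flags exactly two groups in <code>inet filter</code> / <code>input</code>: the rules equivalent to <code>tcp dport 22 ct status dnat</code> and the rules equivalent to <code>ct status dnat</code>. In both, the only members at zero packets are the concatenated forms containing <code>ct status</code>, which is the report's claim in machine-checkable form. To apply it live, pipe <code>nft list ruleset</code> into <code>find_inconsistent</code> after generating traffic and treat any non-empty result as a regression.</p>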
</body>
</html>