[Bug 1201] New: Some filters randomly do not work since version 0.8
bugzilla-daemon at netfilter.org
Thu Nov 9 13:05:19 CET 2017
https://bugzilla.netfilter.org/show_bug.cgi?id=1201
Bug ID: 1201
Summary: Some filters randomly do not work since version 0.8
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Gentoo
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: sautier.louis at gmail.com
Hello,
Since I upgraded to version 0.8, I have been experiencing weird behaviour with
some filters not matching. I think the issue is only present with filters for
tcp ports but this is just a guess.
Here is what my ip input filter chain looks like:
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
                ct state established,related accept
                iifname "eth0" tcp dport { 22, 80, 443 } counter accept
                iifname "lo" accept
                tcp dport 80 counter
                iifname "eth0" tcp dport 80 counter
                iifname "eth0" tcp dport { 80, 111 } counter
                iifname "eth0" tcp dport { 80, 111, 112, 113, 114, 115, 117 } counter
                reject with tcp reset
                reject
        }
}
The rules with counters at the end are there for debugging purposes; they
shouldn't match a lot of traffic, since ports 11* are unused and the third rule
should accept packets sent to port 80.
However, it seems that some rules tend not to match:
        iifname "eth0" tcp dport { 22, 80, 443 } counter packets 0 bytes 0 accept
        tcp dport 80 counter packets 264 bytes 15756
        iifname "eth0" tcp dport 80 counter packets 264 bytes 15756
        iifname "eth0" tcp dport { 80, 111 } counter packets 0 bytes 0
        iifname "eth0" tcp dport { 80, 111, 112, 113, 114, 115, 117 } counter packets 0 bytes 0
If I reload the rules a few times, I'll sometimes see the expected behaviour:
        iifname "eth0" tcp dport { 22, 80, 443 } counter packets 31 bytes 1852 accept
        tcp dport 80 counter packets 0 bytes 0
        iifname "eth0" tcp dport 80 counter packets 0 bytes 0
        iifname "eth0" tcp dport { 80, 111 } counter packets 0 bytes 0
        iifname "eth0" tcp dport { 80, 111, 112, 113, 114, 115, 117 } counter packets 0 bytes 0
Sometimes, the accept rule won't match but the { 80, 111 } one will:
        iifname "eth0" tcp dport { 22, 80, 443 } counter packets 0 bytes 0 accept
        tcp dport 80 counter packets 4 bytes 240
        iifname "eth0" tcp dport 80 counter packets 4 bytes 240
        iifname "eth0" tcp dport { 80, 111 } counter packets 4 bytes 240
        iifname "eth0" tcp dport { 80, 111, 112, 113, 114, 115, 117 } counter packets 0 bytes 0
I am running Gentoo with kernel 4.13.12; I also had the issue with 4.13.11. I
could include my kernel config, but I'm pretty sure the problem is with nftables
itself.
My nftables 0.8 is compiled with:
./configure --prefix=/usr --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info
--datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib
--disable-dependency-tracking --disable-silent-rules
--docdir=/usr/share/doc/nftables-0.8-r3
--htmldir=/usr/share/doc/nftables-0.8-r3/html --libdir=/usr/lib64
--sbindir=/sbin --disable-pdf-doc --disable-debug --with-cli --without-mini_gmp
I am unable to reproduce the problem with version 0.7 compiled with these (the
same parameters as 0.8 except for docdir and htmldir):
./configure --prefix=/usr --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info
--datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib
--disable-dependency-tracking --disable-silent-rules
--docdir=/usr/share/doc/nftables-0.7 --htmldir=/usr/share/doc/nftables-0.7/html
--libdir=/usr/lib64 --sbindir=/sbin --disable-pdf-doc --disable-debug
--with-cli --without-mini_gmp
I may try to run a bisect on this but if someone from the project could help
me, that would save me quite a bit of time.
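As an added example (not part of the report or of the nftables project), the consistency argument the reporter makes by hand, turned into a small checker: it parses counter snapshots in the `nft list chain` format quoted above and flags counter values that cannot both be right given rule order and match coverage. The two snapshot strings are the report's own rule text reflowed one rule per line; the regex, the `Rule` type and the check logic are constructed here.

```python
import re
from typing import NamedTuple, Optional
# Constructed input: the report's first two counter snapshots, one rule per line.
BROKEN = """\
iifname "eth0" tcp dport { 22, 80, 443 } counter packets 0 bytes 0 accept
tcp dport 80 counter packets 264 bytes 15756
iifname "eth0" tcp dport 80 counter packets 264 bytes 15756
iifname "eth0" tcp dport { 80, 111 } counter packets 0 bytes 0
iifname "eth0" tcp dport { 80, 111, 112, 113, 114, 115, 117 } counter packets 0 bytes 0"""
EXPECTED = """\
iifname "eth0" tcp dport { 22, 80, 443 } counter packets 31 bytes 1852 accept
tcp dport 80 counter packets 0 bytes 0
iifname "eth0" tcp dport 80 counter packets 0 bytes 0
iifname "eth0" tcp dport { 80, 111 } counter packets 0 bytes 0
iifname "eth0" tcp dport { 80, 111, 112, 113, 114, 115, 117 } counter packets 0 bytes 0"""
RULE_RE = re.compile(
    r'^(?:iifname "(?P<iif>[^"]+)" )?tcp dport (?:\{ (?P<set>[\d, ]+) \}|(?P<port>\d+)) '
    r'counter packets (?P<pkts>\d+) bytes \d+(?P<verdict> (?:accept|drop|reject.*))?$')
class Rule(NamedTuple):
    iif: Optional[str]    # None: the rule matches any input interface
    ports: frozenset      # TCP destination ports the rule matches
    packets: int
    terminating: bool     # accept/drop/reject ends traversal for matched packets

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            ports = m["set"].split(",") if m["set"] else [m["port"]]
            rules.append(Rule(m["iif"], frozenset(int(p) for p in ports),
                              int(m["pkts"]), m["verdict"] is not None))
    return rules

def covers(outer, inner):  # every packet `inner` matches is also matched by `outer`
    return (outer.iif is None or outer.iif == inner.iif) and outer.ports >= inner.ports

def find_anomalies(text):
    # Returns (rule_no, reference_rule_no, reason) for counters that contradict each other.
    rules, issues = parse_rules(text), []
    for i, a in enumerate(rules):
        for j, b in enumerate(rules[i + 1:], i + 1):
            if a.terminating:   # traffic a covers can never reach a later rule
                if covers(a, b) and b.packets > 0:
                    issues.append((j + 1, i + 1, "saw traffic an earlier rule should have accepted"))
            else:               # until a verdict intervenes, a superset match must count >= a
                if covers(b, a) and b.packets < a.packets:
                    issues.append((j + 1, i + 1, "counted less than a narrower rule above it"))
                if b.terminating:
                    break
    return issues
```

On the first snapshot the checker reports three contradictions (rule 3 against rule 1, rules 4 and 5 against rule 3); on the second it reports none, matching the reporter's reading of the two runs.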