[Bug 1201] New: Some filters randomly do not work since version 0.8

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Nov 9 13:05:19 CET 2017


https://bugzilla.netfilter.org/show_bug.cgi?id=1201

            Bug ID: 1201
           Summary: Some filters randomly do not work since version 0.8
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Gentoo
            Status: NEW
          Severity: major
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: sautier.louis at gmail.com

Hello,
Since I upgraded to version 0.8, I have been experiencing weird behaviour with
some filters not matching. I think the issue is only present with filters for
tcp ports but this is just a guess.
Here is what my ip input filter chain looks like:
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
                ct state established,related accept
                iifname "eth0" tcp dport { 22, 80, 443 } counter accept
                iifname "lo" accept
                tcp dport 80 counter
                iifname "eth0" tcp dport 80 counter
                iifname "eth0" tcp dport { 80, 111 } counter
                iifname "eth0" tcp dport { 80, 111, 112, 113, 114, 115, 117 } counter
                reject with tcp reset
                reject
        }
}
The rules with counters at the end are here for debugging purposes; they
shouldn't match a lot of traffic, since ports 11* are unused and the third rule
should accept packets sent to port 80.

However, it seems that some rules tend not to match:
                iifname "eth0" tcp dport { 22, 80, 443 } counter packets 0 bytes 0 accept
                tcp dport 80 counter packets 264 bytes 15756
                iifname "eth0" tcp dport 80 counter packets 264 bytes 15756
                iifname "eth0" tcp dport { 80, 111 } counter packets 0 bytes 0
                iifname "eth0" tcp dport { 80, 111, 112, 113, 114, 115, 117 } counter packets 0 bytes 0


If I reload the rules a few times, I'll sometimes see the expected behaviour:
                iifname "eth0" tcp dport { 22, 80, 443 } counter packets 31 bytes 1852 accept
                tcp dport 80 counter packets 0 bytes 0
                iifname "eth0" tcp dport 80 counter packets 0 bytes 0
                iifname "eth0" tcp dport { 80, 111 } counter packets 0 bytes 0
                iifname "eth0" tcp dport { 80, 111, 112, 113, 114, 115, 117 } counter packets 0 bytes 0

Sometimes, the accept rule won't match but the { 80, 111 } one will:
                iifname "eth0" tcp dport { 22, 80, 443 } counter packets 0 bytes 0 accept
                tcp dport 80 counter packets 4 bytes 240
                iifname "eth0" tcp dport 80 counter packets 4 bytes 240
                iifname "eth0" tcp dport { 80, 111 } counter packets 4 bytes 240
                iifname "eth0" tcp dport { 80, 111, 112, 113, 114, 115, 117 } counter packets 0 bytes 0


I am running Gentoo with kernel 4.13.12; I also had the issue with 4.13.11. I
could include my kernel config, but I'm pretty sure the problem is with nftables
itself.
My nftables 0.8 is compiled with:
./configure --prefix=/usr --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info
--datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib
--disable-dependency-tracking --disable-silent-rules
--docdir=/usr/share/doc/nftables-0.8-r3
--htmldir=/usr/share/doc/nftables-0.8-r3/html --libdir=/usr/lib64
--sbindir=/sbin --disable-pdf-doc --disable-debug --with-cli --without-mini_gmp

I am unable to reproduce the problem with version 0.7 compiled with these (the
same parameters as 0.8 except for docdir and htmldir):
./configure --prefix=/usr --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info
--datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib
--disable-dependency-tracking --disable-silent-rules
--docdir=/usr/share/doc/nftables-0.7 --htmldir=/usr/share/doc/nftables-0.7/html
--libdir=/usr/lib64 --sbindir=/sbin --disable-pdf-doc --disable-debug
--with-cli --without-mini_gmp

I may try to run a bisect on this, but if someone from the project could help
me, that would save me quite a bit of time.

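As an added sanity check (not part of the bug report or of nftables itself), the following Python script parses counter listings of the shape shown above and flags any rule that counted packets even though an earlier accept rule in the same chain covers everything it can match. The first "tend not to match" listing from the report is embedded as input; with counters zeroed at load time, the hits it reports on the eth0 port-80 debug rule are exactly the impossible ones.

```python
import re

# Counter listing copied from the report above (the first "tend not to match" one).
BROKEN_LISTING = """
iifname "eth0" tcp dport { 22, 80, 443 } counter packets 0 bytes 0 accept
tcp dport 80 counter packets 264 bytes 15756
iifname "eth0" tcp dport 80 counter packets 264 bytes 15756
iifname "eth0" tcp dport { 80, 111 } counter packets 0 bytes 0
iifname "eth0" tcp dport { 80, 111, 112, 113, 114, 115, 117 } counter packets 0 bytes 0
"""

# Rule shapes used in the report: optional iifname, tcp dport as one port or an
# anonymous set, a counter, and an optional accept verdict.
RULE_RE = re.compile(
    r'^\s*(?:iifname "(?P<iif>[^"]+)"\s+)?tcp dport '
    r'(?:\{\s*(?P<set>[\d,\s]+)\}|(?P<port>\d+))\s+counter '
    r'packets (?P<pkts>\d+) bytes \d+(?P<accept>\s+accept)?\s*$'
)

def parse_rules(listing):
    """Return (text, iif, ports, packets, terminal) per counter rule, in chain order."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            ports = (m.group("set") or m.group("port")).replace(",", " ").split()
            rules.append((line.strip(), m.group("iif"), frozenset(map(int, ports)),
                          int(m.group("pkts")), m.group("accept") is not None))
    return rules

def shadows(a, b):
    """True if every packet rule b could match would already be accepted by rule a."""
    _, a_iif, a_ports, _, a_terminal = a
    _, b_iif, b_ports, _, _ = b
    return a_terminal and (a_iif is None or a_iif == b_iif) and b_ports <= a_ports

def shadowed_but_counting(listing):
    """Rules that counted packets although an earlier accept rule covers all they match.
    With counters zeroed at load time, any such hit means the earlier match failed."""
    rules = parse_rules(listing)
    return [b[0] for i, b in enumerate(rules)
            if b[3] > 0 and any(shadows(a, b) for a in rules[:i])]

if __name__ == "__main__":
    for text in shadowed_but_counting(BROKEN_LISTING):
        print("shadowed rule saw traffic:", text)
```

The unqualified `tcp dport 80 counter` rule is deliberately not flagged: packets arriving on interfaces other than eth0 could legitimately reach it.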