[Bug 1290] New: iptables: nftables layer breaks ipsec/policy keyword

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue Nov 6 14:00:45 CET 2018


https://bugzilla.netfilter.org/show_bug.cgi?id=1290

            Bug ID: 1290
           Summary: iptables: nftables layer breaks ipsec/policy keyword
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables over nftable
          Assignee: pablo at netfilter.org
          Reporter: arturo at debian.org

Forwarded from Debian https://bugs.debian.org/912977

[...]
Some keywords are not supported (like the 'policy' keyword for
IPsec transforms). The bad part is, these rules are inserted
*without* the matches, which makes in some cases your firewall useless.

For example:
# iptables -F
# iptables -A OUTPUT -m policy --dir out --pol ipsec --strict --mode tunnel -o
eth0 -j ACCEPT
# echo $?
0
# nft list ruleset
<cut>
        chain OUTPUT {
                type filter hook output priority 0; policy accept;
                oifname "eth0"  counter packets 90 bytes 26085 accept
        }
}

As you can see, the inserted rule allows everything, while the expected
behavior would be 'only if going through an IPsec tunnel'.
Even worse: inserting the rule did not fail.

Until the 'ipsec' (or 'secpath') keyword works properly (and supports
all options), an acceptable behavior would be to reject the rule if one
or more keywords are not supported by nftables.
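The check a firewall admin would want for the failure described above, added here as an illustration and not code from the bug report or from iptables-nft: parse the text that `nft list ruleset` prints and flag every intended iptables rule using `-m policy` whose chain ended up with no `ipsec`/`secpath` expression. The sample rulesets are constructed from the report's output (the "good" variant uses the nft `ipsec out reqid` form and is an assumption about how a correct translation would look).

```python
"""Detect iptables-nft rules that landed without their IPsec policy match."""
import re
from typing import Dict, List

# nft expression names for xfrm policy matching ('secpath' is the older name).
IPSEC_TOKENS = ("ipsec", "secpath")

# Constructed from the report: the rule was inserted, but the policy match is gone.
BAD_RULESET = """\
table ip filter {
        chain OUTPUT {
                type filter hook output priority 0; policy accept;
                oifname "eth0"  counter packets 90 bytes 26085 accept
        }
}
"""
# Constructed example of what a correct translation would carry (assumption).
GOOD_RULESET = BAD_RULESET.replace(
    'oifname "eth0"  counter', 'oifname "eth0" ipsec out reqid 1 counter')

INTENDED = ["-A OUTPUT -m policy --dir out --pol ipsec --strict --mode tunnel "
            "-o eth0 -j ACCEPT"]


def parse_chains(ruleset: str) -> Dict[str, List[str]]:
    """Map chain name -> list of rule lines from `nft list ruleset` text."""
    chains: Dict[str, List[str]] = {}
    current = None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = re.match(r"chain\s+(\S+)\s*\{", line)
        if m:                       # "chain OUTPUT {" opens a chain
            current = m.group(1)
            chains[current] = []
            continue
        if line == "}":             # closes the chain (or the table)
            current = None
            continue
        # Skip blank lines, the table header and the chain's type/policy line.
        if current is None or not line or line.startswith(("type ", "policy ")):
            continue
        chains[current].append(line)
    return chains


def unverified_policy_rules(intended: List[str], ruleset: str) -> List[str]:
    """Intended '-m policy' rules whose chain holds no ipsec/secpath rule."""
    chains = parse_chains(ruleset)
    missing = []
    for rule in intended:
        if "-m policy" not in rule:
            continue
        m = re.search(r"-[AI]\s+(\S+)", rule)          # chain from -A/-I
        nft_rules = chains.get(m.group(1) if m else "", [])
        if not any(tok in r.split() for r in nft_rules for tok in IPSEC_TOKENS):
            missing.append(rule)   # silently dropped match: treat as firewall open
    return missing
```

Run it after every `iptables -A ... -m policy` on an nftables-backed host and flush or replace the offending rule when the list is non-empty.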
