[Bug 1673] New: bug egress hook virtio interface with VLAN
bugzilla-daemon at netfilter.org
Fri Apr 14 11:18:15 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1673
Bug ID: 1673
Summary: bug egress hook virtio interface with VLAN
Product: nftables
Version: 1.0.x
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: r.gabet at biche.org
Sorry for my English.
I have a problem with the egress hook on a VLAN interface; I want to match DHCP
output traffic on a virtual machine with nftables.
On a virtio interface it is not working (it works with no VLAN), but on an E1000
interface it is working, so I think there is a bug.
Config:
Linux test 6.2.10-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 07 Apr 2023 02:10:43 +0000 x86_64 GNU/Linux
nftables v1.0.7 (Old Doc Yak)
dhcpcd 9.4.1
isc-dhclient-4.4.3-P1
virtio interface: enp6s19
E1000 interface: enp6s20
I made tests with this ruleset:
table netdev filter {
	chain egress {
		type filter hook egress device "enp6s19.100" priority filter;
		policy accept;
		meta nftrace set 1
		log group 30
		udp sport 68 udp dport 67 counter packets 0 bytes 0
	}
	chain egress2 {
		type filter hook egress device "enp6s20.100" priority filter;
		policy accept;
		meta nftrace set 1
		log group 31
		udp sport 68 udp dport 67 counter packets 0 bytes 0
	}
}
With virtio, captured packet:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on nflog:30, link-type NFLOG (Linux netfilter log messages), snapshot length 262144 bytes
10:02:24.310780 version 0, resource ID 30, family Unknown (5), length 348:
0x0000: ffff ffff ffff e628 5968 daab 0800 4500 .......(Yh....E.
0x0010: 0148 e505 0000 4011 94a0 0000 0000 ffff .H....@.........
0x0020: ffff 0044 0043 0134 86f5 0101 0600 f97b ...D.C.4.......{
0x0030: 4c02 0000 0000 0000 0000 0000 0000 0000 L...............
0x0040: 0000 0000 0000 e628 5968 daab 0000 0000 .......(Yh......
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0090: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0100: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0110: 0000 0000 0000 6382 5363 3501 0137 0e01 ......c.Sc5..7..
0x0120: 7903 060c 0f1a 1c21 3336 3a3b 7739 0205 y......!36:;w9..
0x0130: c03d 17ff ff00 0064 0004 c75b 2dfc 6e1b .=.....d...[-.n.
0x0140: 42ba 8108 c849 f941 dfcb 5000 9101 01ff B....I.A..P.....
0x0150: 0000 0000 0000 0000 ........
nft monitor:
trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" @nh,0,320 0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000
trace id 195bb0a6 netdev filter egress rule meta nftrace set 1 (verdict continue)
trace id 195bb0a6 netdev filter egress rule log group 30 (verdict continue)
trace id 195bb0a6 netdev filter egress verdict continue
trace id 195bb0a6 netdev filter egress policy accept
With E1000, captured packet:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on nflog:31, link-type NFLOG (Linux netfilter log messages), snapshot length 262144 bytes
10:06:28.977551 version 0, resource ID 31, family Unknown (5), length 348:
0x0000: ffff ffff ffff 4e08 9cea 5529 0800 4500 ......N...U)..E.
0x0010: 0148 2898 0000 4011 510e 0000 0000 ffff .H(...@.Q.......
0x0020: ffff 0044 0043 0134 0b0d 0101 0600 ff02 ...D.C.4........
0x0030: 9c84 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 4e08 9cea 5529 0000 0000 ......N...U)....
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0090: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0100: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0110: 0000 0000 0000 6382 5363 3501 0137 0e01 ......c.Sc5..7..
0x0120: 7903 060c 0f1a 1c21 3336 3a3b 7739 0205 y......!36:;w9..
0x0130: c03d 17ff ff00 0064 0004 c75b 2dfc 6e1b .=.....d...[-.n.
0x0140: 42ba 8108 c849 f941 dfcb 5000 9101 01ff B....I.A..P.....
0x0150: 0000 0000 0000 0000 ........
nft monitor:
trace id 2e00e339 netdev filter egress2 packet: oif "enp6s20.100" @nh,0,48 0x450001482898 @th,0,160 0x4011510e00000000ffffffff004400430134
trace id 2e00e339 netdev filter egress2 rule meta nftrace set 1 (verdict continue)
trace id 2e00e339 netdev filter egress2 rule log group 31 (verdict continue)
trace id 2e00e339 netdev filter egress2 rule udp sport 68 udp dport 67 counter packets 0 bytes 0 (verdict continue)
trace id 2e00e339 netdev filter egress2 verdict continue
trace id 2e00e339 netdev filter egress2 policy accept
I think the problem is related to an incorrect @nh base. With virtio:
oif "enp6s19.100" @nh,0,320 0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000,
with E1000:
@nh,0,48 0x450001482898 @th,0,160 0x4011510e00000000ffffffff004400430134
PS: I tried with dhcpcd and dhclient; I have the same issue.
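An added triage check (my own code, not the reporter's or the nftables project's) that turns the @nh observation above into something reproducible: it takes the first bytes of each nflog-captured frame and the nft monitor "packet:" line from this report, locates the real IPv4 header in the frame (skipping any 802.1Q tag), and reports whether the hook's @nh base starts with a plausible IPv4 header and how many bytes it sits past the real one. The sample data is copied from the two captures above; the function and variable names are my own.

```python
import re

# First bytes of each frame as logged on nflog groups 30 and 31 (copied from
# the report's tcpdump -x output) and the "packet:" line nft monitor printed.
VIRTIO_FRAME = bytes.fromhex(
    "ffffffffffff e6285968daab 0800"
    "4500 0148 e505 0000 4011 94a0 00000000 ffffffff 0044 0043 0134 86f5")
VIRTIO_TRACE = ('trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" '
                '@nh,0,320 0xe5050000401194a000000000ffffffff00440043013486f5'
                '01010600f97b4c020000000000000000')
E1000_FRAME = bytes.fromhex(
    "ffffffffffff 4e089cea5529 0800"
    "4500 0148 2898 0000 4011 510e 00000000 ffffffff 0044 0043 0134 0b0d")
E1000_TRACE = ('trace id 2e00e339 netdev filter egress2 packet: oif "enp6s20.100" '
               '@nh,0,48 0x450001482898 @th,0,160 0x4011510e00000000ffffffff004400430134')

ETH_P_IP, ETH_P_8021Q, VLAN_HLEN = 0x0800, 0x8100, 4


def nh_bytes(trace_line):
    """Return the bytes nft monitor printed as the @nh (network header) base."""
    m = re.search(r"@nh,(\d+),(\d+) 0x([0-9a-fA-F]+)", trace_line)
    if m is None:
        raise ValueError("no @nh payload in trace line")
    return bytes.fromhex(m.group(3))


def ipv4_header_offset(frame):
    """Offset of the IPv4 header in an Ethernet frame, skipping 802.1Q tags."""
    off = 12  # EtherType position in a plain Ethernet header
    while int.from_bytes(frame[off:off + 2], "big") == ETH_P_8021Q:
        off += VLAN_HLEN
    if int.from_bytes(frame[off:off + 2], "big") != ETH_P_IP:
        raise ValueError("not an IPv4 frame")
    return off + 2


def diagnose(frame, trace_line):
    """ipv4_ok: the @nh base looks like an IPv4 header (version 4, IHL >= 5).
    skew: bytes the @nh base sits past the real IPv4 header in the logged
    frame (0 = aligned, 4 = exactly one VLAN tag length), None if not found."""
    nh = nh_bytes(trace_line)
    ip_off = ipv4_header_offset(frame)
    ipv4_ok = nh[0] >> 4 == 4 and (nh[0] & 0x0F) >= 5
    idx = frame.find(nh[:6], ip_off)
    return {"ipv4_ok": ipv4_ok, "skew": None if idx < 0 else idx - ip_off}


if __name__ == "__main__":
    for name, frame, trace in (("virtio", VIRTIO_FRAME, VIRTIO_TRACE),
                               ("e1000", E1000_FRAME, E1000_TRACE)):
        print(name, diagnose(frame, trace))
```

On the report's data the virtio trace fails the IPv4 check and its @nh base lands 4 bytes into the real header, while the E1000 trace is aligned; the same two lines can be fed any other nflog dump and trace pair to see whether a given driver or kernel shows the offset.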