From: Phil Sutter <phil@nwl.cc>
To: netfilter-devel@vger.kernel.org
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, Florian Westphal <fw@strlen.de>
Subject: nftables: lockout with 0008split_tables_0 test
Date: Tue, 21 Nov 2017 12:15:56 +0100 [thread overview]
Message-ID: <20171121111556.GX32305@orbyte.nwl.cc> (raw)
Hi,
This is about tests/shell/testcases/nft-f/0008split_tables_0, which adds
the following simple ruleset:
| table inet filter {
| chain ssh {
| type filter hook input priority 0; policy accept;
| tcp dport ssh accept;
| }
| }
|
| table inet filter {
| chain input {
| type filter hook input priority 1; policy drop;
| }
| }
If applied, it kills my SSH connection. :(
I changed the ruleset for debugging purposes to this one:
| table inet filter {
| chain ssh {
| type filter hook input priority 0; policy accept;
| meta nftrace set 1
| accept
| }
| }
|
| table inet filter {
| chain input {
| type filter hook input priority 1; policy drop;
| meta nftrace set 1
| }
| }
So I've changed the rule in chain 'ssh' to allow everything and enabled
tracing. Looking at trace output, I see this:
| trace id 4a1d1b92 inet filter ssh packet: iif "eth0" ether saddr fe:07:ef:9f:d5:dd ether daddr 52:54:ff:12:34:56 ip6 saddr fec0:42::1 ip6 daddr fec0:42::24 ip6 dscp 0x02 ip6 ecn not-ect ip6 hoplimit 64 ip6 flowlabel 871503 ip6 length 280 tcp sport 59068 tcp dport ssh tcp flags == 0x19 tcp window 1412
| trace id 4a1d1b92 inet filter ssh rule nftrace set 1 (verdict continue)
| trace id 4a1d1b92 inet filter ssh rule accept (verdict accept)
| trace id 4a1d1b92 inet filter input packet: iif "eth0" ether saddr fe:07:ef:9f:d5:dd ether daddr 52:54:ff:12:34:56 ip6 saddr fec0:42::1 ip6 daddr fec0:42::24 ip6 dscp 0x02 ip6 ecn not-ect ip6 hoplimit 64 ip6 flowlabel 871503 ip6 length 280 tcp sport 59068 tcp dport ssh tcp flags == 0x19 tcp window 1412
| trace id 4a1d1b92 inet filter input rule nftrace set 1 (verdict continue)
| trace id 4a1d1b92 inet filter input verdict continue
| trace id 4a1d1b92 inet filter input
It shows that given packet traverses both chains instead of only the
first one as I would have expected and therefore drop policy of chain
'input' applies instead of the 'accept' verdict in chain 'ssh'.
Is this desired behaviour or is there a bug in chain traversal?
I tested using current nf-next tree, but comparing it's history to that
of current net doesn't show any change which might be related.
Help?
Cheers, Phil
next reply other threads:[~2017-11-21 11:15 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-21 11:15 Phil Sutter [this message]
2017-11-21 17:09 ` nftables: lockout with 0008split_tables_0 test Florian Westphal
2017-11-21 18:39 ` Arturo Borrero Gonzalez
2017-11-21 18:50 ` Arturo Borrero Gonzalez
2017-11-21 22:13 ` [nft PATCH] tests: shell: Prevent lockout in nft-f/0008split_tables_0 Phil Sutter
2017-11-22 12:17 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171121111556.GX32305@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.