From: Phil Sutter <phil@nwl.cc>
To: Sriram Rajagopalan <bglsriram@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: iptables-nft: Wrong payload merge of rule filter - "! --sport xx ! --dport xx"
Date: Fri, 8 Mar 2024 12:30:47 +0100
Message-ID: <Zer252IUJr07J_eX@orbyte.nwl.cc>
In-Reply-To: <CAPtndGDEJVWXcggRkw66YLjhu3QyUjJ5j4YEbvJLj-qbPkQaPg@mail.gmail.com>

Hi Sriram,

On Fri, Mar 08, 2024 at 02:49:38PM +0530, Sriram Rajagopalan wrote:
> iptables-nft based on nftables has an issue with the way the rule
> filter - "! --sport xx ! --dport xx" is wrongly merged and rendered.

I agree with your analysis and the patches look fine. Could you please
submit them formally?

[...]
> % export IPTABLES=/usr/local/sbin/iptables-legacy; \
>   sudo $IPTABLES -A INPUT -p tcp ! --sport 22 ! --dport 22 -i vm2; \
>   echo -e "\n---- Before data ----\n"; \
>   sudo $IPTABLES -L INPUT -vvvn; \
>   sudo python -c "from scapy.all import *; sendp(Ether(dst='9e:00:fa:a3:c9:48')/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(sport=23, dport=22), iface='vm1')"; \
>   echo -e "\n---- After data with either one of tcp sport/dport being 22 ----\n"; \
>   sudo $IPTABLES -L INPUT -vn; \
>   sudo python -c "from scapy.all import *; sendp(Ether(dst='9e:00:fa:a3:c9:48')/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(sport=23, dport=23), iface='vm1')"; \
>   echo -e "\n---- After data with neither one of tcp sport/dport being 22 ----\n"; \
>   sudo $IPTABLES -L INPUT -vn; \
>   sudo $IPTABLES -D INPUT -p tcp ! --sport 22 ! --dport 22 -i vm2
> 
> 
> ---- Before data ----
> 
> ip filter INPUT 41
>   [ meta load iifname => reg 1 ]
>   [ cmp eq reg 1 0x00326d76 ]
>   [ payload load 1b @ network header + 9 => reg 1 ]
>   [ cmp eq reg 1 0x00000006 ]
>   [ payload load 2b @ transport header + 0 => reg 1 ]
>   [ cmp neq reg 1 0x00001600 ]
>   [ payload load 2b @ transport header + 2 => reg 1 ]
>   [ cmp neq reg 1 0x00001600 ]
>   [ counter pkts 0 bytes 0 ]

You're fibbing here: That netlink debug output can't come from
iptables-legacy. I suspect it actually comes from your patched
iptables-nft or nft too. :)

[...]
> Author: Sriram Rajagopalan <bglsriram@gmail.com>
> Date:   Fri Mar 07 20:09:38 2024 -0800
> 
> iptables: Fixed the issue with combining the payload in case of invert
> filter for tcp src and dst ports
> 
> Signed-off-by: Sriram Rajagopalan <bglsriram@gmail.com>
> Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>

Maybe avoid the double SoB? Apart from that:

Acked-by: Phil Sutter <phil@nwl.cc>

Thanks, Phil
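Added example, not code from this thread or from the iptables/nftables projects: a Python model of the two bytecode shapes at issue, the two separate 2-byte loads each followed by `cmp neq` (as in the debug output quoted above) versus a single 4-byte load with one compare, which is what merging the two port matches produces. `match_merged` is a hypothetical model of the wrong merge, not the actual iptables-nft code, and the header bytes and port values are constructed here.

```python
import struct


def tcp_ports_bytes(sport: int, dport: int) -> bytes:
    """First 4 bytes of a TCP header: source port then destination port,
    network byte order. Constructed input for the model below."""
    return struct.pack("!HH", sport, dport)


def match_separate(hdr: bytes, port: int, invert: bool) -> bool:
    """'! --sport N ! --dport N' as nft should express it:
    payload load 2b @ transport header + 0, cmp neq
    payload load 2b @ transport header + 2, cmp neq
    Both compares must hold for the rule to match."""
    sport = struct.unpack("!H", hdr[0:2])[0]
    dport = struct.unpack("!H", hdr[2:4])[0]
    sport_ok = (sport == port) != invert  # cmp eq, or cmp neq when inverted
    dport_ok = (dport == port) != invert
    return sport_ok and dport_ok


def match_merged(hdr: bytes, port: int, invert: bool) -> bool:
    """Hypothetical wrong merge: one 4-byte load at transport header + 0
    compared against the concatenated ports with a single cmp. Correct for
    plain eq (both halves must be equal), but '!= NN' is not the same as
    '!= N on each half'."""
    value = struct.unpack("!I", hdr[0:4])[0]
    want = (port << 16) | port
    return (value == want) != invert


def classify(sport: int, dport: int, port: int = 22) -> tuple:
    """Verdict of the inverted rule under both models for one packet."""
    hdr = tcp_ports_bytes(sport, dport)
    return match_separate(hdr, port, True), match_merged(hdr, port, True)


def merge_is_safe(port: int, invert: bool, limit: int = 64) -> bool:
    """Brute force over small port pairs: do the two forms always agree?"""
    for s in range(limit):
        for d in range(limit):
            hdr = tcp_ports_bytes(s, d)
            if match_separate(hdr, port, invert) != match_merged(hdr, port, invert):
                return False
    return True


if __name__ == "__main__":
    for sp, dp in ((23, 22), (23, 23), (22, 22)):
        print(f"sport={sp} dport={dp}: separate={classify(sp, dp)[0]} merged={classify(sp, dp)[1]}")
    print("merge safe without invert:", merge_is_safe(22, False))
    print("merge safe with invert:", merge_is_safe(22, True))
```

The packet with sport=23, dport=22 from the test above is the one that exposes the difference: the separate form rejects it because the destination port is 22, while the merged compare accepts it.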
