nftables: lockout with 0008split_tables

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* nftables: lockout with 0008split_tables_0 test
@ 2017-11-21 11:15 Phil Sutter
  2017-11-21 17:09 ` Florian Westphal
  0 siblings, 1 reply; 6+ messages in thread
From: Phil Sutter @ 2017-11-21 11:15 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Pablo Neira Ayuso, Florian Westphal

Hi,

This is about tests/shell/testcases/nft-f/0008split_tables_0, which adds
the following simple ruleset:

| table inet filter {
|         chain ssh {
|                 type filter hook input priority 0; policy accept;
|                 tcp dport ssh accept;
|         }
| }
| 
| table inet filter {
|         chain input {
|                 type filter hook input priority 1; policy drop;
|         }
| }

If applied, it kills my SSH connection. :(

I changed the ruleset for debugging purposes to this one:

| table inet filter {
|         chain ssh {
|               type filter hook input priority 0; policy accept;
| 		meta nftrace set 1
| 		accept
|         }
| }
| 
| table inet filter {
|         chain input {
|               type filter hook input priority 1; policy drop;
| 		meta nftrace set 1
|         }
| }

So I've changed the rule in chain 'ssh' to allow everything and enabled
tracing. Looking at trace output, I see this:

| trace id 4a1d1b92 inet filter ssh packet: iif "eth0" ether saddr fe:07:ef:9f:d5:dd ether daddr 52:54:ff:12:34:56 ip6 saddr fec0:42::1 ip6 daddr fec0:42::24 ip6 dscp 0x02 ip6 ecn not-ect ip6 hoplimit 64 ip6 flowlabel 871503 ip6 length 280 tcp sport 59068 tcp dport ssh tcp flags == 0x19 tcp window 1412 
| trace id 4a1d1b92 inet filter ssh rule nftrace set 1 (verdict continue)
| trace id 4a1d1b92 inet filter ssh rule accept (verdict accept)
| trace id 4a1d1b92 inet filter input packet: iif "eth0" ether saddr fe:07:ef:9f:d5:dd ether daddr 52:54:ff:12:34:56 ip6 saddr fec0:42::1 ip6 daddr fec0:42::24 ip6 dscp 0x02 ip6 ecn not-ect ip6 hoplimit 64 ip6 flowlabel 871503 ip6 length 280 tcp sport 59068 tcp dport ssh tcp flags == 0x19 tcp window 1412 
| trace id 4a1d1b92 inet filter input rule nftrace set 1 (verdict continue)
| trace id 4a1d1b92 inet filter input verdict continue 
| trace id 4a1d1b92 inet filter input 

It shows that given packet traverses both chains instead of only the
first one as I would have expected and therefore drop policy of chain
'input' applies instead of the 'accept' verdict in chain 'ssh'.

Is this desired behaviour or is there a bug in chain traversal?

I tested using current nf-next tree, but comparing it's history to that
of current net doesn't show any change which might be related.

Help?

Cheers, Phil

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: nftables: lockout with 0008split_tables_0 test
  2017-11-21 11:15 nftables: lockout with 0008split_tables_0 test Phil Sutter
@ 2017-11-21 17:09 ` Florian Westphal
  2017-11-21 18:39   ` Arturo Borrero Gonzalez
  2017-11-21 22:13   ` [nft PATCH] tests: shell: Prevent lockout in nft-f/0008split_tables_0 Phil Sutter
  0 siblings, 2 replies; 6+ messages in thread
From: Florian Westphal @ 2017-11-21 17:09 UTC (permalink / raw)
  To: Phil Sutter, netfilter-devel, Pablo Neira Ayuso, Florian Westphal

Phil Sutter <phil@nwl.cc> wrote:
> Hi,
> 
> This is about tests/shell/testcases/nft-f/0008split_tables_0, which adds
> the following simple ruleset:
> 
> | table inet filter {
> |         chain ssh {
> |                 type filter hook input priority 0; policy accept;
> |                 tcp dport ssh accept;
> |         }
> | }
> | 
> | table inet filter {
> |         chain input {
> |                 type filter hook input priority 1; policy drop;
> |         }
> | }
> 
> If applied, it kills my SSH connection. :(

Yes, thats expected.
First ssh base chain gets invoked, which accepts any packet
either by verdict or policy.

Then next base chain gets consulted which drops the packet.

I would suggest to either swap the policies or duplicate the ssh
rule into the input chain too.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: nftables: lockout with 0008split_tables_0 test
  2017-11-21 17:09 ` Florian Westphal
@ 2017-11-21 18:39   ` Arturo Borrero Gonzalez
  2017-11-21 18:50     ` Arturo Borrero Gonzalez
  2017-11-21 22:13   ` [nft PATCH] tests: shell: Prevent lockout in nft-f/0008split_tables_0 Phil Sutter
  1 sibling, 1 reply; 6+ messages in thread
From: Arturo Borrero Gonzalez @ 2017-11-21 18:39 UTC (permalink / raw)
  To: Florian Westphal
  Cc: Phil Sutter, Netfilter Development Mailing list,
	Pablo Neira Ayuso

On 21 November 2017 at 18:09, Florian Westphal <fw@strlen.de> wrote:
>
> Yes, thats expected.
> First ssh base chain gets invoked, which accepts any packet
> either by verdict or policy.
>
> Then next base chain gets consulted which drops the packet.
>
> I would suggest to either swap the policies or duplicate the ssh
> rule into the input chain too.

This is something which is actually confusing our users.
I just took the time to extend a bit the documentation:

https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains

Of course, feel free to edit the docs :-)

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: nftables: lockout with 0008split_tables_0 test
  2017-11-21 18:39   ` Arturo Borrero Gonzalez
@ 2017-11-21 18:50     ` Arturo Borrero Gonzalez
  0 siblings, 0 replies; 6+ messages in thread
From: Arturo Borrero Gonzalez @ 2017-11-21 18:50 UTC (permalink / raw)
  To: Florian Westphal
  Cc: Phil Sutter, Netfilter Development Mailing list,
	Pablo Neira Ayuso

On 21 November 2017 at 19:39, Arturo Borrero Gonzalez
<arturo@netfilter.org> wrote:
> On 21 November 2017 at 18:09, Florian Westphal <fw@strlen.de> wrote:
>>
>> Yes, thats expected.
>> First ssh base chain gets invoked, which accepts any packet
>> either by verdict or policy.
>>
>> Then next base chain gets consulted which drops the packet.
>>
>> I would suggest to either swap the policies or duplicate the ssh
>> rule into the input chain too.
>
> This is something which is actually confusing our users.
> I just took the time to extend a bit the documentation:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
>
> Of course, feel free to edit the docs :-)

Unrelated, but I would like to mention other thing that lacks
documentation: the interaction of packet flows between families/hooks

* Does a packet traversing a chain in the ip family traverse again
chains in the inet family? Same the other way around
* Does a packet accepted in the netdev/ingress family/hook gets
evaluated again in ip/ip6/inet families/hooks?

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [nft PATCH] tests: shell: Prevent lockout in nft-f/0008split_tables_0
  2017-11-21 17:09 ` Florian Westphal
  2017-11-21 18:39   ` Arturo Borrero Gonzalez
@ 2017-11-21 22:13   ` Phil Sutter
  2017-11-22 12:17     ` Pablo Neira Ayuso
  1 sibling, 1 reply; 6+ messages in thread
From: Phil Sutter @ 2017-11-21 22:13 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Since packets traverse both tables, the accept rule in the first one is
ineffective due to the second table's drop policy. To prevent lockouts
when running the testsuite via SSH connection, set the second chain's
policy to accept as well.

Fixes: 337c7e0de3d9d ("tests: shell: make sure split table definition works via nft -f")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 tests/shell/testcases/nft-f/0008split_tables_0 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/shell/testcases/nft-f/0008split_tables_0 b/tests/shell/testcases/nft-f/0008split_tables_0
index 2bc6e46c852a6..dd03545b172ac 100755
--- a/tests/shell/testcases/nft-f/0008split_tables_0
+++ b/tests/shell/testcases/nft-f/0008split_tables_0
@@ -19,7 +19,7 @@ RULESET="table inet filter {
 
 table inet filter {
 	chain input {
-		type filter hook input priority 1; policy drop;
+		type filter hook input priority 1; policy accept;
 	}
 }"
 
@@ -37,7 +37,7 @@ EXPECTED="table inet filter {
 	}
 
 	chain input {
-		type filter hook input priority 1; policy drop;
+		type filter hook input priority 1; policy accept;
 	}
 }"
 
-- 
2.13.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [nft PATCH] tests: shell: Prevent lockout in nft-f/0008split_tables_0
  2017-11-21 22:13   ` [nft PATCH] tests: shell: Prevent lockout in nft-f/0008split_tables_0 Phil Sutter
@ 2017-11-22 12:17     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-11-22 12:17 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Tue, Nov 21, 2017 at 11:13:39PM +0100, Phil Sutter wrote:
> Since packets traverse both tables, the accept rule in the first one is
> ineffective due to the second table's drop policy. To prevent lockouts
> when running the testsuite via SSH connection, set the second chain's
> policy to accept as well.

Applied.

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2017-11-22 12:17 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-11-21 11:15 nftables: lockout with 0008split_tables_0 test Phil Sutter
2017-11-21 17:09 ` Florian Westphal
2017-11-21 18:39   ` Arturo Borrero Gonzalez
2017-11-21 18:50     ` Arturo Borrero Gonzalez
2017-11-21 22:13   ` [nft PATCH] tests: shell: Prevent lockout in nft-f/0008split_tables_0 Phil Sutter
2017-11-22 12:17     ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).