* Android boot failure with 6.12
@ 2025-01-10 22:20 Maciej Żenczykowski
2025-01-10 22:23 ` Maciej Żenczykowski
0 siblings, 1 reply; 10+ messages in thread
From: Maciej Żenczykowski @ 2025-01-10 22:20 UTC (permalink / raw)
To: Netfilter Development Mailinglist, Florian Westphal,
Pablo Neira Ayuso
We've had to:
Revert "netfilter: xtables: avoid NFPROTO_UNSPEC where needed"
https://android-review.googlesource.com/c/kernel/common/+/3305935/2
It seems the failure is (probably related to):
...
E IptablesRestoreController: -A bw_INPUT -j MARK --or-mark 0x100000
...
E IptablesRestoreController: ------- ERROR -------
E IptablesRestoreController: Warning: Extension MARK revision 0 not
supported, missing kernel module?
E IptablesRestoreController: ip6tables-restore v1.8.10 (legacy): MARK
target: kernel too old for --or-mark
E IptablesRestoreController: Error occurred at line: 27
But, I don't see an obvious bug in the CL we had to revert...
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Android boot failure with 6.12
2025-01-10 22:20 Android boot failure with 6.12 Maciej Żenczykowski
@ 2025-01-10 22:23 ` Maciej Żenczykowski
2025-01-10 22:28 ` Maciej Żenczykowski
0 siblings, 1 reply; 10+ messages in thread
From: Maciej Żenczykowski @ 2025-01-10 22:23 UTC (permalink / raw)
To: Netfilter Development Mailinglist, Florian Westphal,
Pablo Neira Ayuso
Oh, wait
.family = NFPROTO_IPV4,
in the v6 section
On Fri, Jan 10, 2025 at 2:20 PM Maciej Żenczykowski
<zenczykowski@gmail.com> wrote:
>
> We've had to:
> Revert "netfilter: xtables: avoid NFPROTO_UNSPEC where needed"
> https://android-review.googlesource.com/c/kernel/common/+/3305935/2
>
> It seems the failure is (probably related to):
> ...
> E IptablesRestoreController: -A bw_INPUT -j MARK --or-mark 0x100000
> ...
> E IptablesRestoreController: ------- ERROR -------
> E IptablesRestoreController: Warning: Extension MARK revision 0 not
> supported, missing kernel module?
> E IptablesRestoreController: ip6tables-restore v1.8.10 (legacy): MARK
> target: kernel too old for --or-mark
> E IptablesRestoreController: Error occurred at line: 27
>
> But, I don't see an obvious bug in the CL we had to revert...
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Android boot failure with 6.12
2025-01-10 22:23 ` Maciej Żenczykowski
@ 2025-01-10 22:28 ` Maciej Żenczykowski
2025-01-10 22:36 ` Maciej Żenczykowski
0 siblings, 1 reply; 10+ messages in thread
From: Maciej Żenczykowski @ 2025-01-10 22:28 UTC (permalink / raw)
To: Netfilter Development Mailinglist, Florian Westphal,
Pablo Neira Ayuso
Which likely means the fix would be:
https://android-review.googlesource.com/c/kernel/common/+/3445350/1..2
On Fri, Jan 10, 2025 at 2:23 PM Maciej Żenczykowski
<zenczykowski@gmail.com> wrote:
>
> Oh, wait
>
> .family = NFPROTO_IPV4,
>
> in the v6 section
>
> On Fri, Jan 10, 2025 at 2:20 PM Maciej Żenczykowski
> <zenczykowski@gmail.com> wrote:
> >
> > We've had to:
> > Revert "netfilter: xtables: avoid NFPROTO_UNSPEC where needed"
> > https://android-review.googlesource.com/c/kernel/common/+/3305935/2
> >
> > It seems the failure is (probably related to):
> > ...
> > E IptablesRestoreController: -A bw_INPUT -j MARK --or-mark 0x100000
> > ...
> > E IptablesRestoreController: ------- ERROR -------
> > E IptablesRestoreController: Warning: Extension MARK revision 0 not
> > supported, missing kernel module?
> > E IptablesRestoreController: ip6tables-restore v1.8.10 (legacy): MARK
> > target: kernel too old for --or-mark
> > E IptablesRestoreController: Error occurred at line: 27
> >
> > But, I don't see an obvious bug in the CL we had to revert...
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Android boot failure with 6.12
2025-01-10 22:28 ` Maciej Żenczykowski
@ 2025-01-10 22:36 ` Maciej Żenczykowski
2025-01-11 13:31 ` Jozsef Kadlecsik
2025-01-11 13:57 ` Pablo Neira Ayuso
0 siblings, 2 replies; 10+ messages in thread
From: Maciej Żenczykowski @ 2025-01-10 22:36 UTC (permalink / raw)
To: Netfilter Development Mailinglist, Florian Westphal,
Pablo Neira Ayuso
nvm - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter/xt_mark.c?id=306ed1728e8438caed30332e1ab46b28c25fe3d8
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Android boot failure with 6.12
2025-01-10 22:36 ` Maciej Żenczykowski
@ 2025-01-11 13:31 ` Jozsef Kadlecsik
2025-01-11 14:05 ` Florian Westphal
2025-01-11 14:17 ` Pablo Neira Ayuso
2025-01-11 13:57 ` Pablo Neira Ayuso
1 sibling, 2 replies; 10+ messages in thread
From: Jozsef Kadlecsik @ 2025-01-11 13:31 UTC (permalink / raw)
To: Maciej Żenczykowski
Cc: Netfilter Development Mailinglist, Florian Westphal,
Pablo Neira Ayuso
[-- Attachment #1: Type: text/plain, Size: 2094 bytes --]
Hi,
On Fri, 10 Jan 2025, Maciej Żenczykowski wrote:
> nvm - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter/xt_mark.c?id=306ed1728e8438caed30332e1ab46b28c25fe3d8
Sorry, but I don't understand the patch at all. With it applied now it'd
be not possible to load in the "MARK" target with IPv4. The code segment
after the patch:
static struct xt_target mark_tg_reg[] __read_mostly = {
{
.name = "MARK",
.revision = 2,
.family = NFPROTO_IPV6,
.target = mark_tg,
.targetsize = sizeof(struct xt_mark_tginfo2),
.me = THIS_MODULE,
},
#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)
{
.name = "MARK",
.revision = 2,
.family = NFPROTO_ARP,
.target = mark_tg,
.targetsize = sizeof(struct xt_mark_tginfo2),
.me = THIS_MODULE,
},
#endif
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
{
.name = "MARK",
.revision = 2,
.family = NFPROTO_IPV6,
.target = mark_tg,
.targetsize = sizeof(struct xt_mark_tginfo2),
.me = THIS_MODULE,
},
#endif
};
How is it supposed to work for IPv4?
Why the "IS_ENABLED(CONFIG_IP6_NF_IPTABLES)" part was not enough for the
IPv6-specific MARK target to be compiled in? Isn't it an issue about
selecting CONFIG_IP6_NF_IPTABLES vs CONFIG_IP6_NF_IPTABLES_LEGACY?
Also, why the "mark" match was not split into NFPROTO_IPV4, NFPROTO_ARP,
NFPROTO_IPV6 explicitly (and other matches where the target was split)?
Best regards,
Jozsef
--
E-mail : kadlec@netfilter.org, kadlec@blackhole.kfki.hu,
kadlecsik.jozsef@wigner.hu
Address: Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Android boot failure with 6.12
2025-01-10 22:36 ` Maciej Żenczykowski
2025-01-11 13:31 ` Jozsef Kadlecsik
@ 2025-01-11 13:57 ` Pablo Neira Ayuso
1 sibling, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2025-01-11 13:57 UTC (permalink / raw)
To: Maciej Żenczykowski
Cc: Netfilter Development Mailinglist, Florian Westphal
On Fri, Jan 10, 2025 at 02:36:56PM -0800, Maciej Żenczykowski wrote:
> nvm - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter/xt_mark.c?id=306ed1728e8438caed30332e1ab46b28c25fe3d8
Yes, 306ed1728e8438ca is the follow up fix you need:
commit 306ed1728e8438caed30332e1ab46b28c25fe3d8
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun Oct 20 14:49:51 2024 +0200
netfilter: xtables: fix typo causing some targets not to load on IPv6
- There is no NFPROTO_IPV6 family for mark and NFLOG.
- TRACE is also missing module autoload with NFPROTO_IPV6.
This results in ip6tables failing to restore a ruleset. This issue has been
reported by several users providing incomplete patches.
Very similar to Ilya Katsnelson's patch including a missing chunk in the
TRACE extension.
Thanks.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Android boot failure with 6.12
2025-01-11 13:31 ` Jozsef Kadlecsik
@ 2025-01-11 14:05 ` Florian Westphal
2025-01-11 16:51 ` Jozsef Kadlecsik
2025-01-11 14:17 ` Pablo Neira Ayuso
1 sibling, 1 reply; 10+ messages in thread
From: Florian Westphal @ 2025-01-11 14:05 UTC (permalink / raw)
To: Jozsef Kadlecsik
Cc: Maciej Żenczykowski, Netfilter Development Mailinglist,
Florian Westphal, Pablo Neira Ayuso
Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
> > nvm - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter/xt_mark.c?id=306ed1728e8438caed30332e1ab46b28c25fe3d8
>
> Sorry, but I don't understand the patch at all. With it applied now it'd
> be not possible to load in the "MARK" target with IPv4. The code segment
> after the patch:
>
> static struct xt_target mark_tg_reg[] __read_mostly = {
> {
> .name = "MARK",
> .revision = 2,
> .family = NFPROTO_IPV6,
> .target = mark_tg,
> .targetsize = sizeof(struct xt_mark_tginfo2),
> .me = THIS_MODULE,
> },
> #if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)
Then you re-applied the patch, its already in 6.12.
NFPROTO_IPV6 is only set in the IP6_NF_IPTABLES section.
> Why the "IS_ENABLED(CONFIG_IP6_NF_IPTABLES)" part was not enough for the
> IPv6-specific MARK target to be compiled in? Isn't it an issue about
> selecting CONFIG_IP6_NF_IPTABLES vs CONFIG_IP6_NF_IPTABLES_LEGACY?
No, _LEGACY is about the set/gersockopt interface and the old
xt traversers, we could still use e.g. xt_mark.ko via NFT_COMPAT
interface.
> Also, why the "mark" match was not split into NFPROTO_IPV4, NFPROTO_ARP,
> NFPROTO_IPV6 explicitly (and other matches where the target was split)?
mark match is fine, afaics. Whats the concern?
The target got split because ebtables EBT_CONTINUE isn't equal to
XT_CONTINUE, so it won't do the right thing.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Android boot failure with 6.12
2025-01-11 13:31 ` Jozsef Kadlecsik
2025-01-11 14:05 ` Florian Westphal
@ 2025-01-11 14:17 ` Pablo Neira Ayuso
2025-01-11 16:53 ` Jozsef Kadlecsik
1 sibling, 1 reply; 10+ messages in thread
From: Pablo Neira Ayuso @ 2025-01-11 14:17 UTC (permalink / raw)
To: Jozsef Kadlecsik
Cc: Maciej Żenczykowski, Netfilter Development Mailinglist,
Florian Westphal
Hi Jozsef,
On Sat, Jan 11, 2025 at 02:31:18PM +0100, Jozsef Kadlecsik wrote:
> Hi,
>
> On Fri, 10 Jan 2025, Maciej Żenczykowski wrote:
>
> > nvm - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter/xt_mark.c?id=306ed1728e8438caed30332e1ab46b28c25fe3d8
>
> Sorry, but I don't understand the patch at all. With it applied now it'd
> be not possible to load in the "MARK" target with IPv4. The code segment
> after the patch:
>
> static struct xt_target mark_tg_reg[] __read_mostly = {
> {
> .name = "MARK",
> .revision = 2,
> .family = NFPROTO_IPV6,
> .target = mark_tg,
> .targetsize = sizeof(struct xt_mark_tginfo2),
> .me = THIS_MODULE,
> },
> #if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)
> {
> .name = "MARK",
> .revision = 2,
> .family = NFPROTO_ARP,
> .target = mark_tg,
> .targetsize = sizeof(struct xt_mark_tginfo2),
> .me = THIS_MODULE,
> },
> #endif
> #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> {
> .name = "MARK",
> .revision = 2,
> .family = NFPROTO_IPV6,
> .target = mark_tg,
> .targetsize = sizeof(struct xt_mark_tginfo2),
> .me = THIS_MODULE,
> },
> #endif
> };
>
> How is it supposed to work for IPv4?
>
> Why the "IS_ENABLED(CONFIG_IP6_NF_IPTABLES)" part was not enough for the
> IPv6-specific MARK target to be compiled in? Isn't it an issue about
> selecting CONFIG_IP6_NF_IPTABLES vs CONFIG_IP6_NF_IPTABLES_LEGACY?
This was fixed by an incremental patch:
306ed1728e84 ("netfilter: xtables: fix typo causing some targets not to load on IPv6")
so there is no two MARK targets for NFPROTO_IPV6.
> Also, why the "mark" match was not split into NFPROTO_IPV4, NFPROTO_ARP,
> NFPROTO_IPV6 explicitly (and other matches where the target was split)?
The audit to tighten this interface searched for:
- use of xtables verdicts are incompatible with ebtables.
- IP header cannot be assumed to be linear on ebtables.
xt_mark match can be restricted too, ebtables uses ebt_mark. But this
should be safe, so this patch should probably go via nf-next.
Thanks.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Android boot failure with 6.12
2025-01-11 14:05 ` Florian Westphal
@ 2025-01-11 16:51 ` Jozsef Kadlecsik
0 siblings, 0 replies; 10+ messages in thread
From: Jozsef Kadlecsik @ 2025-01-11 16:51 UTC (permalink / raw)
To: Florian Westphal
Cc: Maciej Żenczykowski, Netfilter Development Mailinglist,
Pablo Neira Ayuso
Hi Florian,
On Sat, 11 Jan 2025, Florian Westphal wrote:
> > Also, why the "mark" match was not split into NFPROTO_IPV4,
> > NFPROTO_ARP, NFPROTO_IPV6 explicitly (and other matches where the
> > target was split)?
>
> mark match is fine, afaics. Whats the concern?
>
> The target got split because ebtables EBT_CONTINUE isn't equal to
> XT_CONTINUE, so it won't do the right thing.
I have just reread the description of your patch "netfilter: xtables:
avoid NFPROTO_UNSPEC where needed" and now I see why the match is fine as
is. Thanks!
Best regards,
Jozsef
--
E-mail : kadlec@netfilter.org, kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
Address: Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Android boot failure with 6.12
2025-01-11 14:17 ` Pablo Neira Ayuso
@ 2025-01-11 16:53 ` Jozsef Kadlecsik
0 siblings, 0 replies; 10+ messages in thread
From: Jozsef Kadlecsik @ 2025-01-11 16:53 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Maciej Żenczykowski, Netfilter Development Mailinglist,
Florian Westphal
[-- Attachment #1: Type: text/plain, Size: 2541 bytes --]
Hi Pablo,
On Sat, 11 Jan 2025, Pablo Neira Ayuso wrote:
> On Sat, Jan 11, 2025 at 02:31:18PM +0100, Jozsef Kadlecsik wrote:
> >
> > On Fri, 10 Jan 2025, Maciej Żenczykowski wrote:
> >
> > > nvm - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter/xt_mark.c?id=306ed1728e8438caed30332e1ab46b28c25fe3d8
> >
> > Sorry, but I don't understand the patch at all. With it applied now it'd
> > be not possible to load in the "MARK" target with IPv4. The code segment
> > after the patch:
> >
> > static struct xt_target mark_tg_reg[] __read_mostly = {
> > {
> > .name = "MARK",
> > .revision = 2,
> > .family = NFPROTO_IPV6,
> > .target = mark_tg,
> > .targetsize = sizeof(struct xt_mark_tginfo2),
> > .me = THIS_MODULE,
> > },
> > #if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)
> > {
> > .name = "MARK",
> > .revision = 2,
> > .family = NFPROTO_ARP,
> > .target = mark_tg,
> > .targetsize = sizeof(struct xt_mark_tginfo2),
> > .me = THIS_MODULE,
> > },
> > #endif
> > #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> > {
> > .name = "MARK",
> > .revision = 2,
> > .family = NFPROTO_IPV6,
> > .target = mark_tg,
> > .targetsize = sizeof(struct xt_mark_tginfo2),
> > .me = THIS_MODULE,
> > },
> > #endif
> > };
> >
> > How is it supposed to work for IPv4?
> >
> > Why the "IS_ENABLED(CONFIG_IP6_NF_IPTABLES)" part was not enough for the
> > IPv6-specific MARK target to be compiled in? Isn't it an issue about
> > selecting CONFIG_IP6_NF_IPTABLES vs CONFIG_IP6_NF_IPTABLES_LEGACY?
>
> This was fixed by an incremental patch:
>
> 306ed1728e84 ("netfilter: xtables: fix typo causing some targets not to load on IPv6")
>
> so there is no two MARK targets for NFPROTO_IPV6.
No, it was my fault not checking the patch properly. It's completely fine,
sorry for the noise!
Best regards,
Jozsef
--
E-mail : kadlec@netfilter.org, kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
Address: Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2025-01-11 16:53 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-10 22:20 Android boot failure with 6.12 Maciej Żenczykowski
2025-01-10 22:23 ` Maciej Żenczykowski
2025-01-10 22:28 ` Maciej Żenczykowski
2025-01-10 22:36 ` Maciej Żenczykowski
2025-01-11 13:31 ` Jozsef Kadlecsik
2025-01-11 14:05 ` Florian Westphal
2025-01-11 16:51 ` Jozsef Kadlecsik
2025-01-11 14:17 ` Pablo Neira Ayuso
2025-01-11 16:53 ` Jozsef Kadlecsik
2025-01-11 13:57 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).