* Regression 1.0.9..1.1.1 in glob inclusion behaviour
From: caskd @ 2024-12-11 9:40 UTC (permalink / raw)
To: netfilter
Hello netfilter users and devs,
Following the upgrade to 1.1.1 I've noticed strange behaviour in the inclusion of my netfilter rulesets. Entries included via glob were duplicated. This only occurs when both -I and -f are used, due to the following commits:
6ef04f99382c074c3669de31cf0a70651662b261 libnftables: search for default include path last
302e9f8b3a1382cf09db32541693b5df7d80ca1e libnftables: add base directory of -f/--filename to include path
Steps to replicate:
Create a directory with one or more rule files.
Include everything in the directory with include 'dir/*' from /etc/nft/rules
Apply the rules with nft -I /etc/nft -f /etc/nft/rules
If the include dir is defined as a command-line parameter then entries are duplicated, while without it they are not.
This was not the case on 1.0.9 before these commits were present.
Has someone worked on a patch for this yet? If not, I might give it a shot myself.
--
Alex D.
RedXen System & Infrastructure Administration
https://redxen.eu/
* Re: Regression 1.0.9..1.1.1 in glob inclusion behaviour
From: Pablo Neira Ayuso @ 2024-12-11 16:03 UTC (permalink / raw)
To: caskd; +Cc: netfilter
On Wed, Dec 11, 2024 at 09:40:43AM +0000, caskd wrote:
> Hello netfilter users and devs,
>
> Following the upgrade to 1.1.1 I've noticed strange behaviour in the inclusion of my netfilter rulesets. Entries included via glob were duplicated. This only occurs when both -I and -f are used, due to the following commits:
>
> 6ef04f99382c074c3669de31cf0a70651662b261 libnftables: search for default include path last
> 302e9f8b3a1382cf09db32541693b5df7d80ca1e libnftables: add base directory of -f/--filename to include path
>
> Steps to replicate:
>
> Create a directory with one or more rule files.
> Include everything in the directory with include 'dir/*' from /etc/nft/rules
> Apply the rules with nft -I /etc/nft -f /etc/nft/rules
>
> If the include dir is defined as a command-line parameter then entries are duplicated, while without it they are not.
> This was not the case on 1.0.9 before these commits were present.
>
> Has someone worked on a patch for this yet? If not, I might give it a shot myself.
Please, take a look, thanks.
* Re: Regression 1.0.9..1.1.1 in glob inclusion behaviour
From: Pablo Neira Ayuso @ 2024-12-11 20:59 UTC (permalink / raw)
To: caskd; +Cc: netfilter
Hi,
On Wed, Dec 11, 2024 at 09:40:43AM +0000, caskd wrote:
> Hello netfilter users and devs,
>
> Following the upgrade to 1.1.1 I've noticed strange behaviour in the inclusion of my netfilter rulesets. Entries included via glob were duplicated. This only occurs when both -I and -f are used, due to the following commits:
>
> 6ef04f99382c074c3669de31cf0a70651662b261 libnftables: search for default include path last
> 302e9f8b3a1382cf09db32541693b5df7d80ca1e libnftables: add base directory of -f/--filename to include path
>
> Steps to replicate:
>
> Create a directory with one or more rule files.
> Include everything in the directory with include 'dir/*' from /etc/nft/rules
> Apply the rules with nft -I /etc/nft -f /etc/nft/rules
>
> If the include dir is defined as a command-line parameter then entries are duplicated, while without it they are not.
> This was not the case on 1.0.9 before these commits were present.
>
> Has someone worked on a patch for this yet? If not, I might give it a shot myself.
I don't manage to reproduce such duplication with 1.1.1.
Would you make a simpler reproducer? What default directory do you have
for nftables? You can guess via:
# nft -h | grep "\-I"
Thanks.
* Re: Regression 1.0.9..1.1.1 in glob inclusion behaviour
From: caskd @ 2024-12-12 10:33 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
> I don't manage to reproduce such duplication with 1.1.1.
>
> Would you make a simpler reproducer?
Yes, surely. I've tested the following in a privileged Debian unstable container and I have the same behaviour.
mkdir -p /tmp/test/include
# cat, not echo, is needed here: echo ignores stdin, so the heredoc would never reach the file
cat > /tmp/test/main <<-EOF
table inet test {
chain test {
include "include/*";
}
}
EOF
echo "tcp dport 22 accept;" > /tmp/test/include/one
echo "tcp dport 25 accept;" > /tmp/test/include/two
nft -e -I /tmp/test/ -f /tmp/test/main
Executing this on 1.1.1 results in the following being executed/outputted:
root@nnd-navi:/tmp/test# nft -e -I /tmp/test/ -f /tmp/test/main
add table inet test
add chain inet test test
add rule inet test test tcp dport 22 accept
add rule inet test test handle 2 tcp dport 25 accept
add rule inet test test handle 3 tcp dport 22 accept
add rule inet test test tcp dport 25 accept
I've replicated it also on Debian nftables with the following invocation:
# podman run --rm -it --privileged --network=host -w /tmp "debian:unstable"
# apt update
# apt install nftables
# ... (steps from reproducer go here)
> What default directory you have for nftables? You can guess via:
>
> # nft -h | grep "\-I"
While I highly suspect the include dir path is unrelated, here they are:
Alpine v3.21: /usr/share
Debian trixie/sid: /etc
> Thanks.
--
Alex D.
RedXen System & Infrastructure Administration
https://redxen.eu/
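The mechanism behind the duplicated rules above, as an added illustration that is not code from the thread or from nftables: the include path is searched in the order the two commits describe (the -I directories, then the base directory of the -f file, then the distribution default last), and a glob include is expanded in every directory of that path, so when `-I /tmp/test/` and `-f /tmp/test/main` name the same directory each matching file is included twice. Python is used here rather than shell because the point is the path-resolution logic, not the nft invocation. The "expand in every directory" behaviour is inferred from the `nft -e` output posted above, not taken from the nft source; the `dedupe_dirs` function is an assumption about the kind of check a fix needs (Pablo's patch is only linked in the thread, not shown) and is not his patch. All function names and the temporary layout are this example's own.

```python
# Added example, not code from the thread or from nftables.
# Models how an include path that lists the same directory twice turns one
# glob include into duplicated rules, and shows a canonical-path dedupe.
import glob
import os
import tempfile


def build_include_path(dash_i_dirs, rules_file, default_dir):
    """Include path in the order the thread's commits describe:
    -I directories first, then the base directory of -f, default dir last."""
    return list(dash_i_dirs) + [os.path.dirname(rules_file), default_dir]


def dedupe_dirs(dirs):
    """Drop repeated directories, comparing canonical paths so that
    '/tmp/test/' and '/tmp/test' count as one entry.
    Assumption: this is the kind of check a fix needs; the real patch
    is not shown on this page."""
    seen = set()
    kept = []
    for d in dirs:
        key = os.path.realpath(d)
        if key in seen:
            continue
        seen.add(key)
        kept.append(d)
    return kept


def resolve_glob_include(pattern, include_path):
    """Expand `include "pattern"` in every directory of the include path and
    return all matched files in order (behaviour inferred from the posted
    output). A directory listed twice contributes its matches twice."""
    matches = []
    for d in include_path:
        matches.extend(sorted(glob.glob(os.path.join(d, pattern))))
    return matches


def read_rules(files):
    rules = []
    for path in files:
        with open(path) as f:
            rules.append(f.read().strip())
    return rules


def reproduce():
    """Recreate the reporter's layout in a temporary directory (constructed
    here) and return the rule lists for the naive and the deduplicated path."""
    with tempfile.TemporaryDirectory() as root:
        inc = os.path.join(root, "include")
        os.mkdir(inc)
        with open(os.path.join(inc, "one"), "w") as f:
            f.write("tcp dport 22 accept;\n")
        with open(os.path.join(inc, "two"), "w") as f:
            f.write("tcp dport 25 accept;\n")
        main = os.path.join(root, "main")
        open(main, "w").close()
        # Stand-in for the distribution default (/etc or /usr/share in the thread).
        default_dir = os.path.join(root, "default-unused")
        # nft -e -I <root>/ -f <root>/main : the trailing slash means a plain
        # string comparison would NOT notice that both entries are the same dir.
        path = build_include_path([root + "/"], main, default_dir)
        naive = read_rules(resolve_glob_include("include/*", path))
        fixed = read_rules(resolve_glob_include("include/*", dedupe_dirs(path)))
        return naive, fixed


if __name__ == "__main__":
    naive, fixed = reproduce()
    print("include path as given:", naive)   # each rule twice
    print("include path deduped: ", fixed)   # each rule once
```

The trailing-slash case is the part worth keeping in mind when reviewing a fix: comparing the raw strings `/tmp/test/` and `/tmp/test` would still let the duplicate through, so the comparison has to be on a canonical form of the path.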
* Re: Regression 1.0.9..1.1.1 in glob inclusion behaviour
From: Pablo Neira Ayuso @ 2024-12-12 22:26 UTC (permalink / raw)
To: caskd; +Cc: netfilter
Hi,
On Thu, Dec 12, 2024 at 10:33:14AM +0000, caskd wrote:
> > I don't manage to reproduce such duplication with 1.1.1.
> >
> > Would you make a simpler reproducer?
> Yes, surely. I've tested the following in a privileged Debian unstable container and I have the same behaviour.
>
> mkdir -p /tmp/test/include
> cat > /tmp/test/main <<-EOF
> table inet test {
> chain test {
> include "include/*";
> }
> }
> EOF
> echo "tcp dport 22 accept;" > /tmp/test/include/one
> echo "tcp dport 25 accept;" > /tmp/test/include/two
> nft -e -I /tmp/test/ -f /tmp/test/main
>
> Executing this on 1.1.1 results in the following being executed/outputted:
> root@nnd-navi:/tmp/test# nft -e -I /tmp/test/ -f /tmp/test/main
> add table inet test
> add chain inet test test
> add rule inet test test tcp dport 22 accept
> add rule inet test test handle 2 tcp dport 25 accept
> add rule inet test test handle 3 tcp dport 22 accept
> add rule inet test test tcp dport 25 accept
Thanks for your reproducer.
I am proposing the following fix for this issue:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20241212222436.179133-1-pablo@netfilter.org/