* 6.6.57-stable regression: "netfilter: xtables: avoid NFPROTO_UNSPEC where needed" broke NFLOG on IPv6
From: Krzysztof Olędzki @ 2024-10-20 5:22 UTC (permalink / raw)
To: Florian Westphal, Pablo Neira Ayuso, Greg Kroah-Hartman
Cc: stable, netfilter-devel
Hi,

After upgrading to 6.6.57 I noticed that my IPv6 firewall config failed to load.

Quick investigation flagged NFLOG to be the issue:

# ip6tables -I INPUT -j NFLOG
Warning: Extension NFLOG revision 0 not supported, missing kernel module?
ip6tables: No chain/target/match by that name.

The regression is caused by the following commit:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-6.6.y&id=997f67d813ce0cf5eb3cdb8f124da68141e91b6c

More precisely, the bug is in the change below:

+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "NFLOG",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .checkentry = nflog_tg_check,
+ .destroy = nflog_tg_destroy,
+ .target = nflog_tg,
+ .targetsize = sizeof(struct xt_nflog_info),
+ .me = THIS_MODULE,
+ },
+#endif
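Review bot: `.family = NFPROTO_IPV4` in this entry contradicts its `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` guard: a registration compiled only when ip6tables support is enabled should declare `.family = NFPROTO_IPV6`. As written, nothing in the hunk registers NFLOG revision 0 for the IPv6 family, which matches the `ip6tables -I INPUT -j NFLOG` failure reported above. Suggested change: `.family = NFPROTO_IPV6,`.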

Replacing NFPROTO_IPV4 with NFPROTO_IPV6 fixed the issue.

Looking at the commit, it seems that at least one more target (MARK) may be also impacted:

+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "MARK",
+ .revision = 2,
+ .family = NFPROTO_IPV4,
+ .target = mark_tg,
+ .targetsize = sizeof(struct xt_mark_tginfo2),
+ .me = THIS_MODULE,
+ },
+#endif
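Review bot: same guard/family mismatch in the MARK revision 2 entry: it sits under `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` yet sets `.family = NFPROTO_IPV4`, so the line should read `.family = NFPROTO_IPV6,`. Since the pattern repeats across two targets, every entry under this guard in the commit deserves the same check.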

The same errors seem to be present in the main tree:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0bfcb7b71e735560077a42847f69597ec7dcc326

I also suspect other -stable trees may be impacted by the same issue.

Best regards,
Krzysztof Olędzki
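
An added example, not part of the thread or of the kernel tree: a small source lint that flags `xt_target` initializers placed under `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` whose `.family` is not `NFPROTO_IPV6`, the mismatch described in the report above. The function name, the regexes and the sample array are assumptions made for illustration.

```python
import re
# Constructed sample: one unguarded IPv4 entry, then two entries under the IPv6 guard.
SAMPLE = """
static struct xt_target demo_tg_reg[] __read_mostly = {
    { .name = "NFLOG", .revision = 0, .family = NFPROTO_IPV4, },
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
    {
        .name     = "NFLOG",
        .revision = 0,
        .family   = NFPROTO_IPV4,
    },
    {
        .name     = "MARK",
        .revision = 2,
        .family   = NFPROTO_IPV4,
    },
#endif
};
"""

GUARD = re.compile(r'#\s*if\s+IS_ENABLED\(CONFIG_IP6_NF_IPTABLES\)')
IF = re.compile(r'#\s*if')            # also matches #ifdef / #ifndef
ENDIF = re.compile(r'#\s*endif')
ELSE = re.compile(r'#\s*(else|elif)')
NAME = re.compile(r'\.name\s*=\s*"([^"]+)"')
FAMILY = re.compile(r'\.family\s*=\s*(NFPROTO_\w+)')

def find_family_mismatches(source):
    """Return (line_no, name, family) for each entry inside the IPv6 guard
    whose .family is something other than NFPROTO_IPV6."""
    findings, in_guard, depth, name = [], False, 0, None
    for no, line in enumerate(source.splitlines(), 1):
        s = line.strip()
        if s.startswith("#"):
            if not in_guard:
                in_guard, depth, name = bool(GUARD.match(s)), 0, None
            elif IF.match(s):
                depth += 1                      # nested conditional inside the guard
            elif ENDIF.match(s):
                in_guard, depth = depth > 0, max(depth - 1, 0)
            elif ELSE.match(s) and depth == 0:
                in_guard = False                # #else branch is the non-IPv6 case
            continue
        if in_guard and (m := NAME.search(s)):
            name = m.group(1)
        if in_guard and (m := FAMILY.search(s)) and m.group(1) != "NFPROTO_IPV6":
            findings.append((no, name, m.group(1)))
    return findings
```
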
* Re: 6.6.57-stable regression: "netfilter: xtables: avoid NFPROTO_UNSPEC where needed" broke NFLOG on IPv6
From: Linux regression tracking (Thorsten Leemhuis) @ 2024-10-20 6:09 UTC (permalink / raw)
To: Krzysztof Olędzki, Florian Westphal, Pablo Neira Ayuso,
Greg Kroah-Hartman, Ilya Katsnelson
Cc: stable, netfilter-devel, Linux kernel regressions list
[CCing Ilya and the regression list, as it should be in the loop for
regressions: https://docs.kernel.org/admin-guide/reporting-regressions.html]
> Hi,
>
> After upgrading to 6.6.57 I noticed that my IPv6 firewall config failed to load.
>
> Quick investigation flagged NFLOG to be the issue:
>
> # ip6tables -I INPUT -j NFLOG
> Warning: Extension NFLOG revision 0 not supported, missing kernel module?
> ip6tables: No chain/target/match by that name.
>
> The regression is caused by the following commit:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-6.6.y&id=997f67d813ce0cf5eb3cdb8f124da68141e91b6c
Not my area of expertise, but from a quick look it seems to be a known
problem due to some typos and people are working on a fix here:
https://lore.kernel.org/all/20241019-xtables-typos-v3-1-66dd2eaacf2f@0upti.me/
Ciao, Thorsten
> More precisely, the bug is in the change below:
>
> +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> + {
> + .name = "NFLOG",
> + .revision = 0,
> + .family = NFPROTO_IPV4,
> + .checkentry = nflog_tg_check,
> + .destroy = nflog_tg_destroy,
> + .target = nflog_tg,
> + .targetsize = sizeof(struct xt_nflog_info),
> + .me = THIS_MODULE,
> + },
> +#endif
>
> Replacing NFPROTO_IPV4 with NFPROTO_IPV6 fixed the issue.
>
> Looking at the commit, it seems that at least one more target (MARK) may be also impacted:
>
> +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> + {
> + .name = "MARK",
> + .revision = 2,
> + .family = NFPROTO_IPV4,
> + .target = mark_tg,
> + .targetsize = sizeof(struct xt_mark_tginfo2),
> + .me = THIS_MODULE,
> + },
> +#endif
>
> The same errors seem to be present in the main tree:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0bfcb7b71e735560077a42847f69597ec7dcc326
>
> I also suspect other -stable trees may be impacted by the same issue.
>
> Best regards,
> Krzysztof Olędzki
* Re: 6.6.57-stable regression: "netfilter: xtables: avoid NFPROTO_UNSPEC where needed" broke NFLOG on IPv6
From: Pablo Neira Ayuso @ 2024-10-20 12:51 UTC (permalink / raw)
To: Krzysztof Olędzki
Cc: Florian Westphal, Greg Kroah-Hartman, stable, netfilter-devel
Hi,
On Sat, Oct 19, 2024 at 10:22:01PM -0700, Krzysztof Olędzki wrote:
> Hi,
>
> After upgrading to 6.6.57 I noticed that my IPv6 firewall config failed to load.
>
> Quick investigation flagged NFLOG to be the issue:
>
> # ip6tables -I INPUT -j NFLOG
> Warning: Extension NFLOG revision 0 not supported, missing kernel module?
> ip6tables: No chain/target/match by that name.
>
> The regression is caused by the following commit:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-6.6.y&id=997f67d813ce0cf5eb3cdb8f124da68141e91b6c
Yes, this is the proposed incremental fix.
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20241020124951.180350-1-pablo@netfilter.org/
* Re: 6.6.57-stable regression: "netfilter: xtables: avoid NFPROTO_UNSPEC where needed" broke NFLOG on IPv6
From: Krzysztof Olędzki @ 2024-10-21 2:57 UTC (permalink / raw)
To: Florian Westphal, Pablo Neira Ayuso, Greg Kroah-Hartman,
Ilya Katsnelson, Phil Sutter
Cc: stable, netfilter-devel, netdev@vger.kernel.org
On 19.10.2024 at 22:22, Krzysztof Olędzki wrote:
> Hi,
>
> After upgrading to 6.6.57 I noticed that my IPv6 firewall config failed to load.
>
> Quick investigation flagged NFLOG to be the issue:
>
> # ip6tables -I INPUT -j NFLOG
> Warning: Extension NFLOG revision 0 not supported, missing kernel module?
> ip6tables: No chain/target/match by that name.
>
> The regression is caused by the following commit:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-6.6.y&id=997f67d813ce0cf5eb3cdb8f124da68141e91b6c
>
> More precisely, the bug is in the change below:
>
> +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> + {
> + .name = "NFLOG",
> + .revision = 0,
> + .family = NFPROTO_IPV4,
> + .checkentry = nflog_tg_check,
> + .destroy = nflog_tg_destroy,
> + .target = nflog_tg,
> + .targetsize = sizeof(struct xt_nflog_info),
> + .me = THIS_MODULE,
> + },
> +#endif
>
> Replacing NFPROTO_IPV4 with NFPROTO_IPV6 fixed the issue.
>
> Looking at the commit, it seems that at least one more target (MARK) may be also impacted:
>
> +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> + {
> + .name = "MARK",
> + .revision = 2,
> + .family = NFPROTO_IPV4,
> + .target = mark_tg,
> + .targetsize = sizeof(struct xt_mark_tginfo2),
> + .me = THIS_MODULE,
> + },
> +#endif
>
> The same errors seem to be present in the main tree:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0bfcb7b71e735560077a42847f69597ec7dcc326
>
> I also suspect other -stable trees may be impacted by the same issue.
Seems like this is already being taken care of:
https://lore.kernel.org/netdev/ZxT8ow0auDTe-TDA@calendula/T/#t
Krzysztof