Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

To: Timo Sigurdsson <public_timo.s@silentcreek.de>, 1051592@bugs.debian.org
Subject: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 11 Sep 2023 16:08:07 +0200
Message-id: <[🔎] ZP8fR0gKpsCTfAaJ@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1051592@bugs.debian.org
In-reply-to: <[🔎] 20230911011518.4A9AA6320354@dd20004.kasserver.com>
References: <[🔎] 20230910083845.8232D6320570@dd20004.kasserver.com> <[🔎] ZP2Yl5wDTOwuCsB4@eldamar.lan> <[🔎] 20230910083845.8232D6320570@dd20004.kasserver.com> <[🔎] 20230911011518.4A9AA6320354@dd20004.kasserver.com> <[🔎] 20230910083845.8232D6320570@dd20004.kasserver.com>

Control: tags -1 - moreinfo unreproducible

Hi Timo,

On Mon, Sep 11, 2023 at 03:15:18AM +0200, Timo Sigurdsson wrote:
> Hi,
> 
> Salvatore Bonaccorso schrieb am 10.09.2023 12:21 (GMT +02:00):
> 
> > Would it be possible to provide a minimal set of rules triggering the
> > issue? Can you reproduce the issue with the official build?
> 
> So, I did some more testing on a different machine running the official build. My findings so far are:
> 1) Yes, I can reproduce the issue with the official build.
> 2) The issue depends on the ruleset. The minimal ruleset I have on that machine, doesn't trigger the issue, but when I copy over the ruleset from the machine I first observed this on, then I can reproduce it.
> 
> I'm attaching a somewhat stripped down version of my original, rather complex ruleset. It's by no means a "minimal" reproducer, cause I haven't had the time yet to further reduce it in order to see what actually triggers it. But you should be able to observe that this ruleset loads just fine on linux 6.1.38-4, but doesn't anymore on 6.1.52-1.

Thanks for providing it, this helps debugging the issue.

> I also started looking into what commit could have introduced this. My first guess "netfilter: nft_dynset: disallow object maps" (23185c6aed1f) is wrong. Even with this one reverted, the issue occurs. I'll try another build with "netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID" (0ebc1064e487) reverted tomorrow evening...

Thanks, as soon we have the introducing commit we can go to the next
step and check upstream. I cannot trigger the problem with 6.4.13-1 or
6.5.2.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: Salvatore Bonaccorso <carnil@debian.org>

References:
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: "Timo Sigurdsson" <public_timo.s@silentcreek.de>
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
  - From: "Timo Sigurdsson" <public_timo.s@silentcreek.de>

Prev by Date: Bug#1051577: iproute2: obsolete conffiles
Next by Date: Processed: Re: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
Previous by thread: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
Next by thread: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables
Index(es):
- Date
- Thread