
Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables



Control: tags -1 - moreinfo unreproducible

Hi Timo,

On Mon, Sep 11, 2023 at 03:15:18AM +0200, Timo Sigurdsson wrote:
> Hi,
> 
> Salvatore Bonaccorso schrieb am 10.09.2023 12:21 (GMT +02:00):
> 
> > Would it be possible to provide a minimal set of rules triggering the
> > issue? Can you reproduce the issue with the official build?
> 
> So, I did some more testing on a different machine running the official build. My findings so far are:
> 1) Yes, I can reproduce the issue with the official build.
> 2) The issue depends on the ruleset. The minimal ruleset I have on that machine doesn't trigger the issue, but when I copy over the ruleset from the machine I first observed this on, then I can reproduce it.
> 
> I'm attaching a somewhat stripped down version of my original, rather complex ruleset. It's by no means a "minimal" reproducer, because I haven't had the time yet to further reduce it in order to see what actually triggers it. But you should be able to observe that this ruleset loads just fine on linux 6.1.38-4, but doesn't anymore on 6.1.52-1.

Thanks for providing it, this helps debugging the issue.

> I also started looking into what commit could have introduced this. My first guess "netfilter: nft_dynset: disallow object maps" (23185c6aed1f) is wrong. Even with this one reverted, the issue occurs. I'll try another build with "netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID" (0ebc1064e487) reverted tomorrow evening...

Thanks, as soon as we have the introducing commit we can go to the next
step and check upstream. I cannot trigger the problem with 6.4.13-1 or
6.5.2.

Regards,
Salvatore
