Bug#1051592: Regression: Commit "netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID" breaks ruleset loading in linux-stable
- To: regressions@lists.linux.dev, fw@strlen.de
- Cc: pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, sashal@kernel.org, carnil@debian.org, 1051592@bugs.debian.org
- Subject: Bug#1051592: Regression: Commit "netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID" breaks ruleset loading in linux-stable
- From: "Timo Sigurdsson" <public_timo.s@silentcreek.de>
- Date: Tue, 12 Sep 2023 13:47:29 +0200 (CEST)
- Message-id: <[🔎] 20230912114729.EFBC26320998@dd20004.kasserver.com>
- Reply-to: "Timo Sigurdsson" <public_timo.s@silentcreek.de>, 1051592@bugs.debian.org
- In-reply-to: <[🔎] 20230912102701.GA13516@breakpoint.cc>
- References: <20230911213750.5B4B663206F5@dd20004.kasserver.com> <ZP+bUpxJiFcmTWhy@calendula> <[🔎] b30a81fa-6b59-4bac-b109-99a4dca689de@leemhuis.info><[🔎] 20230912102701.GA13516@breakpoint.cc> <[🔎] 20230910083845.8232D6320570@dd20004.kasserver.com>
Hi,
Florian Westphal schrieb am 12.09.2023 12:27 (GMT +02:00):
> Linux regression tracking (Thorsten Leemhuis) <regressions@leemhuis.info>
> wrote:
>> On 12.09.23 00:57, Pablo Neira Ayuso wrote:
>> > Userspace nftables v1.0.6 generates incorrect bytecode that hits a new
>> > kernel check that rejects adding rules to bound chains. The incorrect
>> > bytecode adds the chain binding, attach it to the rule and it adds the
>> > rules to the chain binding. I have cherry-picked these three patches
>> > for nftables v1.0.6 userspace and your ruleset restores fine.
>> > [...]
>>
>> Hmmmm. Well, this sounds like a kernel regression to me that normally
>> should be dealt with on the kernel level, as users after updating the
>> kernel should never have to update any userspace stuff to continue what
>> they have been doing before the kernel update.
>
> This is a combo of a userspace bug and this new sanity check that
> rejects the incorrect ordering (adding rules to the already-bound
> anonymous chain).
>
Out of curiosity, did the incorrect ordering or bytecode from the older userspace components actually lead to a wrong representation of the rules in the kernel or did the rules still work despite all that?
Thanks,
Timo
Reply to: