Public bug reported:
physdev iptables match was broken in a stable update.
A fix is described in upstream releases 5.15.109 and 6.1.26
== Regression details ==
Discovered in version: 5.19.0-42.43~22.04.1
Last known good version: 5.19.0-41.42~22.04.1
How to tell? Add & use a bridge interface, add catchall filter (no -j ACTION
needed) see if *any* bridge traffic is tracked:
# iptables -A INPUT -m physdev --physdev-in + -m comment --comment "watch me"
# iptables -nvL INPUT | grep watch
The match behaves as if the matched packets were not bridge traffic, and
consistently so: negation works. Security impact highly depends on rule
design. KVM hosts, probably.
LP: #2015511
LP: #2012665
bridge info discarded after 2b272bb558f1d3a5aa95ed8a82253786fd1a48ba
"netfilter: br_netfilter: disable sabotage_in hook after first suppression"
bridge info no longer discarded after 94623f579ce338b5fa61b5acaa5beb8aa657fb9e
"netfilter: br_netfilter: fix recent physdev match breakage"
related module names: xt_physdev nft_meta_bridge br_netfilter
** Affects: linux (Ubuntu)
Importance: Undecided
Status: Fix Committed
** Changed in: linux (Ubuntu)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2020524
Title:
iptables physdev match broken via upstream stable patchset 2023-04-06
/ v5.15.93, fixed upstream in 5.15.109
Status in linux package in Ubuntu:
Fix Committed
Bug description:
physdev iptables match was broken in a stable update.
A fix is described in upstream releases 5.15.109 and 6.1.26
== Regression details ==
Discovered in version: 5.19.0-42.43~22.04.1
Last known good version: 5.19.0-41.42~22.04.1
How to tell? Add & use a bridge interface, add catchall filter (no -j ACTION
needed) see if *any* bridge traffic is tracked:
# iptables -A INPUT -m physdev --physdev-in + -m comment --comment "watch me"
# iptables -nvL INPUT | grep watch
The match behaves as if the matched packets were not bridge traffic,
and consistently so: negation works. Security impact highly depends on
rule design. KVM hosts, probably.
LP: #2015511
LP: #2012665
bridge info discarded after 2b272bb558f1d3a5aa95ed8a82253786fd1a48ba
"netfilter: br_netfilter: disable sabotage_in hook after first suppression"
bridge info no longer discarded after 94623f579ce338b5fa61b5acaa5beb8aa657fb9e
"netfilter: br_netfilter: fix recent physdev match breakage"
related module names: xt_physdev nft_meta_bridge br_netfilter
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2020524/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
