Public bug reported:

[Impact]
After kernel fixes for CVE-2023-4147/CVE-2023-3995 were applied, the kernel 
nftables module does not accept certain bogus rules that were built by the nft 
tool. A fix for nft was provided to produce rules as now expected by the kernel.

[Test case]
Running nftables testcase 0041chain_binding_0 on linux-5.15.0-83-generic or 
linux-6.2.0-32-generic will show the following error:

ubuntu@jammy2:~/nftables-1.0.2/tests/shell$ sudo NFT=/usr/sbin/nft ./run-tests.sh -g ./testcases/chains/0041chain_binding_0
I: using nft command: /usr/sbin/nft

W: [FAILED]     ./testcases/chains/0041chain_binding_0: got 1
/dev/stdin:5:25-95: Error: Could not process rule: Operation not supported
                        ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter accept
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/dev/stdin:6:25-56: Error: Could not process rule: Operation not supported
                        ip6 saddr ::1/128 counter accept
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I: results: [OK] 0 [FAILED] 1 [TOTAL] 1

The expected result is:
ubuntu@jammy2:~/nftables-1.0.2/tests/shell$ sudo NFT=/usr/sbin/nft ./run-tests.sh -g ./testcases/chains/0041chain_binding_0
I: using nft command: /usr/sbin/nft

I: [OK]         ./testcases/chains/0041chain_binding_0

I: results: [OK] 1 [FAILED] 0 [TOTAL] 1

Another test case is trying to run nft -f test.nft with the following
contents on test.nft:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain PREROUTING_RAW {
                type filter hook prerouting priority raw;

                tcp flags syn jump {
                        tcp option maxseg size 1-500 counter drop
                        tcp sport 0 counter drop
                }
                rt type 0 counter drop
        }
}

A broken nft will produce:
./test.nft:10:4-44: Error: Could not process rule: Operation not supported
                        tcp option maxseg size 1-500 counter drop
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
./test.nft:11:4-27: Error: Could not process rule: Operation not supported
                        tcp sport 0 counter drop
                        ^^^^^^^^^^^^^^^^^^^^^^^^

A fixed nft will produce no output, but a following 'nft list ruleset' command 
will show:
table inet filter {
        chain PREROUTING_RAW {
                type filter hook prerouting priority raw; policy accept;
                tcp flags syn jump {
                        tcp option maxseg size 1-500 counter packets 0 bytes 0 drop
                        tcp sport 0 counter packets 0 bytes 0 drop
                }
                rt type 0 counter packets 0 bytes 0 drop
        }
}
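The two test cases above are checked by eye. The following POSIX shell harness is an added example, not part of the bug report: it writes the same test.nft, runs nft on it in check mode, and classifies nft's output so a script (or a test suite) can tell a broken nft, whose rules the patched kernel rejects with "Operation not supported", from a fixed one. It assumes nft is on PATH (or named via NFT as in the report), that the caller is root, and that `nft -c` surfaces the kernel's rejection the same way `nft -f` does; the sample output in the test is the error text quoted above.

```shell
#!/bin/sh
# Added example around the second test case in the report. Not nftables'
# own code. Assumes: nft on PATH or in $NFT, root privileges for check_nft,
# and that `nft -c` (check mode) reports the same kernel rejection as `nft -f`.

# classify_nft_output: read nft's combined stdout/stderr on stdin.
# Prints "broken" (exit 1) when the kernel refused a rule with
# "Operation not supported", "other" (exit 2) for any other nft error,
# and "ok" (exit 0) when nft printed no error at all.
classify_nft_output() {
    _out=$(cat)
    if printf '%s\n' "$_out" | grep -q 'Could not process rule: Operation not supported'; then
        echo broken
        return 1
    elif printf '%s\n' "$_out" | grep -q 'Error:'; then
        echo other
        return 2
    fi
    echo ok
    return 0
}

# count_rejected_rules: number of rules the kernel refused (nft prints one
# error line per rule), read from stdin. Prints 0 when there are none.
count_rejected_rules() {
    grep -c 'Could not process rule: Operation not supported' || true
}

# rejected_rule_lines: the "file:line:cols" locations nft reported, one per
# line, so the offending rules can be found in the ruleset file.
rejected_rule_lines() {
    sed -n 's/^\([^:]*:[0-9]*:[0-9-]*\): Error: Could not process rule: Operation not supported$/\1/p'
}

# write_test_ruleset FILE: the ruleset from the report, i.e. an anonymous
# chain bound to a rule via "jump { ... }" followed by a further rule.
write_test_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset

table inet filter {
        chain PREROUTING_RAW {
                type filter hook prerouting priority raw;

                tcp flags syn jump {
                        tcp option maxseg size 1-500 counter drop
                        tcp sport 0 counter drop
                }
                rt type 0 counter drop
        }
}
EOF
}

# check_nft: run the reproducer end to end. Exit status follows
# classify_nft_output (0 ok, 1 broken, 2 other error, 3 could not set up).
# Only meaningful as root with nft installed; -c validates the ruleset
# without committing it, so the running firewall is left untouched.
check_nft() {
    _nft=${NFT:-nft}
    _file=$(mktemp) || return 3
    write_test_ruleset "$_file"
    "$_nft" -c -f "$_file" 2>&1 | classify_nft_output
    _rc=$?
    rm -f "$_file"
    return $_rc
}
```

Run it as `sudo NFT=/usr/sbin/nft sh -c '. ./check_nft.sh; check_nft'` on the affected kernels: a broken nft prints "broken" and exits 1, a fixed one prints "ok". `count_rejected_rules` and `rejected_rule_lines` are meant for triaging a real ruleset that fails to load, fed with the output of `nft -c -f ruleset.nft 2>&1`.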


[Potential regressions]
Users' rulesets may fail to load or produce incorrect results, for example 
allowing or denying certain packets in their firewall.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Won't Fix

** Affects: nftables (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: linux (Ubuntu Jammy)
     Importance: Undecided
         Status: Won't Fix

** Affects: nftables (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: linux (Ubuntu Lunar)
     Importance: Undecided
         Status: Won't Fix

** Affects: nftables (Ubuntu Lunar)
     Importance: Undecided
         Status: New

** Also affects: linux (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Jammy)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2035285

Title:
  nft cannot load certain rulesets after kernel upgrade

Status in linux package in Ubuntu:
  Won't Fix
Status in nftables package in Ubuntu:
  New
Status in linux source package in Jammy:
  Won't Fix
Status in nftables source package in Jammy:
  New
Status in linux source package in Lunar:
  Won't Fix
Status in nftables source package in Lunar:
  New
