Package: iptables
Version: 1.8.1-2
Severity: grave
Justification: renders package unusable
Dear Maintainer,

installing and activating arno-iptables-firewall today resulted in blocking any outgoing network traffic. Investigations showed that the -f parameter is interpreted differently with iptables in comparison to iptables-legacy.

iptables-legacy behaves as described in the man page and as iptables 1.6.0+snapshot20161117-6 from stretch behaves:

       -f, --fragment
              This means that the rule only refers to second and further IPv4 fragments of fragmented packets.

iptables 1.8.1-2 in contrast seems to interpret -f as 'Apply this rule to all packets with the Don't Fragment flag set.'

Proof:

# Test with no rules
# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
# Warning: iptables-legacy tables present, use iptables-legacy to see them
# iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

# Ping with set Don't Fragment Flag works
# LANG=C ping -c1 -Mdo 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
64 bytes from 192.168.0.28: icmp_seq=1 ttl=64 time=4.16 ms

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.158/4.158/4.158/0.000 ms

# Ping with cleared Don't Fragment Flag works
# LANG=C ping -c1 -Mdont 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
64 bytes from 192.168.0.28: icmp_seq=1 ttl=64 time=3.98 ms

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.975/3.975/3.975/0.000 ms

# Test with rule meant to drop second and further fragments
# iptables -A OUTPUT -f -j DROP
# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A OUTPUT -f -j DROP
# Warning: iptables-legacy tables present, use iptables-legacy to see them
# iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

# Ping with set Don't Fragment Flag DOES NOT work
# LANG=C ping -c1 -Mdo 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
ping: sendmsg: Operation not permitted

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

# Ping with cleared Don't Fragment Flag works
# LANG=C ping -c1 -Mdont 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
64 bytes from 192.168.0.28: icmp_seq=1 ttl=64 time=4.56 ms

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.563/4.563/4.563/0.000 ms

# Test with iptables-legacy and rule meant to drop second and further fragments
# iptables -F
# iptables-legacy -F
# iptables-legacy -A OUTPUT -f -j DROP
# iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -f -j DROP

# Ping with set Don't Fragment Flag works
# LANG=C ping -c1 -Mdo 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
64 bytes from 192.168.0.28: icmp_seq=1 ttl=64 time=4.09 ms

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.091/4.091/4.091/0.000 ms

# Ping with cleared Don't Fragment Flag works
# LANG=C ping -c1 -Mdont 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
64 bytes from 192.168.0.28: icmp_seq=1 ttl=64 time=4.18 ms

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.179/4.179/4.179/0.000 ms

As most if not all network packets are sent with the Don't Fragment flag set, a rule using the -f parameter effectively blocks any network traffic. The current behavior renders a firewall like arno-iptables-firewall unusable.
Regards,
Sven

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.27-8
ii  libip4tc0                1.8.1-2
ii  libip6tc0                1.8.1-2
ii  libiptc0                 1.8.1-2
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl7                1.1.1-1
ii  libxtables12             1.8.1-2

iptables recommends no packages.

Versions of packages iptables suggests:
ii  kmod  25-1

-- no debconf information
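The two readings of -f that the report contrasts live in the same 16-bit field of the IPv4 header: the Don't Fragment bit (0x4000) versus the 13-bit fragment offset, which is non-zero only for second and further fragments. The following Python, added here as an illustration and not part of the bug report or of the iptables project, builds a few constructed IPv4 headers (a DF-set packet like ping -Mdo, a DF-clear one like ping -Mdont, a first fragment and a later fragment) and evaluates them under both rule semantics. It shows why a rule that matches on DF instead of on the fragment offset drops ordinary unfragmented traffic while letting real trailing fragments through. The header builder, field constants and sample names are this example's own; the checksum is left at zero since it is irrelevant to the match.

```python
"""Contrast the documented `iptables -f` match (second and further fragments)
with a match on the Don't Fragment bit, using constructed IPv4 headers.
Added example for illustration; not code from the bug report or iptables."""
import struct

# Bits of the 16-bit flags/fragment-offset field (bytes 6-7 of the header).
IP_DF = 0x4000       # Don't Fragment
IP_MF = 0x2000       # More Fragments
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units


def parse_frag_field(header: bytes):
    """Return (df, mf, offset) from a raw IPv4 header; rejects non-IPv4 input."""
    if len(header) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    field = struct.unpack("!H", header[6:8])[0]
    return bool(field & IP_DF), bool(field & IP_MF), field & IP_OFFMASK


def matches_fragment_rule(header: bytes) -> bool:
    """Documented -f semantics: only packets with a non-zero fragment offset."""
    _, _, offset = parse_frag_field(header)
    return offset != 0


def matches_df_rule(header: bytes) -> bool:
    """The behaviour the report observed: any packet with DF set matches."""
    df, _, _ = parse_frag_field(header)
    return df


def build_ipv4_header(df=False, mf=False, offset=0, total_length=84, proto=1):
    """Construct a minimal 20-byte IPv4 header (constructed sample, checksum 0).
    Addresses are the ones from the report's ping test; proto 1 is ICMP."""
    flags_offset = (IP_DF if df else 0) | (IP_MF if mf else 0) | (offset & IP_OFFMASK)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_length,      # version 4 / IHL 5, TOS, total length
        0x1234, flags_offset,       # identification, flags + fragment offset
        64, proto, 0,               # TTL, protocol, header checksum (unset)
        bytes([192, 168, 0, 1]), bytes([192, 168, 0, 28]),
    )


# Constructed samples mirroring the report's two ping variants plus two fragments.
SAMPLES = {
    "ping -Mdo (DF set, unfragmented)": build_ipv4_header(df=True),
    "ping -Mdont (DF clear, unfragmented)": build_ipv4_header(df=False),
    "first fragment (MF set, offset 0)": build_ipv4_header(mf=True, offset=0),
    "second fragment (offset 185)": build_ipv4_header(offset=185),
}


def compare(samples=SAMPLES):
    """Map each sample name to (documented -f matches, DF-based match matches)."""
    return {name: (matches_fragment_rule(h), matches_df_rule(h))
            for name, h in samples.items()}


if __name__ == "__main__":
    print(f"{'packet':40} {'-f documented':>14} {'-f as DF':>10}")
    for name, (frag, df) in compare().items():
        print(f"{name:40} {'DROP' if frag else 'pass':>14} {'DROP' if df else 'pass':>10}")
```

Running the block prints one row per sample: only the trailing fragment is dropped under the documented semantics, while the DF-based reading drops exactly the ping -Mdo packet and passes everything else, which matches the report's observation that -Mdo fails and -Mdont succeeds under iptables 1.8.1-2.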