Package: iptables
Version: 1.8.7-1
Severity: normal
Tags: patch

Dear Maintainers,
* What led up to the situation?

As a packet filter for a webserver, nftables is used via the xtables compatibility wrapper iptables by legacy scripts. They utilize "ip(6)tables" to populate rulesets, also defining sets and hashlimits. Since I am in the process of porting these scripts to the native nftables scripting environment, I was analyzing the chains as presented by "iptables (nf_tables variant)" and "nft".

* What exactly did you do (or not do) that was effective (or ineffective)?
* What was the outcome of this action?

Listing the INPUT chain with "iptables -L" succeeds:

...
root@host:~ # iptables -V
iptables v1.8.7 (nf_tables)
root@host:~ # iptables -nvL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source  destination
    0     0 DROP    all      *   *    ::/0    ::/0         rt type:0
88384 7886K ACCEPT  all      lo  *    ::/0    ::/0
14257  856K DROP    all      *   *    ::/0    ::/0         state INVALID
 4952  339K SET     all      *   *    ::/0    ::/0         state NEW ! match-set ipv6_scanned_ports src,dst limit: above 1/hour burst 5 mode srcip htable-expire 10000 add-set ipv6_port_scanners src exist
...

Listing the chain INPUT with "nft list ruleset" fails with SIGFPE:

...
root@host:~ # nft --version
nftables v0.9.8 (E.D.S.)
root@host:~# nft list chain ip6 filter INPUT
table ip6 filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                rt type 0 counter packets 0 bytes 0 drop
                iifname "lo" counter packets 88376 bytes 7885680 accept
                ct state invalid counter packets 14257 bytes 856062 drop
                ct state new # ! match-set ipv6_scanned_ports src,dst
Floating point exception (core dumped)
...

Recompiling the "iptables" package with debug symbols reveals:

Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b47ce9 in print_packets_rate_xlate () from /usr/lib/x86_64-linux-gnu/xtables/libxt_hashlimit.so

I suspect the divisions and modulo in extensions/libxt_hashlimit.c, print_packets_rate_xlate(), lines 1224f:

        xt_xlate_add(xl, " %" PRIu64 "/%s ",
                     _rates[i-1].mult / avg, _rates[i-1].name);

I do not understand why "avg" is zero if the ruleset is listed by "nft" and nonzero if listed by "iptables". If I normalize the value of avg to 1, as shown in the following patch, then the SIGFPE goes away, but the comment behind "ct state new" does not correctly reflect the iptables ruleset:

--- iptables-1.8.7.orig/extensions/libxt_hashlimit.c
+++ iptables-1.8.7/extensions/libxt_hashlimit.c
@@ -1218,11 +1218,11 @@ static void print_packets_rate_xlate(str
        for (i = 1; i < ARRAY_SIZE(rates); ++i)
                if (avg > _rates[i].mult ||
-                   _rates[i].mult / avg < _rates[i].mult % avg)
+                   _rates[i].mult / (avg ? avg : 1) < _rates[i].mult % (avg ? avg : 1))
                        break;
        xt_xlate_add(xl, " %" PRIu64 "/%s ",
-                    _rates[i-1].mult / avg, _rates[i-1].name);
+                    _rates[i-1].mult / (avg ? avg : 1), _rates[i-1].name);
 }

...
root@host:~# nft list chain ip6 filter INPUT
table ip6 filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                rt type 0 counter packets 0 bytes 0 drop
                iifname "lo" counter packets 88440 bytes 7891400 accept
                ct state invalid counter packets 14262 bytes 856362 drop
                ct state new # ! match-set ipv6_scanned_ports src,dst meter portscan { timeout 0s limit rate 10000/second burst 0 packets} counter packets 4952 bytes 339382 # add-set ipv6_port_scanners src exist
...

* What outcome did you expect instead?

I do not expect informational comments in "nft list ..." to reflect any legacy/non-portable properties of an ip6tables ruleset, but I expect "nft list ..." to list the effective nftables ruleset.

Kind regards,
Tilman

-- System Information:
Debian Release: 11.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.31-13
ii  libip4tc2                1.8.7-1
ii  libip6tc2                1.8.7-1
ii  libmnl0                  1.0.4-3
ii  libnetfilter-conntrack3  1.0.8-3
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.9-1
ii  libxtables12             1.8.7-1
ii  netbase                  6.3

Versions of packages iptables recommends:
ii  nftables                 0.9.8-3.1

Versions of packages iptables suggests:
pn  firewalld                <none>
ii  kmod                     28-1

-- no debconf information
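Review bot: the `(avg ? avg : 1)` substitution in the comparison and again in the final division silences the SIGFPE but prints a rate that exists in no ruleset, and the output quoted right after the hunk shows why the guard is aimed at the wrong place: the rule that `iptables -nvL` lists as `limit: above 1/hour burst 5 mode srcip htable-expire 10000` is translated as `meter portscan { timeout 0s limit rate 10000/second burst 0 packets}`, so burst and expire arrive as zero alongside avg. Three zeroed fields point at the xlate callback being handed a zeroed or mislaid match structure (wrong revision or data offset on the nft side), not at a rule whose avg is legitimately 0. With avg forced to 1 the loop never takes the `break` (1 exceeds no multiplier and `mult % 1` is always 0), so `i` runs off the end of the table and `_rates[i-1].mult / 1` prints the per-second scale constant itself as the rate. Suggest a single early check at the top of print_packets_rate_xlate() that returns without emitting a rate (or emits a `#` comment marking the match as untranslated) when `avg == 0`, instead of duplicating the ternary in two expressions, and keeping the patch as a crash stop while the zeroed input is chased down in nft's xtables compat path.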
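To make the unit-selection loop from the report concrete, here is a stand-alone reimplementation (added example, not code from the report or from iptables) that encodes a user-space "N/unit" option into the hashlimit avg value, translates it back with the same break condition as print_packets_rate_xlate(), and refuses avg == 0 instead of normalizing it. The rate table is an assumption taken from libxt_hashlimit.c's revision-1 constant XT_HASHLIMIT_SCALE = 10000 (the per-second multiplier that produced the "10000/second" line in the report); the names HL_SCALE, rate_xlate() and rate_encode() are this example's own.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the revision-1 hashlimit match stores its rate as
 * SCALE / packets-per-second with SCALE = 10000 (XT_HASHLIMIT_SCALE). */
#define HL_SCALE 10000ULL

struct rate_unit {
	const char *name;
	uint64_t mult;   /* avg value that means "1 packet per <name>" */
};

/* Descending order matters: the loop walks from the coarsest unit to the
 * finest one, like the loop quoted in the bug report. */
static const struct rate_unit units[] = {
	{ "day",    HL_SCALE * 24 * 60 * 60 },
	{ "hour",   HL_SCALE * 60 * 60 },
	{ "minute", HL_SCALE * 60 },
	{ "second", HL_SCALE },
};
#define NUNITS (sizeof(units) / sizeof(units[0]))

/* Render a hashlimit avg as "N/unit". Returns 0 on success and -1 for
 * avg == 0, which no loaded rule can carry and which would otherwise divide
 * by zero; the caller decides how to flag the untranslatable match. */
int rate_xlate(uint64_t avg, char *out, size_t outlen)
{
	size_t i;

	if (avg == 0) {
		snprintf(out, outlen, "<untranslatable: avg == 0>");
		return -1;
	}

	/* Same rule as libxt_hashlimit: stop at the first unit that avg is too
	 * coarse for (avg above one-per-unit) or where the integer quotient
	 * would be smaller than the remainder it throws away, then print the
	 * previous, coarser unit. */
	for (i = 1; i < NUNITS; ++i)
		if (avg > units[i].mult ||
		    units[i].mult / avg < units[i].mult % avg)
			break;

	snprintf(out, outlen, "%" PRIu64 "/%s",
		 units[i - 1].mult / avg, units[i - 1].name);
	return 0;
}

/* The avg value a user-space "N/unit" option is encoded as (0 on bad unit). */
uint64_t rate_encode(uint64_t n, const char *unit)
{
	size_t i;

	if (n == 0)
		return 0;
	for (i = 0; i < NUNITS; ++i)
		if (strcmp(units[i].name, unit) == 0)
			return units[i].mult / n;
	return 0;
}

int main(void)
{
	/* Constructed inputs: the report's "1/hour", a 5/hour variant, the
	 * zeroed value nft apparently hands over, and the avg := 1 the patch
	 * substitutes for that zero. */
	uint64_t samples[] = { rate_encode(1, "hour"), rate_encode(5, "hour"), 0, 1 };
	char buf[64];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i) {
		int rc = rate_xlate(samples[i], buf, sizeof buf);
		printf("avg=%-10" PRIu64 " -> %s%s\n", samples[i], buf,
		       rc ? " (refused)" : "");
	}
	return 0;
}
```

Running it shows the two faces of the bug side by side: avg 36000000 comes back as 1/hour, avg 0 is refused, and avg 1 (the patch's normalization) walks past every unit and prints 10000/second, the scale constant rather than a rate.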