** Description changed:

  physdev iptables match was broken in a stable update.
- A fix is described in upstream releases 5.15.109 and 6.1.26
+
+ A fix was already committed in upstream releases
+ 5.4.242
+ 5.15.109
+ 6.1.26
+ 6.2.13 / LP: #2023929

  == Regression details ==

  Discovered in version: 5.19.0-42.43~22.04.1
  Last known good version: 5.19.0-41.42~22.04.1

  How to tell?
  Add & use a bridge interface, add catchall filter (no -j ACTION needed)
  see if *any* bridge traffic is tracked:
  # iptables -A INPUT -m physdev --physdev-in + -m comment --comment "watch me"
  # iptables -nvL INPUT | grep watch

  The match behaves as if the matched packets were not bridge traffic,
  and consistently so: negation works.

  Security impact highly depends on rule design. KVM hosts, probably.

- LP: #2015511
- LP: #2012665
+ bug introduced, bridge info discarded
+ 5.4.232   dffe83a198a6c293155f99958e51ab84442424c5  LP: #2011625
+ 5.15.93   89a69216f17005e28bd9a333662dcb3247dd0f56  LP: #2015511
+ 6.1.11    a1512f11ec02458c0986f169f29c90a92c150cc4  LP: #2012665
+ 6.2       2b272bb558f1d3a5aa95ed8a82253786fd1a48ba
+ netfilter: br_netfilter: disable sabotage_in hook after first suppression

- bridge info discarded after 2b272bb558f1d3a5aa95ed8a82253786fd1a48ba
- "netfilter: br_netfilter: disable sabotage_in hook after first suppression"
-
- bridge info no longer discarded after 94623f579ce338b5fa61b5acaa5beb8aa657fb9e
- "netfilter: br_netfilter: fix recent physdev match breakage"
+ fixed, bridge info no longer discarded
+ 5.4.242   36f098e1e4d1a372329c6244b220047a19e60dbd
+ 5.15.109  cb9b96c154a10dd4802b82281c9246eabe081026
+ 6.1.26    ea854a25c8327f51f7ff529b745794a985185563
+ 6.2.13    22134b86de9c2afe28e1f406062cd93bdcac4149
+ master    94623f579ce338b5fa61b5acaa5beb8aa657fb9e
+ netfilter: br_netfilter: fix recent physdev match breakage

  related module names: xt_physdev nft_meta_bridge br_netfilter
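The "How to tell?" check above, as an added example that is not part of the bug report: a POSIX sh helper that parses a saved `iptables -nvL INPUT` listing and reports whether the "watch me" catch-all physdev rule has counted any packets. The two listings embedded here are constructed samples; the column layout assumed (pkts first, comment rendered as `/* watch me */`) is that of `iptables -nvL`.

```shell
#!/bin/sh
# Added example (not from the bug report): classify an `iptables -nvL INPUT`
# listing by the packet counter of the "watch me" physdev catch-all rule.
# A zero counter after bridge traffic has flowed is consistent with the
# regression described in the report.

# Constructed sample: physdev matching works, the rule counts packets.
SAMPLE_OK='Chain INPUT (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination
  842  61K             all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in + /* watch me */'

# Constructed sample: bridge info discarded, the rule never matches.
SAMPLE_BROKEN='Chain INPUT (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in + /* watch me */'

# physdev_watch_pkts LISTING -> packet count of the first "watch me" rule,
# empty if no such rule is present. The pkts column is field 1 even when
# the target column is blank (no -j ACTION), so awk's $1 is safe here.
physdev_watch_pkts() {
    printf '%s\n' "$1" | awk '/watch me/ { print $1; exit }'
}

# physdev_status LISTING -> "ok"      the rule counted bridge traffic
#                           "suspect" counter is zero (regression pattern)
#                           "missing" no "watch me" rule in the listing
physdev_status() {
    pkts=$(physdev_watch_pkts "$1")
    if [ -z "$pkts" ]; then
        echo missing
    elif [ "$pkts" -gt 0 ] 2>/dev/null; then
        echo ok
    else
        echo suspect
    fi
}

# Live use on a host with an active bridge (needs root):
#   physdev_status "$(iptables -nvL INPUT)"
```

Run the live form only after bridge traffic has actually crossed the host, since a fresh rule reads zero on a healthy kernel too.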
** Patch added: "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=94623f579ce338b5fa61b5acaa5beb8aa657fb9e"
   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=94623f579ce338b5fa61b5acaa5beb8aa657fb9e

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2020524

Title:
  iptables physdev match broken via upstream stable patchset 2023-04-06 / v5.15.93, fixed upstream in 5.15.109

Status in linux package in Ubuntu:
  Fix Committed