This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 2035285

and then change the status of the bug to 'Confirmed'. If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'. This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

** Changed in: linux (Ubuntu)
       Status: New => Incomplete

** Changed in: linux (Ubuntu Jammy)
       Status: New => Incomplete

** Changed in: linux (Ubuntu Lunar)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2035285

Title:
  nft cannot load certain rulesets after kernel upgrade

Status in linux package in Ubuntu:
  Won't Fix
Status in nftables package in Ubuntu:
  Invalid
Status in linux source package in Jammy:
  Won't Fix
Status in nftables source package in Jammy:
  New
Status in linux source package in Lunar:
  Won't Fix
Status in nftables source package in Lunar:
  New

Bug description:
  [Impact]

  After kernel fixes for CVE-2023-4147/CVE-2023-3995 were applied, the kernel nftables module does not accept certain bogus rules that were built by the nft tool. A fix for nft was provided to produce rules as now expected by the kernel.
  [Test case]

  Running nftables testcase 0041chain_binding_0 on linux-5.15.0-83-generic or linux-6.2.0-32-generic will show the following error:

  ubuntu@jammy2:~/nftables-1.0.2/tests/shell$ sudo NFT=/usr/sbin/nft ./run-tests.sh -g ./testcases/chains/0041chain_binding_0
  I: using nft command: /usr/sbin/nft
  W: [FAILED]     ./testcases/chains/0041chain_binding_0: got 1
  /dev/stdin:5:25-95: Error: Could not process rule: Operation not supported
                          ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter accept
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  /dev/stdin:6:25-56: Error: Could not process rule: Operation not supported
                          ip6 saddr ::1/128 counter accept
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  I: results: [OK] 0 [FAILED] 1 [TOTAL] 1

  The expected result is:

  ubuntu@jammy2:~/nftables-1.0.2/tests/shell$ sudo NFT=/usr/sbin/nft ./run-tests.sh -g ./testcases/chains/0041chain_binding_0
  I: using nft command: /usr/sbin/nft
  I: [OK]         ./testcases/chains/0041chain_binding_0
  I: results: [OK] 1 [FAILED] 0 [TOTAL] 1

  Another test case is trying to run nft -f test.nft with the following contents on test.nft:

  #!/usr/sbin/nft -f

  flush ruleset

  table inet filter {
  	chain PREROUTING_RAW {
  		type filter hook prerouting priority raw;

  		tcp flags syn jump {
  			tcp option maxseg size 1-500 counter drop
  			tcp sport 0 counter drop
  		}
  		rt type 0 counter drop
  	}
  }

  A broken nft will produce:

  ./test.nft:10:4-44: Error: Could not process rule: Operation not supported
  			tcp option maxseg size 1-500 counter drop
  			^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ./test.nft:11:4-27: Error: Could not process rule: Operation not supported
  			tcp sport 0 counter drop
  			^^^^^^^^^^^^^^^^^^^^^^^^

  A fixed nft will produce no output, but a following 'nft list ruleset' command will show:

  table inet filter {
  	chain PREROUTING_RAW {
  		type filter hook prerouting priority raw; policy accept;
  		tcp flags syn jump {
  			tcp option maxseg size 1-500 counter packets 0 bytes 0 drop
  			tcp sport 0 counter packets 0 bytes 0 drop
  		}
  		rt type 0 counter packets 0 bytes 0 drop
  	}
  }

  [Potential regressions]

  Users' rulesets may fail to load or produce incorrect results, like allowing or denying certain packages in their firewall, for example.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2035285/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
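The two test cases above both boil down to the same check: load a ruleset with an anonymous chain binding and see whether the kernel answers "Operation not supported". The script below is an added example, not part of the bug report or of the nftables test suite. It wraps that check so an administrator can run it after a kernel or nftables upgrade without touching the live firewall: the chain from test.nft is loaded into a dedicated scratch table (the table name `lp2035285_check` is a constructed placeholder) instead of after `flush ruleset`, the table is deleted again whatever the outcome, and nft's stderr is classified by the parsing helpers. Those helpers are also exercised offline against the broken-nft output quoted in the report, so the script is usable without root or nft installed (it then reports "skipped" for the live part).

```shell
#!/bin/sh
# Added regression check for the symptom in LP#2035285 (nft rules refused by the
# kernel with "Operation not supported"). Not part of the bug report; the scratch
# table name is a constructed placeholder so the host ruleset is never flushed.

# Same chain structure as test.nft in the report, minus 'flush ruleset' and in a
# dedicated table that can be removed afterwards.
SCRATCH_TABLE='inet lp2035285_check'
RULESET="table $SCRATCH_TABLE {
	chain PREROUTING_RAW {
		type filter hook prerouting priority raw;
		tcp flags syn jump {
			tcp option maxseg size 1-500 counter drop
			tcp sport 0 counter drop
		}
		rt type 0 counter drop
	}
}"

# Sample stderr, copied from the "broken nft" output quoted in the bug report,
# used to exercise the parsing helpers without loading anything.
SAMPLE_BROKEN_STDERR='./test.nft:10:4-44: Error: Could not process rule: Operation not supported
			tcp option maxseg size 1-500 counter drop
			^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
./test.nft:11:4-27: Error: Could not process rule: Operation not supported
			tcp sport 0 counter drop
			^^^^^^^^^^^^^^^^^^^^^^^^'

# classify_nft_errors STDERR_TEXT
# Prints "affected" when nft reports the kernel refusing rules with
# "Operation not supported" (the symptom in this bug), "ok" when nft produced
# no errors at all, and "other" for any unrelated failure (syntax error, ...).
classify_nft_errors() {
    if [ -z "$1" ]; then
        echo ok
    elif printf '%s\n' "$1" | grep -q 'Operation not supported'; then
        echo affected
    else
        echo other
    fi
}

# count_refused_rules STDERR_TEXT
# Prints how many "Could not process rule" lines nft emitted, i.e. how many
# rules of the batch the kernel rejected (grep -c prints 0 on no match).
count_refused_rules() {
    printf '%s\n' "$1" | grep -c 'Could not process rule' || true
}

# run_check
# Loads the scratch table with 'nft -f -' (stdin), classifies the result and
# removes the table again. Needs root and nft; prints "skipped" otherwise so it
# can be wired into a post-upgrade check without failing on unprivileged hosts.
run_check() {
    if ! command -v nft >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo skipped
        return 0
    fi
    # Capture stderr only; a successful load prints nothing.
    errors=$(printf '%s\n' "$RULESET" | nft -f - 2>&1 >/dev/null) || true
    verdict=$(classify_nft_errors "$errors")
    # A failed batch is rolled back by the kernel, so the table may not exist;
    # ignore that error and only remove the table when the load was committed.
    nft delete table $SCRATCH_TABLE 2>/dev/null || true
    if [ "$verdict" = affected ]; then
        echo "affected: kernel refused $(count_refused_rules "$errors") rule(s); update nft"
    else
        echo "$verdict"
    fi
}

# Run the live check only when asked, e.g. `sudo sh check.sh --run`.
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Usage: `sudo sh check.sh --run` prints `ok` on a matching kernel/nft pair, `affected: kernel refused 2 rule(s); update nft` on the combination described in the report, and `skipped` when run without root or without nft. The load is a single netlink batch, so on the affected combination nothing is committed and the scratch table never appears in `nft list ruleset`; on a fixed nft the table is created and then deleted in the same run, leaving the host ruleset unchanged either way.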