bugzilla-daemon at netfilter.org
2019-Dec-04 00:53 UTC
[Bug 1385] New: Incorrectly evaluated expression with negated ip saddr and negated ip daddr
https://bugzilla.netfilter.org/show_bug.cgi?id=1385
Bug ID: 1385
Summary: Incorrectly evaluated expression with negated ip saddr and negated ip daddr
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: spam.fa.ku at gmail.com
Version 0.9.0 on Debian Buster (x86_64) as well as Raspbian Buster Lite (RPi 4B).
I noticed that when an expression contains both an ip daddr and an ip saddr
subexpression and both are negated, it seems as if only one of them needs to
match for the whole expression to match.
The following example triggers the bug:
    define my_address = <IPv4 address>
    define some_other_address = 1.2.3.4

    table ip filter {
        chain output {
            type filter hook output priority 0; policy accept;
            ip saddr != $my_address drop
            ip saddr != $my_address ip daddr != $some_other_address log group 1 queue-threshold 1
        }
    }
Because the first rule already drops all traffic which is not coming from
my_address, the second one, which contains the same condition, should never
match.
However, packets with source address = my_address can still be obtained in the
log (I used ulogd2).
The bug seems to be gone in higher versions (tested with 0.9.2 on
debian-testing).
This might be a somewhat special case, but because this is the version which is
supported by the current stable Debian and probably others, it might affect
some others as well.
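A way to check a running kernel for the behaviour described in this report, added here as an example (it is not part of the bug report and not nftables project code): the reporter's two rules rebuilt with `counter` in place of `log`, plus a parser for `nft -j list ruleset` output that reads the counter on the double-negation rule. The chain name `negcheck` and the JSON layout (an `nftables` array of `{"rule": {"chain": ..., "expr": [{"match": ...}, {"counter": ...}]}}` objects) are assumptions.

```python
"""Diagnostic for the negated saddr/daddr evaluation bug (added example).

Rule 1 drops every packet not from my_address, so only packets from
my_address can reach rule 2, and for those `ip saddr != my_address` is
false.  With correct AND semantics rule 2 can never match; a non-zero
counter on rule 2 means the two negated matches were not both required.
"""
import json

CHAIN = "negcheck"  # assumed name for the diagnostic chain


def diagnostic_ruleset(my_address: str, other_address: str) -> str:
    """nft script mirroring the reporter's rules, with counters instead of log."""
    return f"""table ip filter {{
    chain {CHAIN} {{
        type filter hook output priority 0; policy accept;
        ip saddr != {my_address} counter drop
        ip saddr != {my_address} ip daddr != {other_address} counter
    }}
}}
"""


def _negated_addr_matches(rule: dict) -> int:
    """Count `ip saddr != X` / `ip daddr != Y` expressions in one JSON rule."""
    n = 0
    for expr in rule.get("expr", []):
        m = expr.get("match")
        if m and m.get("op") == "!=":
            payload = m.get("left", {}).get("payload", {})
            if payload.get("protocol") == "ip" and payload.get("field") in ("saddr", "daddr"):
                n += 1
    return n


def bug_present(nft_json: str) -> bool:
    """Parse `nft -j list ruleset` output (assumed layout, see above); True if
    the rule carrying two negated address matches has counted any packets."""
    for item in json.loads(nft_json).get("nftables", []):
        rule = item.get("rule")
        if not rule or rule.get("chain") != CHAIN:
            continue
        if _negated_addr_matches(rule) == 2:
            for expr in rule["expr"]:
                if "counter" in expr:
                    return expr["counter"]["packets"] > 0
    return False


if __name__ == "__main__":
    print(diagnostic_ruleset("192.0.2.10", "1.2.3.4"))  # 192.0.2.10 is a constructed sample address
```

Load the printed script with `nft -f`, send any traffic from my_address to a destination other than other_address, then feed `nft -j list ruleset` to `bug_present()`.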
bugzilla-daemon at netfilter.org
2019-Dec-04 09:00 UTC
[Bug 1385] Incorrectly evaluated expression with negated ip saddr and negated ip daddr
https://bugzilla.netfilter.org/show_bug.cgi?id=1385
Pablo Neira Ayuso <pablo at netfilter.org> changed:
    Status: NEW -> ASSIGNED
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
You can also install nftables from the Debian backports repository, which offers 0.9.2 (at the time I'm writing this).
bugzilla-daemon at netfilter.org
2020-Apr-15 22:24 UTC
[Bug 1385] Incorrectly evaluated expression with negated ip saddr and negated ip daddr
https://bugzilla.netfilter.org/show_bug.cgi?id=1385
Pablo Neira Ayuso <pablo at netfilter.org> changed:
    Resolution: --- -> FIXED
    Status: ASSIGNED -> RESOLVED