bugzilla-daemon at netfilter.org
2019-Dec-04 00:53 UTC
[Bug 1385] New: Incorrectly evaluated expression with negated ip saddr and negated ip daddr
https://bugzilla.netfilter.org/show_bug.cgi?id=1385

Bug ID: 1385
Summary: Incorrectly evaluated expression with negated ip saddr and negated ip daddr
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: spam.fa.ku at gmail.com

Version 0.9.0 on Debian Buster (x86_64) as well as Raspbian Buster Lite (RPi 4B).

I noticed that when an expression contains both an ip daddr and an ip saddr subexpression and both are negated, it seems as if only one of them needs to match for the whole expression to match.

The following example triggers the bug:

    define my_address = <IPv4 address>
    define some_other_address = 1.2.3.4

    table ip filter {
        chain output {
            type filter hook output priority 0; policy accept;
            ip saddr != $my_address drop
            ip saddr != $my_address ip daddr != $some_other_address log group 1 queue-threshold 1
        }
    }

Because the first rule already drops all traffic which is not coming from my_address, the second one, which contains the same condition, should never match. However, packets with source address = my_address can still be obtained in the log (I used ulogd2).

The bug seems to be gone in higher versions (tested with 0.9.2 on debian-testing).

This might be a somewhat special case, but because this is the version which is supported by the current stable Debian and probably others, it might affect some others as well.

-- 
You are receiving this mail because: You are watching all bug changes.
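As an added example (not code from the bug report or from the nftables project), the script below shows a way to confirm an observation like the reporter's without relying on the log path: it emits the same two output rules with a `counter` statement on each, parses the listing that `nft list chain ip filter output` prints, and flags any rule that an earlier terminal rule already shadows but that still counted packets. The address 192.0.2.10 is a placeholder for the reporter's `<IPv4 address>`, the sample listing is constructed, and the match-atom splitting is a simplified subset of nft syntax; all three are assumptions of this example.

```python
"""Counter-based check for a rule that should be unreachable.

Added example, not code from the bug report or from nftables. It reproduces
the reporter's two output rules with a `counter` on each, then reads an
`nft list chain` listing and flags any rule that an earlier terminal rule
already shadows but that nonetheless counted packets.
"""
import re
import shutil
import subprocess

MY_ADDRESS = "192.0.2.10"    # assumption: stand-in for the reporter's <IPv4 address>
OTHER_ADDRESS = "1.2.3.4"    # some_other_address from the report

TERMINAL_VERDICTS = {"drop", "accept", "reject"}
# Keywords that begin a match atom in nft syntax; a simplified subset (assumption).
ATOM_START = {"ip", "ip6", "tcp", "udp", "icmp", "meta", "ct",
              "iif", "oif", "iifname", "oifname"}


def build_ruleset(my_address=MY_ADDRESS, other_address=OTHER_ADDRESS):
    """Text for `nft -f`: the reporter's rules, each with a counter attached."""
    return (
        "table ip filter {\n"
        "    chain output {\n"
        "        type filter hook output priority 0; policy accept;\n"
        f"        ip saddr != {my_address} counter drop\n"
        f"        ip saddr != {my_address} ip daddr != {other_address} "
        "counter log group 1 queue-threshold 1\n"
        "    }\n"
        "}\n"
    )


# `nft list chain` prints each counter inline as "counter packets N bytes M".
_RULE_RE = re.compile(
    r"^\s*(?P<match>.*?)\s*counter packets (?P<pkts>\d+) bytes (?P<bytes>\d+)\s*(?P<stmt>.*?)\s*$"
)


def parse_counters(listing):
    """Return one dict per counted rule, in chain order."""
    rules = []
    for line in listing.splitlines():
        m = _RULE_RE.match(line)
        if m:
            rules.append({"match": m["match"], "packets": int(m["pkts"]),
                          "bytes": int(m["bytes"]), "stmt": m["stmt"]})
    return rules


def match_atoms(expr):
    """Split 'ip saddr != A ip daddr != B' into its conjunction of atoms."""
    atoms, cur = [], []
    for tok in expr.split():
        if tok in ATOM_START and cur:
            atoms.append(" ".join(cur))
            cur = []
        cur.append(tok)
    if cur:
        atoms.append(" ".join(cur))
    return frozenset(atoms)


def shadowed_rules(rules):
    """(j, i) pairs: rule j is unreachable because an earlier rule i ends in a
    terminal verdict and matches everything j matches (i's atoms are a subset
    of j's conjunction). First match wins within a chain, so j never runs."""
    out = []
    for j, rj in enumerate(rules):
        atoms_j = match_atoms(rj["match"])
        for i in range(j):
            ri = rules[i]
            verdict = ri["stmt"].split()[-1] if ri["stmt"] else ""
            if verdict in TERMINAL_VERDICTS and match_atoms(ri["match"]) <= atoms_j:
                out.append((j, i))
                break
    return out


def unexpected_hits(rules):
    """Shadowed rules whose counter is non-zero: the symptom the report
    describes (or a ruleset that is not what you think it is)."""
    return [(j, rules[j]["packets"]) for j, _ in shadowed_rules(rules)
            if rules[j]["packets"] > 0]


# Constructed listing in the format `nft list chain ip filter output` prints,
# showing what the reporter observed: the second rule counted packets.
SAMPLE_LISTING = """\
table ip filter {
\tchain output {
\t\ttype filter hook output priority 0; policy accept;
\t\tip saddr != 192.0.2.10 counter packets 12 bytes 1008 drop
\t\tip saddr != 192.0.2.10 ip daddr != 1.2.3.4 counter packets 3 bytes 252 log group 1 queue-threshold 1
\t}
}
"""


def live_listing():
    """Read the real chain if nft is installed and runnable here; else None."""
    if shutil.which("nft") is None:
        return None
    r = subprocess.run(["nft", "list", "chain", "ip", "filter", "output"],
                       capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else None


if __name__ == "__main__":
    listing = live_listing() or SAMPLE_LISTING
    rules = parse_counters(listing)
    for j, i in shadowed_rules(rules):
        print(f"rule {j} is shadowed by terminal rule {i}")
    print("unexpected hits:", unexpected_hits(rules))
```

To use it against a real box, write `build_ruleset()` to a file, load it as root with `nft -f`, generate some outbound traffic, and run the script; with nft installed it reads the live chain, otherwise it falls back to the constructed listing. On a correctly behaving kernel the shadowed rule stays at zero packets; a non-zero count on it is the reporter's symptom, with the counter as evidence instead of the ulogd2 log.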
bugzilla-daemon at netfilter.org
2019-Dec-04 09:00 UTC
[Bug 1385] Incorrectly evaluated expression with negated ip saddr and negated ip daddr
https://bugzilla.netfilter.org/show_bug.cgi?id=1385

Pablo Neira Ayuso <pablo at netfilter.org> changed:

What      |Removed   |Added
----------------------------
Status    |NEW       |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
You can also install nftables from the Debian backports repository, which offers 0.9.2 (at the time I'm writing this).
bugzilla-daemon at netfilter.org
2020-Apr-15 22:24 UTC
[Bug 1385] Incorrectly evaluated expression with negated ip saddr and negated ip daddr
https://bugzilla.netfilter.org/show_bug.cgi?id=1385

Pablo Neira Ayuso <pablo at netfilter.org> changed:

What        |Removed   |Added
------------------------------
Resolution  |---       |FIXED
Status      |ASSIGNED  |RESOLVED