bugzilla-daemon at netfilter.org
2016-Jun-07  12:05 UTC
[Bug 1073] New: inet-service vs icmp conflict
https://bugzilla.netfilter.org/show_bug.cgi?id=1073
            Bug ID: 1073
           Summary: inet-service vs icmp conflict
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: frederik.schwan at linux.com
netfilter v0.6
what does not work:
table inet filter {
  chain input {
    icmp type echo-request limit rate 10/second accept
    icmpv6 type echo-request limit rate 10/second accept
  }
}
gives an "Error: conflicting protocols specified: inet-service vs. icmp"
fix:
table inet filter {
  chain input {
    meta nfproto ipv4 icmp type echo-request limit rate 10/second accept
    meta nfproto ipv6 icmpv6 type echo-request limit rate 10/second accept
  }
}
Is this behavior intentional?
Related conversations:
http://www.spinics.net/lists/netfilter/msg55433.html
http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.devel/53202
-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20160607/cbcee584/attachment.html>
bugzilla-daemon at netfilter.org
2016-Jun-07  12:06 UTC
[Bug 1073] inet-service vs icmp conflict
https://bugzilla.netfilter.org/show_bug.cgi?id=1073
frederik.schwan at linux.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |frederik.schwan at linux.com
bugzilla-daemon at netfilter.org
2016-Jun-09  12:11 UTC
[Bug 1073] inet-service vs icmp conflict
https://bugzilla.netfilter.org/show_bug.cgi?id=1073
Arturo Borrero Gonzalez <arturo.borrero.glez at gmail.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |arturo.borrero.glez at gmail.com
--- Comment #1 from Arturo Borrero Gonzalez <arturo.borrero.glez at gmail.com> ---
The bug is present in even a more obvious way:
% nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type nd-neighbor-solicit --debug=netlink
inet t c 
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 1b @ network header + 6 => reg 1 ]
  [ cmp eq reg 1 0x0000003a ]
  [ payload load 1b @ transport header + 0 => reg 1 ]
  [ cmp eq reg 1 0x00000087 ]
However: 
% nft list ruleset --debug=netlink
inet t c 14 
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 1b @ network header + 6 => reg 1 ]
  [ cmp eq reg 1 0x0000003a ]
  [ payload load 1b @ transport header + 0 => reg 1 ]
  [ cmp eq reg 1 0x00000087 ]
table inet t {
    chain c {
        icmpv6 type nd-neighbor-solicit
    }
}
% nft add rule inet t c icmpv6 type nd-neighbor-solicit
<cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6
add rule inet t c icmpv6 type nd-neighbor-solicit
                  ^^^^^^^^^^^
The rule produced by listing can't be added again.
bugzilla-daemon at netfilter.org
2016-Jun-09  16:19 UTC
[Bug 1073] inet-service vs icmp conflict
https://bugzilla.netfilter.org/show_bug.cgi?id=1073
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Created attachment 478
  --> https://bugzilla.netfilter.org/attachment.cgi?id=478&action=edit
tentative fix
bugzilla-daemon at netfilter.org
2016-Jun-09  16:20 UTC
[Bug 1073] inet-service vs icmp conflict
https://bugzilla.netfilter.org/show_bug.cgi?id=1073
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
The following patch that I'm attaching seems to work here.
However, this generates slightly loose bytecode:
# nft --debug=netlink add rule inet x y icmpv6 type 1
inet x y 
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x0000003a ]
  [ payload load 1b @ transport header + 0 => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
Note that meta load l4proto fetches the layer 4 protocol number. Hopefully,
ICMPv6 has its own protocol number, different from ICMPv4. But still, this rule
allows IPv4 packets using the icmpv6 protocol number to go through when the inet
family is used, which is not correct.
In this particular case, I think payload_add_dependency() should generate a
double dependency. Let me revisit this.
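To make the "loose bytecode" point in comment #3 concrete, here is an added example; it is not nftables code and was not posted by anyone in this bug. It is a small Python model of the three instruction shapes that appear in the --debug=netlink listings in this thread (meta load, payload load, cmp eq) running on a one-register machine, applied to packets constructed inline. The tuple encoding of the rules, the Packet class, the minimal IPv4/IPv6 headers and the packet labels are this example's own assumptions; the constants (nfproto 2/10, protocol 1/58, transport byte 0 for the ICMP type) are the values visible in the listings. It compares the l4proto-only dependency chain from comment #3 with the nfproto plus next-header chain from comment #1 for the same `icmpv6 type 1` rule.

```python
"""Toy evaluator for the nft --debug=netlink listings quoted in this bug.

This is an added example, not nftables code. It models only the three
instruction shapes that appear in the listings above (meta load,
payload load, cmp eq) over a one-register machine, and constructs the
packets it runs them against. IPv6 extension headers are not walked.
"""
from dataclasses import dataclass

# Constants as they appear in the listings: NFPROTO_IPV4=2, NFPROTO_IPV6=10,
# IPPROTO_ICMP=1, IPPROTO_ICMPV6=58 (0x3a).
NFPROTO_IPV4, NFPROTO_IPV6 = 2, 10
IPPROTO_ICMP, IPPROTO_ICMPV6 = 1, 58


@dataclass
class Packet:
    nfproto: int      # family the packet was received with (meta nfproto)
    network: bytes    # raw IP header
    transport: bytes  # raw transport header (ICMP type, code, ...)

    def l4proto(self):
        """What 'meta l4proto' reads: the protocol field of whichever IP
        header is really present (IPv4 byte 9, IPv6 byte 6)."""
        return self.network[9] if self.nfproto == NFPROTO_IPV4 else self.network[6]


def ipv4_packet(protocol, transport):
    """Constructed minimal 20-byte IPv4 header; byte 9 is the protocol field."""
    hdr = bytes([0x45, 0, 0, 20 + len(transport), 0, 0, 0, 0, 64, protocol,
                 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
    return Packet(NFPROTO_IPV4, hdr, transport)


def ipv6_packet(next_header, transport):
    """Constructed minimal 40-byte IPv6 header; byte 6 is the next-header field."""
    hdr = bytes([0x60, 0, 0, 0, 0, len(transport), next_header, 64])
    hdr += bytes.fromhex("fe800000000000000000000000000001")  # src
    hdr += bytes.fromhex("ff020000000000000000000000000001")  # dst
    return Packet(NFPROTO_IPV6, hdr, transport)


def icmpv6_type_rule(icmp_type, with_family_dependency):
    """Dependency chain for 'icmpv6 type <n>' in the inet family.

    with_family_dependency=False is the loose form from comment #3
    (meta l4proto only); True is the form from comment #1, which pins
    the family and the IPv6 next-header byte before the type check.
    """
    if with_family_dependency:
        deps = [("meta", "nfproto"), ("cmp_eq", NFPROTO_IPV6),
                ("payload", "network", 6), ("cmp_eq", IPPROTO_ICMPV6)]
    else:
        deps = [("meta", "l4proto"), ("cmp_eq", IPPROTO_ICMPV6)]
    return deps + [("payload", "transport", 0), ("cmp_eq", icmp_type)]


def matches(program, pkt):
    """Run a program: loads set the single register, a failed 'cmp eq'
    ends the rule without a match, falling off the end is a match."""
    reg = None
    for insn in program:
        kind = insn[0]
        if kind == "meta":
            reg = pkt.nfproto if insn[1] == "nfproto" else pkt.l4proto()
        elif kind == "payload":
            base = pkt.network if insn[1] == "network" else pkt.transport
            reg = base[insn[2]]
        elif kind == "cmp_eq":
            if reg != insn[1]:
                return False
        else:
            raise ValueError(f"unknown instruction {kind!r}")
    return True


def evaluate_rules():
    """Return {packet label: (loose matched, strict matched)} for three
    constructed packets, all carrying type byte 1 as in comment #3."""
    loose = icmpv6_type_rule(1, with_family_dependency=False)
    strict = icmpv6_type_rule(1, with_family_dependency=True)
    type1 = bytes([1, 0, 0, 0, 0, 0, 0, 0])  # type 1, code 0, checksum, unused
    packets = {
        "ipv6 next-header 58, type 1": ipv6_packet(IPPROTO_ICMPV6, type1),
        "ipv4 protocol 58, type 1": ipv4_packet(IPPROTO_ICMPV6, type1),
        "ipv4 protocol 1 (icmp), type 1": ipv4_packet(IPPROTO_ICMP, type1),
    }
    return {label: (matches(loose, p), matches(strict, p))
            for label, p in packets.items()}


if __name__ == "__main__":
    for label, (loose_hit, strict_hit) in evaluate_rules().items():
        print(f"{label:32} loose={loose_hit!s:5} strict={strict_hit}")
```

The IPv4 packet whose protocol field says 58 is accepted by the l4proto-only chain and rejected by the chain that first checks `meta nfproto`, which is exactly the gap comment #3 describes; the genuine IPv6 ICMPv6 packet passes both, and an ordinary ICMPv4 packet passes neither. Real nft rules should be checked against the kernel with `nft --debug=netlink` rather than this model, which only covers the instructions quoted here.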
bugzilla-daemon at netfilter.org
2017-Jan-27  20:14 UTC
[Bug 1073] inet-service vs icmp conflict
https://bugzilla.netfilter.org/show_bug.cgi?id=1073
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
commit 0011985554e269e1cc8f8e5b41eb9dcd795ebe8c fixes this problem upstream.