bugzilla-daemon at netfilter.org
2018-Jan-30 14:40 UTC
[Bug 1221] New: "fib" produces strange results with an IPv6 default route
https://bugzilla.netfilter.org/show_bug.cgi?id=1221
Bug ID: 1221
Summary: "fib" produces strange results with an IPv6
default
route
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: f30 at f30.me
I am trying to implement reverse path filtering using "fib" rules like
`fib
saddr . iif oif 0 drop`.
I don't understand why exactly (see #1220), but this generally works for
IPv4
and IPv6 without a default route. However, "fib" starts to behave
strangely
with a v6 default route.
Assume a host with two interfaces, enp0s5 and enp0s6, and the following IP
addresses:
> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state
UP group default qlen 1000
link/ether 00:1c:42:87:bf:33 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.3/24 brd 10.0.0.255 scope global enp0s5
valid_lft forever preferred_lft forever
inet6 fd00::3/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::21c:42ff:fe87:bf33/64 scope link
valid_lft forever preferred_lft forever
3: enp0s6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state
UP group default qlen 1000
link/ether 00:1c:42:5c:28:c0 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.3/24 brd 10.1.1.255 scope global enp0s6
valid_lft forever preferred_lft forever
inet6 fd11::3/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::21c:42ff:fe5c:28c0/64 scope link
valid_lft forever preferred_lft forever
The routing table for v6 looks fairly unsurprising:
> ip -6 r
fd00::/64 dev enp0s5 proto kernel metric 256 pref medium
fd11::/64 dev enp0s6 proto kernel metric 256 pref medium
fe80::/64 dev enp0s5 proto kernel metric 256 pref medium
fe80::/64 dev enp0s6 proto kernel metric 256 pref medium
Let's add some "fib" rules to get the following ruleset.
(Only using counter statements and adding matches for "enp0s5" and
"enp0s6" for
demonstration purposes. I'm using the "inet" family here, but the
behavior can
also be replicated with "ip6".)
> nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table inet raw {
chain prerouting {
type filter hook prerouting priority -300; policy accept;
fib saddr . iif oif 0 udp dport 1337 counter packets 0 bytes 0
fib saddr . iif oif "enp0s5" udp dport 1337 counter packets
0 bytes 0
fib saddr . iif oif "enp0s6" udp dport 1337 counter packets
0 bytes 0
}
}
Using Scapy on another host, we now send some packets to the wrong interface
(to enp0s6 with a source address belonging to enp0s5's net):
>>> e = Ether(dst='00:1c:42:5c:28:c0')
>>> i = IPv6(src='fd00::1', dst='fd11::3')
>>> u = UDP(dport=1337)
>>> sendp(e / i / u, iface='vnic3')
.
Sent 1 packets.
In this case, everything works as expected and the first "fib" rule
matches:
> nft list chain inet raw prerouting
table inet raw {
chain prerouting {
type filter hook prerouting priority -300; policy accept;
fib saddr . iif oif 0 udp dport 1337 counter packets 1 bytes 48
fib saddr . iif oif "enp0s5" udp dport 1337 counter packets
0 bytes 0
fib saddr . iif oif "enp0s6" udp dport 1337 counter packets
0 bytes 0
}
}
Let's add a default route now:
> ip -6 r add default via fd11::1
> ip -6 r
fd00::/64 dev enp0s5 proto kernel metric 256 pref medium
fd11::/64 dev enp0s6 proto kernel metric 256 pref medium
fe80::/64 dev enp0s5 proto kernel metric 256 pref medium
fe80::/64 dev enp0s6 proto kernel metric 256 pref medium
default via fd11::1 dev enp0s6 metric 1024 pref medium
We reset the counters, repeat the Scapy `sendp()` from above and look at the
counters again:
> nft list chain inet raw prerouting
table inet raw {
chain prerouting {
type filter hook prerouting priority -300; policy accept;
fib saddr . iif oif 0 udp dport 1337 counter packets 0 bytes 0
fib saddr . iif oif "enp0s5" udp dport 1337 counter packets
0 bytes 0
fib saddr . iif oif "enp0s6" udp dport 1337 counter packets
1 bytes
48
}
}
By adding a route which should have nothing to do with the respective lookup,
we were able to change the result of our "fib" expressions!
For reference, here's a route lookup for the source address:
> ip -6 r get fd00::1
fd00::1 from :: dev enp0s5 proto kernel src fd00::3 metric 256 pref medium
No surprises here, so I suppose the bug is in Netfilter or nftables.
Everything works as expected for IPv4. I observed this with Kernel
4.14.0-3-amd64 and nft 0.8.1 on Debian Testing.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180130/288f3232/attachment.html>
bugzilla-daemon at netfilter.org
2018-Feb-01 12:54 UTC
[Bug 1221] "fib" produces strange results with an IPv6 default route
https://bugzilla.netfilter.org/show_bug.cgi?id=1221
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fw at strlen.de
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180201/75397bf1/attachment.html>
bugzilla-daemon at netfilter.org
2018-Feb-05 16:02 UTC
[Bug 1221] "fib" produces strange results with an IPv6 default route
https://bugzilla.netfilter.org/show_bug.cgi?id=1221
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Assignee|pablo at netfilter.org |fw at strlen.de
--- Comment #1 from Florian Westphal <fw at strlen.de> ---
Created attachment 527
--> https://bugzilla.netfilter.org/attachment.cgi?id=527&action=edit
don
Thanks for the detailed bug report, does this patch fix the bug for you?
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180205/68ff313d/attachment.html>
bugzilla-daemon at netfilter.org
2018-Feb-07 16:04 UTC
[Bug 1221] "fib" produces strange results with an IPv6 default route
https://bugzilla.netfilter.org/show_bug.cgi?id=1221
Felix Dreissig <f30 at f30.me> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |f30 at f30.me
--- Comment #2 from Felix Dreissig <f30 at f30.me> ---
(In reply to Florian Westphal from comment #1)> Thanks for the detailed bug report, does this patch fix the bug for you?
Thanks for your quick response!
Unfortunately, I can still reproduce the issue even with the patch applied.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180207/84d3ec24/attachment.html>
bugzilla-daemon at netfilter.org
2018-Feb-09 12:02 UTC
[Bug 1221] "fib" produces strange results with an IPv6 default route
https://bugzilla.netfilter.org/show_bug.cgi?id=1221 --- Comment #3 from Florian Westphal <fw at strlen.de> --- Created attachment 528 --> https://bugzilla.netfilter.org/attachment.cgi?id=528&action=edit remove multipath relookup (In reply to Felix Dreissig from comment #2)> (In reply to Florian Westphal from comment #1) > > Thanks for the detailed bug report, does this patch fix the bug for you? > > Thanks for your quick response! > Unfortunately, I can still reproduce the issue even with the patch applied.Indeed, I failed to reproduce your setup correctly. Attached patch "fixes" the problem, fib inherited this behaviour from ip6t_rpfilter. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180209/b4a578d6/attachment.html>
bugzilla-daemon at netfilter.org
2018-Feb-09 17:23 UTC
[Bug 1221] "fib" produces strange results with an IPv6 default route
https://bugzilla.netfilter.org/show_bug.cgi?id=1221 --- Comment #4 from Felix Dreissig <f30 at f30.me> --- (In reply to Florian Westphal from comment #3)> Attached patch "fixes" the problem, fib inherited this behaviour from > ip6t_rpfilter.Thanks again, I can confirm that this patch fixes the issue. You're also right about ip6t_rpfilter, I was able to reproduce the buggy behavior with ip6tables as well o_O. Should that be reported as a separate bug, or are you gonna handle it as well? -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180209/72815fb1/attachment.html>
bugzilla-daemon at netfilter.org
2018-Feb-09 17:29 UTC
[Bug 1221] "fib" produces strange results with an IPv6 default route
https://bugzilla.netfilter.org/show_bug.cgi?id=1221 --- Comment #5 from Florian Westphal <fw at strlen.de> --- (In reply to Felix Dreissig from comment #4)> (In reply to Florian Westphal from comment #3) > > Attached patch "fixes" the problem, fib inherited this behaviour from > > ip6t_rpfilter. > > Thanks again, I can confirm that this patch fixes the issue. > > You're also right about ip6t_rpfilter, I was able to reproduce the buggy > behavior with ip6tables as well o_O. Should that be reported as a separate > bug, or are you gonna handle it as well?No need, I'll handle it in one go. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180209/9a5fff90/attachment.html>
bugzilla-daemon at netfilter.org
2018-Feb-26 13:44 UTC
[Bug 1221] "fib" produces strange results with an IPv6 default route
https://bugzilla.netfilter.org/show_bug.cgi?id=1221
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #6 from Florian Westphal <fw at strlen.de> ---
(In reply to Florian Westphal from comment #5)> > Thanks again, I can confirm that this patch fixes the issue.
> >
> > You're also right about ip6t_rpfilter, I was able to reproduce the
buggy
> > behavior with ip6tables as well o_O. Should that be reported as a
separate
> > bug, or are you gonna handle it as well?
>
> No need, I'll handle it in one go.
Patches for both fib and ip6tables rpfilter are now upstream.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180226/bfd87241/attachment.html>