bugzilla-daemon at netfilter.org
2018-Nov-24 15:19 UTC
[Bug 1303] New: nft improperly merges intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1303
Bug ID: 1303
Summary: nft improperly merges intervals
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: critical
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: trever at middleearth.sapphiresunday.org
Please consider the following rules:
oifname "ppp0" ip saddr { 10.0.0.0/23, 10.1.1.0/24 } counter packets 76 bytes 4704 masquerade
oifname "ppp0" ip saddr 10.1.1.0/25 counter packets 0 bytes 0 masquerade
oifname "ppp0" ip saddr 10.0.1.0/24 counter packets 0 bytes 0 masquerade
oifname "ppp0" ip saddr 10.0.0.0/24 counter packets 0 bytes 0 masquerade
oifname "ppp0" ip saddr 10.1.1.128/25 counter packets 0 bytes 0 masquerade
The second and last are properly merged in the first (which should have four entries without merging). Combining the third and fourth into a /23 is NOT correct. If this were a block rule, it would lead to improperly denying things; if it were an accept, it would be a huge security hole. Masquerade... there are reasons it is likely a security hole as well.
I assume this is a user-space and not a kernel problem, but it is just as likely the other.
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2018-Nov-27 08:42 UTC
[Bug 1303] nft improperly merges intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1303
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What   | Removed | Added
-------|---------|---------
Status | NEW     | ASSIGNED
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Rules are evaluated linearly, the first rule is shadowing the follow up ones.
bugzilla-daemon at netfilter.org
2018-Nov-27 12:51 UTC
[Bug 1303] nft improperly merges intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1303
--- Comment #2 from trever at middleearth.sapphiresunday.org ---
I am sorry for not being clear. The following command created the first rule
listed in my first description of the bug:
nft add rule ip nat postrouting oifname "ppp0" ip saddr { 10.1.1.0/25, 10.0.1.0/24, 10.0.0.0/24, 10.1.1.128/25 } counter masquerade
Again, the first and last entries are merged correctly as the second (10.1.1.0/24). However, the second and third do NOT correctly merge as 10.0.0.0/23; this assumes 10.0.2-255.x are in the rule as well. The other rules were simply there for illustration. I am aware they would be masked by the first.
bugzilla-daemon at netfilter.org
2018-Nov-27 12:54 UTC
[Bug 1303] nft improperly merges intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1303
--- Comment #3 from trever at middleearth.sapphiresunday.org ---
Sorry, I should use the same terms you are. I am aware that in the initial post the first rule would shadow the rest.
bugzilla-daemon at netfilter.org
2018-Nov-29 13:07 UTC
[Bug 1303] nft improperly merges intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1303
--- Comment #4 from trever at middleearth.sapphiresunday.org ---
I am sorry. I do not know what I was thinking. I do think this merge is accurate after all.
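The point the thread settles on is that 10.0.0.0/24 and 10.0.1.0/24 are adjacent and prefix-aligned, so 10.0.0.0/23 covers exactly those 512 addresses and nothing in 10.0.2.x. The following is an added example, not nft's own code and not from the report: an independent Python model of the interval merge applied to the set from the command in comment #2, plus an exhaustive check that the merged form neither drops nor adds addresses (the over-merge the report worried about).

```python
import ipaddress


def to_intervals(nets):
    """CIDR prefixes -> inclusive integer [first, last] intervals (host bits must be 0)."""
    out = []
    for n in nets:
        net = ipaddress.ip_network(n, strict=True)
        out.append((int(net.network_address), int(net.broadcast_address)))
    return out


def merge_intervals(ivs):
    """Coalesce intervals that overlap or touch (last + 1 == next first)."""
    merged = []
    for first, last in sorted(ivs):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def merge_set(nets):
    """Merged set re-expressed as the minimal list of CIDR prefixes. A merged
    interval becomes ONE prefix only if it is prefix-aligned (10.0.0.0/24 +
    10.0.1.0/24 -> 10.0.0.0/23); 10.0.1.0/24 + 10.0.2.0/24 stays two prefixes."""
    result = []
    for first, last in merge_intervals(to_intervals(nets)):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        result.extend(str(n) for n in ipaddress.summarize_address_range(lo, hi))
    return result


def merge_is_exact(nets):
    """The check the report asks for: enumerate every address (fine for small
    sets) and confirm the merge neither drops nor adds any, i.e. no over-merge."""
    def addresses(ns):
        return {int(a) for n in ns for a in ipaddress.ip_network(n, strict=True)}
    nets = list(nets)
    return addresses(merge_set(nets)) == addresses(nets)


# The set from the `nft add rule ... ip saddr { ... }` command in comment #2.
REPORTED_SET = ["10.1.1.0/25", "10.0.1.0/24", "10.0.0.0/24", "10.1.1.128/25"]

if __name__ == "__main__":
    print(merge_set(REPORTED_SET))       # ['10.0.0.0/23', '10.1.1.0/24']
    print(merge_is_exact(REPORTED_SET))  # True
    # The range the report worried about (10.0.2.x) is NOT inside the merged /23.
    print(ipaddress.ip_address("10.0.2.1") in ipaddress.ip_network("10.0.0.0/23"))  # False
```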
bugzilla-daemon at netfilter.org
2019-Jul-12 10:08 UTC
[Bug 1303] nft improperly merges intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1303
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What       | Removed  | Added
-----------|----------|-----------
Status     | ASSIGNED | RESOLVED
Resolution | ---      | WORKSFORME