bugzilla-daemon at netfilter.org
2020-Nov-01 18:06 UTC
[Bug 1478] New: Concatenations with ct status do not match
https://bugzilla.netfilter.org/show_bug.cgi?id=1478

            Bug ID: 1478
           Summary: Concatenations with ct status do not match
           Product: netfilter/iptables
           Version: unspecified
          Hardware: arm
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: unknown
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: c-d.hailfinger.devel.2006 at gmx.net

Using "ct status" as part of a concatenation causes a rule to fail matching. It doesn't matter if the concatenation has "ct status" at the beginning or the end; the failure will happen regardless of order. Using "ct status" in a non-concatenated combination works.

See below for the packet counters of a single IPv4 SSH connection to port 2222 which gets redirected to port 22. This is especially visible when comparing the following two rules, of which the variant with concatenation never matches:

    ct status dnat ct status dnat counter
    ct status . ct status { dnat . dnat } counter

Steps to reproduce the issue:
Load the ruleset below.
Have SSHD running on local port 22.
Connect from another machine with ssh -p 2222 targetip
Note that the counters in the filter table for concatenations with "ct status" do not increase, whereas the other counters increase.

Versions:
Debian 10, armhf (Raspberry Pi OS), with backports
Linux myhostname 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l GNU/Linux
libmnl0 1.0.4-2
libnetfilter-conntrack3 1.0.7-1
libnftnl11 1.1.7-1~bpo10+1
libnftables1 0.9.6-1~bpo10+1
nftables 0.9.6-1~bpo10+1

Ruleset:

    $ nft list ruleset
    table inet filter {
        chain input {
            type filter hook input priority filter; policy accept;
            ct state established,related accept comment "Accept traffic originated from us"
            tcp dport . ct status { 22 . dnat } counter packets 0 bytes 0
            ct status . tcp dport { dnat . 22 } counter packets 0 bytes 0
            tcp dport 22 ct status dnat counter packets 1 bytes 60
            ct status dnat tcp dport 22 counter packets 1 bytes 60
            tcp dport 22 tcp dport 22 counter packets 1 bytes 60
            ct status dnat ct status dnat counter packets 1 bytes 60
            tcp dport . tcp dport { 22 . 22 } counter packets 1 bytes 60
            ct status . ct status { dnat . dnat } counter packets 0 bytes 0
            tcp dport 22 counter packets 1 bytes 60
            ct status dnat counter packets 1 bytes 60
        }

        chain forward {
            type filter hook forward priority filter; policy accept;
        }

        chain output {
            type filter hook output priority filter; policy accept;
        }
    }
    table inet nat {
        chain prerouting {
            type nat hook prerouting priority dstnat; policy accept;
            tcp dport 2222 counter packets 1 bytes 60
            tcp dport 22 counter packets 0 bytes 0
            tcp dport 2222 redirect to :22
        }
    }

-- 
You are receiving this mail because:
You are watching all bug changes.
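As an added example (not part of the bug report and not nftables code), a small audit script that parses `nft list ruleset` output of the form shown above and flags concatenation rules containing `ct status` whose counters stay at zero while a plain `ct status` rule in the same ruleset has seen traffic; that is the symptom a defender would look for when checking whether such rules are silently dead. The embedded ruleset is constructed from the counters reported above, and the function names are my own.

```python
import re

# Constructed from the filter/input counters in the bug report (not a live capture).
SAMPLE_RULESET = """table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state established,related accept comment "Accept traffic originated from us"
        tcp dport . ct status { 22 . dnat } counter packets 0 bytes 0
        ct status . tcp dport { dnat . 22 } counter packets 0 bytes 0
        tcp dport 22 ct status dnat counter packets 1 bytes 60
        ct status dnat tcp dport 22 counter packets 1 bytes 60
        tcp dport 22 tcp dport 22 counter packets 1 bytes 60
        ct status dnat ct status dnat counter packets 1 bytes 60
        tcp dport . tcp dport { 22 . 22 } counter packets 1 bytes 60
        ct status . ct status { dnat . dnat } counter packets 0 bytes 0
        tcp dport 22 counter packets 1 bytes 60
        ct status dnat counter packets 1 bytes 60
    }
}
"""

# Matches any rule line that carries a named counter; everything before
# "counter" is the match expression of the rule.
COUNTER_RE = re.compile(r"^(?P<expr>.*?)\s+counter packets (?P<pkts>\d+) bytes (?P<bytes>\d+)")


def parse_counter_rules(ruleset):
    """Return (expression, packets, bytes) for every rule that has a counter."""
    rules = []
    for line in ruleset.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            rules.append((m.group("expr"), int(m.group("pkts")), int(m.group("bytes"))))
    return rules


def is_ct_status_concat(expr):
    """True if the expression uses ct status as one element of a concatenation ('a . b')."""
    return "ct status" in expr and " . " in expr


def find_dead_ct_status_concats(ruleset):
    """Flag ct status concatenation rules with zero packets, but only when a plain
    (non-concatenated) ct status rule in the same ruleset did count traffic, so the
    comparison is against evidence that the ct status match itself works."""
    rules = parse_counter_rules(ruleset)
    plain_hit = any(pkts > 0 for expr, pkts, _ in rules
                    if "ct status" in expr and not is_ct_status_concat(expr))
    if not plain_hit:
        return []  # no traffic through any plain ct status rule: nothing to compare against
    return [expr for expr, pkts, _ in rules if is_ct_status_concat(expr) and pkts == 0]
```

Run against a live `nft list ruleset` dump after generating known traffic; an empty result means no ct status concatenation rule is silently failing to match.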
bugzilla-daemon at netfilter.org
2020-Nov-01 18:09 UTC
[Bug 1478] Concatenations with ct status do not match
https://bugzilla.netfilter.org/show_bug.cgi?id=1478

--- Comment #1 from Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 at gmx.net> ---
Created attachment 611
  --> https://bugzilla.netfilter.org/attachment.cgi?id=611&action=edit
Netfilter related kernel config options