bugzilla-daemon at netfilter.org
2020-Nov-01 18:06 UTC
[Bug 1478] New: Concatenations with ct status do not match
https://bugzilla.netfilter.org/show_bug.cgi?id=1478
Bug ID: 1478
Summary: Concatenations with ct status do not match
Product: netfilter/iptables
Version: unspecified
Hardware: arm
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: unknown
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: c-d.hailfinger.devel.2006 at gmx.net
Using "ct status" as part of a concatenation causes a rule to fail
matching. It
doesn't matter if the concatenation has "ct status" at the
beginning or the
end, the failure will happen regardless of order.
Using "ct status" in a non-concatenated combination works. See below
for the
packet counters of a single IPv4 SSH connection to port 2222 which gets
redirected to port 22. This is especially visible when comparing the following
two rules, of which the variant with concatenation never matches:
ct status dnat ct status dnat counter
ct status . ct status { dnat . dnat } counter
Steps to reproduce the issue:
Load the ruleset below. Have SSHD running on local port 22. Connect from
another machine with ssh -p 2222 targetip
Note that the counters in the filter table for concatenations with "ct
status"
do not increase, whereas the other counters increase.
Versions:
Debian 10, armhf (Raspberry Pi OS), with backports
Linux myhostname 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l
GNU/Linux
libmnl0 1.0.4-2
libnetfilter-conntrack3 1.0.7-1
libnftnl11 1.1.7-1~bpo10+1
libnftables1 0.9.6-1~bpo10+1
nftables 0.9.6-1~bpo10+1
Ruleset:
$ nft list ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
ct state established,related accept comment "Accept traffic
originated from us"
tcp dport . ct status { 22 . dnat } counter packets 0 bytes 0
ct status . tcp dport { dnat . 22 } counter packets 0 bytes 0
tcp dport 22 ct status dnat counter packets 1 bytes 60
ct status dnat tcp dport 22 counter packets 1 bytes 60
tcp dport 22 tcp dport 22 counter packets 1 bytes 60
ct status dnat ct status dnat counter packets 1 bytes 60
tcp dport . tcp dport { 22 . 22 } counter packets 1 bytes 60
ct status . ct status { dnat . dnat } counter packets 0 bytes 0
tcp dport 22 counter packets 1 bytes 60
ct status dnat counter packets 1 bytes 60
}
chain forward {
type filter hook forward priority filter; policy accept;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
table inet nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
tcp dport 2222 counter packets 1 bytes 60
tcp dport 22 counter packets 0 bytes 0
tcp dport 2222 redirect to :22
}
}
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20201101/a0290c96/attachment.html>
bugzilla-daemon at netfilter.org
2020-Nov-01 18:09 UTC
[Bug 1478] Concatenations with ct status do not match
https://bugzilla.netfilter.org/show_bug.cgi?id=1478 --- Comment #1 from Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 at gmx.net> --- Created attachment 611 --> https://bugzilla.netfilter.org/attachment.cgi?id=611&action=edit Netfilter related kernel config options -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20201101/141321fe/attachment.html>
Seemingly Similar Threads
- nouveau broken on Riva TNT2 in 5.9.0-rc8: GPU not supported on big-endian
- nouveau broken on Riva TNT2 in 5.9.0-rc8: GPU not supported on big-endian
- [Bug 1371] New: Concatenations Literal sets
- Trouble with simple R list concatenations
- [Bug 1082] New: Hard lockup when inserting nft rules (esp. ct rule)