bugzilla-daemon at netfilter.org
2023-Apr-14 09:18 UTC
[Bug 1673] New: bug egress hook virtio interface with VLAN
https://bugzilla.netfilter.org/show_bug.cgi?id=1673

            Bug ID: 1673
           Summary: bug egress hook virtio interface with VLAN
           Product: nftables
           Version: 1.0.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: kernel
          Assignee: pablo at netfilter.org
          Reporter: r.gabet at biche.org

Sorry for my English.

I have a problem with the egress hook on a VLAN interface. I want to match DHCP
output traffic on a virtual machine with nftables. On a virtio interface, it is
not working (it works with no VLAN), but on an E1000 interface, it works. I
think there is a bug.

Config :
Linux test 6.2.10-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 07 Apr 2023 02:10:43 +0000 x86_64 GNU/Linux
nftables v1.0.7 (Old Doc Yak)
dhcpcd 9.4.1
isc-dhclient-4.4.3-P1

virtio interface : enp6s19
E1000 interface : enp6s20

I made tests with this ruleset :

table netdev filter {
        chain egress {
                type filter hook egress device "enp6s19.100" priority filter; policy accept;
                meta nftrace set 1
                log group 30
                udp sport 68 udp dport 67 counter packets 0 bytes 0
        }

        chain egress2 {
                type filter hook egress device "enp6s20.100" priority filter; policy accept;
                meta nftrace set 1
                log group 31
                udp sport 68 udp dport 67 counter packets 0 bytes 0
        }
}

With virtio, captured packet :

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on nflog:30, link-type NFLOG (Linux netfilter log messages), snapshot length 262144 bytes
10:02:24.310780 version 0, resource ID 30, family Unknown (5), length 348:

nft monitor :

trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" @nh,0,320 0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000
trace id 195bb0a6 netdev filter egress rule meta nftrace set 1 (verdict continue)
trace id 195bb0a6 netdev filter egress rule log group 30 (verdict continue)
trace id 195bb0a6 netdev filter egress verdict continue
trace id 195bb0a6 netdev filter egress policy accept

With E1000, captured packet :

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on nflog:31, link-type NFLOG (Linux netfilter log messages), snapshot length 262144 bytes
10:06:28.977551 version 0, resource ID 31, family Unknown (5), length 348:

nft monitor :

trace id 2e00e339 netdev filter egress2 packet: oif "enp6s20.100" @nh,0,48 0x450001482898 @th,0,160 0x4011510e00000000ffffffff004400430134
trace id 2e00e339 netdev filter egress2 rule meta nftrace set 1 (verdict continue)
trace id 2e00e339 netdev filter egress2 rule log group 31 (verdict continue)
trace id 2e00e339 netdev filter egress2 rule udp sport 68 udp dport 67 counter packets 0 bytes 0 (verdict continue)
trace id 2e00e339 netdev filter egress2 verdict continue
trace id 2e00e339 netdev filter egress2 policy accept

I think the problem is related to an incorrect @nh base.

With virtio :
oif "enp6s19.100" @nh,0,320 0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000

With E1000 :
@nh,0,48 0x450001482898 @th,0,160 0x4011510e00000000ffffffff004400430134

PS : I tried with dhcpcd and dhclient, I have the same issue.

-- 
You are receiving this mail because:
You are watching all bug changes.
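
Added example (not part of the bug report and not nftables code): a Python check that takes the two nft monitor "packet:" lines quoted in the report and works out where each trace's bytes begin relative to the real IPv4 header, using the UDP protocol number and the 68/67 ports from the ruleset as landmarks. The function names, and the left-padding of each hex value to its declared bit length, are assumptions of this example.

```python
import re

# The two "packet:" trace lines quoted in the report, copied verbatim.
VIRTIO_TRACE = ('oif "enp6s19.100" @nh,0,320 '
                '0xe5050000401194a000000000ffffffff'
                '00440043013486f501010600f97b4c02'
                '0000000000000000')
E1000_TRACE = ('oif "enp6s20.100" @nh,0,48 0x450001482898 '
               '@th,0,160 0x4011510e00000000ffffffff004400430134')

CHUNK = re.compile(r'@\w+,\d+,(\d+) 0x([0-9a-fA-F]+)')
DHCP_CLIENT_PORTS = bytes([0, 68, 0, 67])   # udp sport 68, udp dport 67
IPPROTO_UDP = 17


def trace_bytes(line):
    """Join the @base,offset,bits chunks of a trace line into raw bytes.

    Assumption of this example: each value is printed as a number, so leading
    zero bytes are lost; pad each chunk back to its declared bit length.
    """
    return b''.join(bytes.fromhex(hexval.zfill(int(bits) // 4))
                    for bits, hexval in CHUNK.findall(line))


def ipv4_base_shift(data, max_shift=8):
    """How many bytes past the true IPv4 header start does `data` begin?

    Landmarks: protocol 17 at IPv4 offset 9 and the UDP ports at offset 20
    (20-byte header without options). Returns None when nothing fits.
    """
    for shift in range(max_shift + 1):
        proto_at, ports_at = 9 - shift, 20 - shift
        if (len(data) >= ports_at + 4 and data[proto_at] == IPPROTO_UDP
                and data[ports_at:ports_at + 4] == DHCP_CLIENT_PORTS):
            return shift
    return None


def rule_matches_at_base(data):
    """Model `udp sport 68 udp dport 67` read at the offsets a correct base gives."""
    return (len(data) >= 24 and data[0] >> 4 == 4
            and data[9] == IPPROTO_UDP and data[20:24] == DHCP_CLIENT_PORTS)


if __name__ == '__main__':
    for name, line in (('virtio', VIRTIO_TRACE), ('E1000', E1000_TRACE)):
        raw = trace_bytes(line)
        print(name, 'shift:', ipv4_base_shift(raw),
              'rule matches:', rule_matches_at_base(raw))
```

On the report's data the shift is 0 for the E1000 trace and 4 for the virtio trace: the virtio bytes begin four bytes into the IPv4 header, which is the length of an 802.1Q tag. Read at that base the bytes do not parse as IPv4/UDP, which fits the virtio trace never reaching the `udp sport 68 udp dport 67` rule.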
bugzilla-daemon at netfilter.org
2023-Apr-24 19:03 UTC
[Bug 1673] bug egress hook virtio interface with VLAN
https://bugzilla.netfilter.org/show_bug.cgi?id=1673

Simon G. Trajkovski <neur0armitage at proton.me> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |neur0armitage at proton.me

--- Comment #1 from Simon G. Trajkovski <neur0armitage at proton.me> ---
sorry for my english too

you say virtio device, is it virtio device in guest or host the ruleset?
what type of networking configuration between host and guest? I can not
reproduce
bugzilla-daemon at netfilter.org
2023-Apr-24 19:43 UTC
[Bug 1673] bug egress hook virtio interface with VLAN
https://bugzilla.netfilter.org/show_bug.cgi?id=1673

--- Comment #2 from Simon G. Trajkovski <neur0armitage at proton.me> ---
virtio very broken in 6.2 and Arch?

[ 324.572043] ------------[ cut here ]------------
[ 324.572063] NETDEV WATCHDOG: eth0 (virtio_net): transmit queue 0 timed out
[ 324.572093] WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:525 dev_watchdog+0x20b/0x220
[ 324.572105] Modules linked in: ppdev joydev mousedev psmouse parport_pc i2c_piix4 pcspkr parport mac_hid cfg80211 rfkill loop fuse dm_mod bpf_preload qemu_fw_cfg ip_tables x_tables btrfs blake2b_generic xor raid6_pq libcrc32c crc32c_generic sr_mod virtio_net cdrom net_failover bochs ata_generic serio_raw pata_acpi atkbd failover drm_vram_helper libps2 vivaldi_fmap virtio_pci drm_ttm_helper intel_agp virtio_pci_legacy_dev intel_gtt ata_piix virtio_pci_modern_dev ttm i8042 floppy serio
[ 324.572285] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.2.11-arch1-1 #1 244f0da55016c37c5dbf2d77817b860f27430e94
[ 324.572290] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
[ 324.572294] RIP: 0010:dev_watchdog+0x20b/0x220
[ 324.572299] Code: ff e9 40 ff ff ff 48 89 df c6 05 73 3a 46 01 01 e8 ca ce f8 ff 44 89 e9 48 89 de 48 c7 c7 e8 c0 2a 9d 48 89 c2 e8 15 21 55 ff <0f> 0b e9 22 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90
[ 324.572303] RSP: 0018:ffffa4b580003e88 EFLAGS: 00010286
[ 324.572309] RAX: 0000000000000000 RBX: ffff89f4c334f000 RCX: 000000000000083f
[ 324.572312] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f
[ 324.572316] RBP: ffff89f4c334f4c8 R08: 0000000000000000 R09: ffffa4b580003d18
[ 324.572319] R10: 0000000000000003 R11: ffffffff9dac9a68 R12: ffff89f4c334f41c
[ 324.572322] R13: 0000000000000000 R14: ffffa4b580003f00 R15: ffff89f4fec21f00
[ 324.572325] FS: 0000000000000000(0000) GS:ffff89f4fec00000(0000) knlGS:0000000000000000
[ 324.572329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 324.572332] CR2: 00007f9677af05b8 CR3: 0000000001bc4000 CR4: 00000000000006f0
[ 324.572337] Call Trace:
[ 324.572342] <IRQ>
[ 324.572347] ? __pfx_dev_watchdog+0x10/0x10
[ 324.572355] call_timer_fn+0x27/0x130
[ 324.572362] ? __pfx_dev_watchdog+0x10/0x10
[ 324.572366] __run_timers+0x222/0x2c0
[ 324.572372] run_timer_softirq+0x1d/0x40
[ 324.572377] __do_softirq+0xd4/0x2c8
[ 324.572383] ? sched_clock_cpu+0xd/0xb0
[ 324.572388] __irq_exit_rcu+0xb7/0xe0
[ 324.572393] sysvec_apic_timer_interrupt+0x72/0x90
[ 324.572399] </IRQ>
[ 324.572402] <TASK>
[ 324.572404] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 324.572412] RIP: 0010:native_safe_halt+0xf/0x20
[ 324.572418] Code: 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d d3 e2 2c 00 fb f4 <c3> cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90
[ 324.572422] RSP: 0018:ffffffff9da03e88 EFLAGS: 00000206
[ 324.572427] RAX: ffffffff9c950730 RBX: ffffffff9da1aa00 RCX: 0000000000000838
[ 324.572430] RDX: 4000000000000000 RSI: 0000000000000083 RDI: 0000000000020204
[ 324.572433] RBP: 0000000000000000 R08: 00000058f1eb822e R09: 0000000000000000
[ 324.572436] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
[ 324.572439] R13: 0000000000000000 R14: ffffffff9da1a118 R15: 0000000000000000
[ 324.572443] ? __pfx_default_idle+0x10/0x10
[ 324.572450] default_idle+0xe/0x20
[ 324.572455] default_idle_call+0x3c/0x100
[ 324.572459] do_idle+0x206/0x270
[ 324.572464] cpu_startup_entry+0x1d/0x20
[ 324.572469] rest_init+0xc8/0xd0
[ 324.572475] arch_call_rest_init+0xe/0x30
[ 324.572482] start_kernel+0x734/0xb30
[ 324.572488] secondary_startup_64_no_verify+0xe5/0xeb
[ 324.572496] </TASK>
[ 324.572499] ---[ end trace 0000000000000000 ]---
[ 324.572511] virtio_net virtio0 eth0: TX timeout on queue: 0, sq: output.0, vq: 0x1, name: output.0, 7360000 usecs ago
[ 329.478741] virtio_net virtio0 eth0: TX timeout on queue: 0, sq: output.0, vq: 0x1, name: output.0, 12266666 usecs ago
[ 334.598753] virtio_net virtio0 eth0: TX timeout on queue: 0, sq: output.0, vq: 0x1, name: output.0, 17386666 usecs ago
[ 339.505365] virtio_net virtio0 eth0: TX timeout on queue: 0, sq: output.0, vq: 0x1, name: output.0, 22293333 usecs ago
[ 344.412044] virtio_net virtio0 eth0: TX timeout on queue: 0, sq: output.0, vq: 0x1, name: output.0, 27200000 usecs ago
[ 349.532045] virtio_net virtio0 eth0: TX timeout on queue: 0, sq: output.0, vq: 0x1, name: output.0, 32320000 usecs ago
[ 354.438698] virtio_net virtio0 eth0: TX timeout on queue: 0, sq: output.0, vq: 0x1, name: output.0, 37226666 usecs ago
[ 359.558703] virtio_net virtio0 eth0: TX timeout on queue: 0, sq: output.0, vq: 0x1, name: output.0, 42346666 usecs ago
[ 364.465371] virtio_net virtio0 eth0: TX timeout on queue: 0, sq: output.0, vq: 0x1, name: output.0, 47253333 usecs ago
bugzilla-daemon at netfilter.org
2023-Apr-25 09:35 UTC
[Bug 1673] bug egress hook virtio interface with VLAN
https://bugzilla.netfilter.org/show_bug.cgi?id=1673

--- Comment #3 from r.gabet at biche.org ---
(In reply to Simon G. Trajkovski from comment #1)
> sorry for my english too
>
> you say virtio device, is it virtio device in guest or host the ruleset?
> what type of networking configuration between host and guest? I can not
> reproduce

The virtio device is on guest (Linux test 6.2.10-arch1-1 #1 SMP PREEMPT_DYNAMIC
Fri, 07 Apr 2023 02:10:43 +0000 x86_64 GNU/Linux), the nftables ruleset is on
guest too.
The host is proxmox 7.4 (Linux proxmox 6.2.9-1-pve #1 SMP PREEMPT_DYNAMIC PVE
6.2.9-1 (2023-03-31T10:48Z) x86_64).
bugzilla-daemon at netfilter.org
2023-Oct-06 15:49 UTC
[Bug 1673] bug egress hook virtio interface with VLAN
https://bugzilla.netfilter.org/show_bug.cgi?id=1673

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
*** Bug 1672 has been marked as a duplicate of this bug. ***
bugzilla-daemon at netfilter.org
2023-Oct-06 16:13 UTC
[Bug 1673] bug egress hook virtio interface with VLAN
https://bugzilla.netfilter.org/show_bug.cgi?id=1673

--- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> ---
I fail to reproduce this with QEMU virtio and running Debian cloud image with
6.1 kernel.