diff mbox series

[net,2/2] netfilter: xtables: fix typo causing some targets not to load on IPv6

Message ID 20241021094536.81487-3-pablo@netfilter.org (mailing list archive)
State Accepted
Commit 306ed1728e8438caed30332e1ab46b28c25fe3d8
Delegated to: Netdev Maintainers
Series [net,1/2] netfilter: bpf: must hold reference on net namespace

Checks

Context Check Description
netdev/series_format success Pull request is its own cover letter
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 5 this patch: 5
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 3 maintainers not CCed: kadlec@netfilter.org coreteam@netfilter.org horms@kernel.org
netdev/build_clang success Errors and warnings before: 3 this patch: 3
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 4 this patch: 4
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 23 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Pablo Neira Ayuso Oct. 21, 2024, 9:45 a.m. UTC
- There is no NFPROTO_IPV6 family for mark and NFLOG.
- TRACE is also missing module autoload with NFPROTO_IPV6.

This results in ip6tables failing to restore a ruleset. This issue has been
reported by several users providing incomplete patches.

Very similar to Ilya Katsnelson's patch including a missing chunk in the
TRACE extension.

Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
Reported-by: Ignat Korchagin <ignat@cloudflare.com>
Reported-by: Ilya Katsnelson <me@0upti.me>
Reported-by: Krzysztof Olędzki <ole@ans.pl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_NFLOG.c | 2 +-
 net/netfilter/xt_TRACE.c | 1 +
 net/netfilter/xt_mark.c  | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

Comments

Thorsten Leemhuis Oct. 22, 2024, 7:39 a.m. UTC | #1
[CCing Greg and the stable list, to ensure he is aware of this, as well
as the regressions list]

On 21.10.24 11:45, Pablo Neira Ayuso wrote:
> - There is no NFPROTO_IPV6 family for mark and NFLOG.
> - TRACE is also missing module autoload with NFPROTO_IPV6.
> 
> This results in ip6tables failing to restore a ruleset. This issue has been
> reported by several users providing incomplete patches.
> 
> Very similar to Ilya Katsnelson's patch including a missing chunk in the
> TRACE extension.
> 
> Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
> [...]

Just FYI as the culprit recently hit various stable series (v6.11.4,
v6.6.57, v6.1.113, v5.15.168) quite a few reports came in that look like
issues that might be fixed by this to my untrained eyes. I suppose they
won't tell you anything new and maybe you even have seen them, but on
the off-chance that this might not be the case you can find them here:

https://bugzilla.kernel.org/show_bug.cgi?id=219397
https://bugzilla.kernel.org/show_bug.cgi?id=219402
https://bugzilla.kernel.org/show_bug.cgi?id=219409

Ciao, Thorsten

Greg Kroah-Hartman Oct. 22, 2024, 7:44 a.m. UTC | #2
On Tue, Oct 22, 2024 at 09:39:38AM +0200, Linux regression tracking (Thorsten Leemhuis) wrote:
> [CCing Greg and the stable list, to ensure he is aware of this, as well
> as the regressions list]
> 
> On 21.10.24 11:45, Pablo Neira Ayuso wrote:
> > - There is no NFPROTO_IPV6 family for mark and NFLOG.
> > - TRACE is also missing module autoload with NFPROTO_IPV6.
> > 
> > This results in ip6tables failing to restore a ruleset. This issue has been
> > reported by several users providing incomplete patches.
> > 
> > Very similar to Ilya Katsnelson's patch including a missing chunk in the
> > TRACE extension.
> > 
> > Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
> > [...]
> 
> Just FYI as the culprit recently hit various stable series (v6.11.4,
> v6.6.57, v6.1.113, v5.15.168) quite a few reports came in that look like
> issues that might be fixed by this to my untrained eyes. I suppose they
> won't tell you anything new and maybe you even have seen them, but on
> the off-chance that this might not be the case you can find them here:
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=219397
> https://bugzilla.kernel.org/show_bug.cgi?id=219402
> https://bugzilla.kernel.org/show_bug.cgi?id=219409

Is this commit in linux-next yet?  I looked yesterday but couldn't find
it anywhere...

thanks,

greg k-h

Pablo Neira Ayuso Oct. 22, 2024, 7:57 a.m. UTC | #3
Hi Greg,

On Tue, Oct 22, 2024 at 09:44:19AM +0200, Greg KH wrote:
> On Tue, Oct 22, 2024 at 09:39:38AM +0200, Linux regression tracking (Thorsten Leemhuis) wrote:
> > [CCing Greg and the stable list, to ensure he is aware of this, as well
> > as the regressions list]
> > 
> > On 21.10.24 11:45, Pablo Neira Ayuso wrote:
> > > - There is no NFPROTO_IPV6 family for mark and NFLOG.
> > > - TRACE is also missing module autoload with NFPROTO_IPV6.
> > > 
> > > This results in ip6tables failing to restore a ruleset. This issue has been
> > > reported by several users providing incomplete patches.
> > > 
> > > Very similar to Ilya Katsnelson's patch including a missing chunk in the
> > > TRACE extension.
> > > 
> > > Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
> > > [...]
> > 
> > Just FYI as the culprit recently hit various stable series (v6.11.4,
> > v6.6.57, v6.1.113, v5.15.168) quite a few reports came in that look like
> > issues that might be fixed by this to my untrained eyes. I suppose they
> > won't tell you anything new and maybe you even have seen them, but on
> > the off-chance that this might not be the case you can find them here:
> > 
> > https://bugzilla.kernel.org/show_bug.cgi?id=219397
> > https://bugzilla.kernel.org/show_bug.cgi?id=219402
> > https://bugzilla.kernel.org/show_bug.cgi?id=219409
> 
> Is this commit in linux-next yet?  I looked yesterday but couldn't find
> it anywhere...

Not yet, there is a pending PR to reach netdev.git at this moment.

Patch

diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index d80abd6ccaf8..6dcf4bc7e30b 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -79,7 +79,7 @@  static struct xt_target nflog_tg_reg[] __read_mostly = {
 	{
 		.name       = "NFLOG",
 		.revision   = 0,
-		.family     = NFPROTO_IPV4,
+		.family     = NFPROTO_IPV6,
 		.checkentry = nflog_tg_check,
 		.destroy    = nflog_tg_destroy,
 		.target     = nflog_tg,
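Review bot: the context of this `nflog_tg_reg[]` entry stops at `.target = nflog_tg`, so it does not show whether the IPv6 entry sets `.me = THIS_MODULE`; the xt_TRACE.c hunk of this same patch fixes exactly that omission on its own entry, so please confirm the field is present here as well. The entries in this array appear to differ only in `.family`, and a stray `NFPROTO_IPV4` like the one corrected here is easy to miss in a copied initializer; generating the per-family entries from one macro, or refusing a repeated name/revision/family triple when the array is registered, would make this slip fail loudly instead of surfacing as ip6tables failing to restore a ruleset.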
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index f3fa4f11348c..a642ff09fc8e 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -49,6 +49,7 @@  static struct xt_target trace_tg_reg[] __read_mostly = {
 		.target		= trace_tg,
 		.checkentry	= trace_tg_check,
 		.destroy	= trace_tg_destroy,
+		.me		= THIS_MODULE,
 	},
 #endif
 };
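Review bot: the added `.me = THIS_MODULE` is not a typo fix, yet the subject line only says "fix typo" and the commit message covers it in one bullet as "missing module autoload". This hunk touches the entry closed by the `#endif`, so only the conditionally compiled registration was missing its owner; a sentence in the commit message stating what the absent `.me` broke for that entry would help anyone backporting the Fixes: target to judge whether this hunk can be taken independently of the two `.family` changes.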
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index f76fe04fc9a4..65b965ca40ea 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -62,7 +62,7 @@  static struct xt_target mark_tg_reg[] __read_mostly = {
 	{
 		.name           = "MARK",
 		.revision       = 2,
-		.family         = NFPROTO_IPV4,
+		.family         = NFPROTO_IPV6,
 		.target         = mark_tg,
 		.targetsize     = sizeof(struct xt_mark_tginfo2),
 		.me             = THIS_MODULE,
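Review bot: nothing in this patch guards the corrected `.family = NFPROTO_IPV6` on the `MARK` revision 2 entry against regressing again, and the checks table records "No net selftest shell script". Since the commit message says several users hit ip6tables failing to restore a ruleset, a small selftest that restores an IPv6 ruleset using the MARK, NFLOG and TRACE targets would cover all three files touched here. Minor: the commit message writes "mark" while the entry changed is the `MARK` target in `mark_tg_reg[]`; using the target name would avoid confusion.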