
netfilter: xtables: fix typo causing some targets to not load on IPv6

Message ID 20241018-xtables-typos-v1-1-02a51789c0ec@0upti.me (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 5 this patch: 5
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 8 of 8 maintainers
netdev/build_clang success Errors and warnings before: 3 this patch: 3
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes fail Problems with Fixes tag: 1
netdev/build_allmodconfig_warn success Errors and warnings before: 4 this patch: 4
netdev/checkpatch warning WARNING: Unknown commit id '4cdc55ec6222', maybe rebased or not pulled?
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-10-19--00-00 (tests: 777)

Commit Message

Ilya Katsnelson Oct. 18, 2024, 3:45 p.m. UTC
These were added with the wrong family in 4cdc55e, which seems
to just have been a typo, but now ip6tables rules with --set-mark
don't work anymore, which is pretty bad.

Fixes: 4cdc55ec6222 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
Signed-off-by: Ilya Katsnelson <me@0upti.me>
---
 net/netfilter/xt_NFLOG.c | 2 +-
 net/netfilter/xt_mark.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)


---
base-commit: 75aa74d52f43e75d0beb20572f98529071b700e5
change-id: 20241018-xtables-typos-dfeadb8b122d

Best regards,

Comments

Phil Sutter Oct. 18, 2024, 4:14 p.m. UTC | #1
On Fri, Oct 18, 2024 at 06:45:00PM +0300, Ilya Katsnelson wrote:
> These were added with the wrong family in 4cdc55e, which seems
> to just have been a typo, but now ip6tables rules with --set-mark
> don't work anymore, which is pretty bad.
> 
> Fixes: 4cdc55ec6222 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")

On my system, the commit is 0bfcb7b71e735560077a42847f69597ec7dcc326. Is
that correct?

> Signed-off-by: Ilya Katsnelson <me@0upti.me>

Reviewed-by: Phil Sutter <phil@nwl.cc>
Matthieu Baerts Oct. 23, 2024, 9:56 a.m. UTC | #2
Hi Ilya,

On 18/10/2024 17:45, Ilya Katsnelson wrote:
> These were added with the wrong family in 4cdc55e, which seems
> to just have been a typo, but now ip6tables rules with --set-mark
> don't work anymore, which is pretty bad.

Funny, with this patch, now the v4 version doesn't work any more, which
is pretty bad as well ;-)

More seriously, it looks like your patch broke MPTCP selftests:


https://netdev-3.bots.linux.dev/vmksft-mptcp-dbg/results/826643/1-mptcp-join-sh/stdout

Two tests are now failing, because they can no longer add a mark:

> # iptables -t mangle -A OUTPUT -j MARK --set-mark 1
> Warning: Extension MARK revision 0 not supported, missing kernel module?
> iptables v1.8.10 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain OUTPUT

Please see below:

> diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
> index d80abd6ccaf8f71fa70605fef7edada827a19ceb..6dcf4bc7e30b2ae364a1cd9ac8df954a90905c52 100644
> --- a/net/netfilter/xt_NFLOG.c
> +++ b/net/netfilter/xt_NFLOG.c
> @@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = {
>  	{
>  		.name       = "NFLOG",
>  		.revision   = 0,
> -		.family     = NFPROTO_IPV4,
> +		.family     = NFPROTO_IPV6,

Here, by setting the family to v6 instead of v4, we now have two targets
that are exactly the same, both for v6:

>   67   │ static struct xt_target nflog_tg_reg[] __read_mostly = {
>   68   │     {
>   69   │         .name       = "NFLOG",
>   70   │         .revision   = 0,
>   71   │         .family     = NFPROTO_IPV6,  /* <== The line you modified */
>   72   │         .checkentry = nflog_tg_check,
>   73   │         .destroy    = nflog_tg_destroy,
>   74   │         .target     = nflog_tg,
>   75   │         .targetsize = sizeof(struct xt_nflog_info),
>   76   │         .me         = THIS_MODULE,
>   77   │     },
>   78   │ #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
>   79   │     {
>   80   │         .name       = "NFLOG",
>   81   │         .revision   = 0,
>   82   │         .family     = NFPROTO_IPV6,  /* <== v6 was already there */
>   83   │         .checkentry = nflog_tg_check,
>   84   │         .destroy    = nflog_tg_destroy,
>   85   │         .target     = nflog_tg,
>   86   │         .targetsize = sizeof(struct xt_nflog_info),
>   87   │         .me         = THIS_MODULE,
>   88   │     },
>   89   │ #endif
>   90   │ };

Are you sure you didn't have the bug you mentioned because your kernel
config doesn't have CONFIG_IP6_NF_IPTABLES?

>  		.checkentry = nflog_tg_check,
>  		.destroy    = nflog_tg_destroy,
>  		.target     = nflog_tg,
> diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
> index f76fe04fc9a4e19f18ac323349ba6f22a00eafd7..65b965ca40ea7ea5d9feff381b433bf267a424c4 100644
> --- a/net/netfilter/xt_mark.c
> +++ b/net/netfilter/xt_mark.c
> @@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
>  	{
>  		.name           = "MARK",
>  		.revision       = 2,
> -		.family         = NFPROTO_IPV4,
> +		.family         = NFPROTO_IPV6,

Same here.

So I think this patch is not needed, right?

>  		.target         = mark_tg,
>  		.targetsize     = sizeof(struct xt_mark_tginfo2),
>  		.me             = THIS_MODULE,
> 
> ---
> base-commit: 75aa74d52f43e75d0beb20572f98529071b700e5
> change-id: 20241018-xtables-typos-dfeadb8b122d
> 
> Best regards,

Cheers,
Matt
Matthieu Baerts Oct. 23, 2024, 2:01 p.m. UTC | #3
Hi Ilya,

(+ add people/ML back in cc)

On 23/10/2024 14:11, Ilya K wrote:
>> Hi Ilya,
>>
>> On 18/10/2024 17:45, Ilya Katsnelson wrote:
>>> These were added with the wrong family in 4cdc55e, which seems
>>> to just have been a typo, but now ip6tables rules with --set-mark
>>> don't work anymore, which is pretty bad.
>>
>> Funny, with this patch, now the v4 version doesn't work any more, which
>> is pretty bad as well ;-)
>>
>> More seriously, it looks like your patch broke MPTCP selftests:
>>
>>
>> https://netdev-3.bots.linux.dev/vmksft-mptcp-dbg/results/826643/1-mptcp-join-sh/stdout
>>
>> Two tests are now failing, because they can no longer add a mark:
>>
>>> # iptables -t mangle -A OUTPUT -j MARK --set-mark 1
>>> Warning: Extension MARK revision 0 not supported, missing kernel module?
>>> iptables v1.8.10 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
>>
>> Please see below:
>>
>>> diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
>>> index d80abd6ccaf8f71fa70605fef7edada827a19ceb..6dcf4bc7e30b2ae364a1cd9ac8df954a90905c52 100644
>>> --- a/net/netfilter/xt_NFLOG.c
>>> +++ b/net/netfilter/xt_NFLOG.c
>>> @@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = {
>>>  	{
>>>  		.name       = "NFLOG",
>>>  		.revision   = 0,
>>> -		.family     = NFPROTO_IPV4,
>>> +		.family     = NFPROTO_IPV6,
>>
>> Here, by setting the family to v6 instead of v4, we now have two targets
>> that are exactly the same, both for v6:
>>
>>>   67   │ static struct xt_target nflog_tg_reg[] __read_mostly = {
>>>   68   │     {
>>>   69   │         .name       = "NFLOG",
>>>   70   │         .revision   = 0,
>>>   71   │         .family     = NFPROTO_IPV6,  /* <== The line you modified */
>>>   72   │         .checkentry = nflog_tg_check,
>>>   73   │         .destroy    = nflog_tg_destroy,
>>>   74   │         .target     = nflog_tg,
>>>   75   │         .targetsize = sizeof(struct xt_nflog_info),
>>>   76   │         .me         = THIS_MODULE,
>>>   77   │     },
>>>   78   │ #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
>>>   79   │     {
>>>   80   │         .name       = "NFLOG",
>>>   81   │         .revision   = 0,
>>>   82   │         .family     = NFPROTO_IPV6,  /* <== v6 was already there */
>>>   83   │         .checkentry = nflog_tg_check,
>>>   84   │         .destroy    = nflog_tg_destroy,
>>>   85   │         .target     = nflog_tg,
>>>   86   │         .targetsize = sizeof(struct xt_nflog_info),
>>>   87   │         .me         = THIS_MODULE,
>>>   88   │     },
>>>   89   │ #endif
>>>   90   │ };
>>
>> Are you sure you didn't have the bug you mentioned because your kernel
>> config doesn't have CONFIG_IP6_NF_IPTABLES?
>>
>>>  		.checkentry = nflog_tg_check,
>>>  		.destroy    = nflog_tg_destroy,
>>>  		.target     = nflog_tg,
>>> diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
>>> index f76fe04fc9a4e19f18ac323349ba6f22a00eafd7..65b965ca40ea7ea5d9feff381b433bf267a424c4 100644
>>> --- a/net/netfilter/xt_mark.c
>>> +++ b/net/netfilter/xt_mark.c
>>> @@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
>>>  	{
>>>  		.name           = "MARK",
>>>  		.revision       = 2,
>>> -		.family         = NFPROTO_IPV4,
>>> +		.family         = NFPROTO_IPV6,
>>
>> Same here.
>>
>> So I think this patch is not needed, right?
>>
>>>  		.target         = mark_tg,
>>>  		.targetsize     = sizeof(struct xt_mark_tginfo2),
>>>  		.me             = THIS_MODULE,
>>>
>>> ---
>>> base-commit: 75aa74d52f43e75d0beb20572f98529071b700e5
>>> change-id: 20241018-xtables-typos-dfeadb8b122d
>>>
>>> Best regards,
>>
>> Cheers,
>> Matt
> 
> The patch never got merged, but Pablo's very similar patch did. Are you
> by any chance applying my changes on top of a tree that also contains
> his?

Thank you for this reply!

Oh, sorry, I see the issue now, just an unlucky situation:

- On one hand, and probably because the issue was visible on stable too,
Pablo sent a new version changing the author and the title ("not to
load" vs "to not load") [1]. Because of that, the bot didn't mark the
previous version as superseded.

- On the other hand, the CI tried to apply all the pending patches,
including this patch here: when git tried to apply this patch, it
managed to find the exact same context a bit before, and then modified
the wrong line [2].

The two combined resulted in the CI trying to validate a buggy patch not
doing what it was intended to do.

From what I understood, Paolo is changing the status of [1] and even [3]
on Patchwork, and soon the CI will stop using the wrong patch.

[1]
https://patchwork.kernel.org/project/netdevbpf/patch/20241021094536.81487-3-pablo@netfilter.org/
[2]
https://github.com/linux-netdev/testing/commit/096e5d7e7d38271b6353ecd197e8ec00a01dbfd3
[3]
https://patchwork.kernel.org/project/netdevbpf/patch/20241018162517.39154-1-ignat@cloudflare.com/

Cheers,
Matt
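Added illustration of the misapplication Matt describes in #3 (example code, not from the thread or the kernel tree): a toy hunk applier that models git's offset search, run over a constructed stand-in for nflog_tg_reg[] in which the IPv6 stanza was already fixed. The hunk shaped like the submitted one carries only context that both stanzas share, so it lands on the IPv4 stanza; a hunk that also carries the #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) line as context matches nowhere and is rejected.

```python
# Constructed stand-in for nflog_tg_reg[] after the IPv6 stanza was already fixed.
TREE = """\
static struct xt_target nflog_tg_reg[] __read_mostly = {
    {
        .name       = "NFLOG",
        .revision   = 0,
        .family     = NFPROTO_IPV4,
        .checkentry = nflog_tg_check,
    },
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
    {
        .name       = "NFLOG",
        .revision   = 0,
        .family     = NFPROTO_IPV6,
        .checkentry = nflog_tg_check,
    },
#endif
};
"""

# Hunk shaped like the submitted one: line 9 is the IPv6 stanza, but the three
# leading context lines are identical to the IPv4 stanza's (constructed).
HUNK_NARROW = """\
@@ -9,5 +9,5 @@
     {
         .name       = "NFLOG",
         .revision   = 0,
-        .family     = NFPROTO_IPV4,
+        .family     = NFPROTO_IPV6,
         .checkentry = nflog_tg_check,
"""

# Same change with the #if line as extra context; only the IPv6 stanza matches.
HUNK_WIDE = "@@ -8,6 +8,6 @@\n #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)\n" + HUNK_NARROW.split("\n", 1)[1]

def apply_hunk(text, hunk):
    """Return (patched_text, line_applied_at) or (None, None). As with git
    apply, the hunk may land at any offset from its header line provided every
    context and '-' line matches exactly; the nearest offset wins."""
    header, *body = hunk.splitlines()
    start = int(header.split()[1].split(",")[0].lstrip("-"))
    old = [l[1:] for l in body if l[0] in " -"]   # lines that must be present
    new = [l[1:] for l in body if l[0] in " +"]   # lines that replace them
    lines = text.splitlines()
    for off in range(len(lines)):
        for pos in (start - 1 - off, start - 1 + off):
            if 0 <= pos <= len(lines) - len(old) and lines[pos:pos + len(old)] == old:
                return "\n".join(lines[:pos] + new + lines[pos + len(old):]) + "\n", pos + 1
    return None, None
```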

Patch

diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index d80abd6ccaf8f71fa70605fef7edada827a19ceb..6dcf4bc7e30b2ae364a1cd9ac8df954a90905c52 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -79,7 +79,7 @@  static struct xt_target nflog_tg_reg[] __read_mostly = {
 	{
 		.name       = "NFLOG",
 		.revision   = 0,
-		.family     = NFPROTO_IPV4,
+		.family     = NFPROTO_IPV6,
 		.checkentry = nflog_tg_check,
 		.destroy    = nflog_tg_destroy,
 		.target     = nflog_tg,
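Review bot: the three leading context lines of this hunk ("{", ".name = "NFLOG"", ".revision = 0") are identical for the IPv4 entry and for the IPv6 entry under #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) that follows it (see the listing quoted in #2), so only the -79 line number ties the change to the IPv6 entry. On a tree where that entry already reads NFPROTO_IPV6, git finds the same context in the IPv4 entry and flips it instead, which is how the CI ended up with two IPv6 NFLOG targets and no IPv4 one. Regenerate the hunk with enough context to include the #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) line (for example git format-patch -U5) so it can only match the intended entry, or rebase onto a tree that already carries the earlier fix and drop the patch.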
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index f76fe04fc9a4e19f18ac323349ba6f22a00eafd7..65b965ca40ea7ea5d9feff381b433bf267a424c4 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -62,7 +62,7 @@  static struct xt_target mark_tg_reg[] __read_mostly = {
 	{
 		.name           = "MARK",
 		.revision       = 2,
-		.family         = NFPROTO_IPV4,
+		.family         = NFPROTO_IPV6,
 		.target         = mark_tg,
 		.targetsize     = sizeof(struct xt_mark_tginfo2),
 		.me             = THIS_MODULE,
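Review bot: same context ambiguity as the xt_NFLOG.c hunk: "{", ".name = "MARK"" and ".revision = 2" precede both the IPv4 and the IPv6 MARK entries, so once the IPv6 entry already carries NFPROTO_IPV6 this hunk applies to the IPv4 entry, and "iptables -t mangle -A OUTPUT -j MARK --set-mark 1" then fails with "Extension MARK revision 0 not supported" as in the selftest output quoted in #2. Widen the context so the hunk can only match the IPv6 entry, and while respinning fix the Fixes: tag: the checks flag 4cdc55ec6222 as an unknown commit id, and #1 reports the commit as 0bfcb7b71e735560077a42847f69597ec7dcc326.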