Bug#994273: More info

2021-10-07 Thread Harry STARR
> The bug that I believe is responsible is in this if-block:
>
>   https://git.netfilter.org/nftables/tree/src/rule.c#n372
>
> When listing a set, nft will set the `stateless` flag in order to
> suppress the state of any counters it defines.  However, it doesn't keep
> track of whether the flag was already set and clears it unconditionally
> afterwards.  It has not yet been fixed upstream.
>
> The buggy commit was released in 0.9.4, which is why you saw it after
> upgrading from buster (0.9.0-2) to bullseye (0.9.8-3.1).

Excellent work, J.

> Here's the fix I've sent upstream:
>
>   https://lore.kernel.org/netfilter-devel/20211007201222.2613750-3-jer...@azazel.net/T/#u
>
> I'm not that familiar with Arch or Gentoo, but from what I can see
> looking through their package repos and bug-trackers, they don't seem
> to be carrying patches for this.

Looking forward to seeing this in a bullseye update...



Bug#994273: More info

2021-10-07 Thread Harry STARR
> I'll send a patch upstream.
>
> J.

I have noticed that on Gentoo and Arch this seems to be resolved.
They are using a version > 1.0.x

Maybe already fixed upstream...

H.



Bug#994273: Follow-up example

2021-10-06 Thread Harry STARR
Here is my-nftables (used to instantiate the ruleset):
nft -f my-nftables

>>> my-nftables
flush ruleset
table ip filter {
    set bad_guys {
        type ipv4_addr
        size 65535
        timeout 31m
        counter
        elements = { 192.168.0.101, 192.168.0.102,
                     192.168.0.172 }
    }

    set black {
        type ipv4_addr
        size 65535
        flags interval
        counter
        elements = { 1.2.3.4, 5.6.7.0/24 }
    }

    set dns_black {
        type ipv4_addr
        size 65535
        timeout 1d
        counter
        elements = { 192.168.0.100 }
    }

    chain INPUT {
        type filter hook input priority filter; policy drop;
        ip saddr @bad_guys counter drop
        ct state invalid counter drop
        ct state established,related counter accept
        iifname "lo" counter accept
        ip saddr @black counter drop
        ip saddr 192.168.0.0/16 counter accept
        iifname "ge0" udp sport 67-68 udp dport 67-68 counter accept
        udp dport 53 ip saddr @dns_black counter drop
        tcp dport 53 ip saddr @dns_black counter drop
        udp dport 53 counter accept
        tcp dport 53 counter accept
        fib daddr type multicast counter drop
        add @bad_guys { ip saddr } log level debug counter drop
    }

    chain FORWARD {
        type filter hook forward priority filter; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}
<<<

Here is the nft list ruleset output:
>>>
root@y6:~ # nft list ruleset
table ip filter {
    set bad_guys {
        type ipv4_addr
        size 65535
        counter
        timeout 31m
    }

    set black {
        type ipv4_addr
        size 65535
        flags interval
        counter
        elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 counter packets 0 bytes 0 }
    }

    set dns_black {
        type ipv4_addr
        size 65535
        counter
        timeout 1d
        elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h59m40s260ms }
    }

    chain INPUT {
        type filter hook input priority filter; policy drop;
        ip saddr @bad_guys counter packets 0 bytes 0 drop
        ct state invalid counter packets 22 bytes 3204 drop
        ct state established,related counter packets 298 bytes 23763 accept
        iifname "lo" counter packets 0 bytes 0 accept
        ip saddr @black counter packets 0 bytes 0 drop
        ip saddr 192.168.0.0/16 counter packets 69 bytes 6558 accept
        iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 8 bytes 2696 accept
        udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
        tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
        udp dport 53 counter packets 0 bytes 0 accept
        tcp dport 53 counter packets 0 bytes 0 accept
        fib daddr type multicast counter packets 0 bytes 0 drop
        add @bad_guys { ip saddr } log level debug counter packets 0 bytes 0 drop
    }

    chain FORWARD {
        type filter hook forward priority filter; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}
<<<

And here is the nft -s list ruleset output:
>>>
root@y6:~ # nft -s list ruleset
table ip filter {
    set bad_guys {
        type ipv4_addr
        size 65535
        counter
        timeout 31m
    }

    set black {
        type ipv4_addr
        size 65535
        flags interval
        counter
        elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 counter packets 0 bytes 0 }
    }

    set dns_black {
        type ipv4_addr
        size 65535
        counter
        timeout 1d
        elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h58m48s84ms }
    }

    chain INPUT {
        type filter hook input priority filter; policy drop;
        ip saddr @bad_guys counter packets 0 bytes 0 drop
        ct state invalid counter packets 22 bytes 3204 drop
        ct state established,related counter packets 351 bytes 28667 accept
        iifname "lo" counter packets 0 bytes 0 accept
        ip saddr @black counter packets 0 bytes 0 drop
        ip saddr 192.168.0.0/16 
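As an added check, not part of the bug thread or of the nftables project: the script below tells whether a ruleset dump still carries the counter values and element expiry timers that `nft -s` is supposed to omit, and strips that state so the dump can be diffed or reloaded with `nft -f` on a 0.9.8 system where `-s` is ineffective after a set with a counter has been listed. The sample dump is constructed from the `nft -s list ruleset` output quoted in this message; `nft_s_is_affected` assumes `nft` is on PATH and that the caller is allowed to list the ruleset.

```shell
#!/bin/sh
# Added example, not from the Debian bug thread. Checks an nft ruleset dump
# for the stateful fields `nft -s` should omit and strips them as a
# workaround on versions where -s is ineffective after listing a set.

# Constructed sample modelled on the `nft -s list ruleset` output in the
# report: a set with a counter, followed by rules whose counters still
# show packet and byte values.
SAMPLE='table ip filter {
    set dns_black {
        type ipv4_addr
        size 65535
        counter
        timeout 1d
        elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h59m40s260ms }
    }

    chain INPUT {
        type filter hook input priority filter; policy drop;
        ct state invalid counter packets 22 bytes 3204 drop
        iifname "lo" counter packets 0 bytes 0 accept
    }
}'

# Print 1 if the dump passed as $1 still carries counter values or element
# expiry timers, 0 if it is stateless.
nft_dump_has_state() {
    if printf '%s\n' "$1" |
        grep -Eq 'counter packets [0-9]+ bytes [0-9]+| expires [0-9]+[0-9a-z]*'; then
        echo 1
    else
        echo 0
    fi
}

# Remove counter values and expiry timers from the dump in $1, leaving the
# bare `counter` keyword so the result is still valid `nft -f` input.
nft_strip_state() {
    printf '%s\n' "$1" | sed -E \
        -e 's/counter packets [0-9]+ bytes [0-9]+/counter/g' \
        -e 's/ expires [0-9]+[0-9a-z]*//g'
}

# Live check for the installed nft (assumption: `nft` is on PATH and the
# caller may list the ruleset). Prints 1 when -s output still has state.
nft_s_is_affected() {
    nft_dump_has_state "$(nft -s list ruleset)"
}

# Stand-alone run: show the sample before and after stripping.
echo "sample has state: $(nft_dump_has_state "$SAMPLE")"
nft_strip_state "$SAMPLE"
```

Only counter values and element expiry are handled, because those are the stateful fields present in the dumps above; a ruleset using other stateful objects (quotas, for instance) would need further patterns, and on a fixed nft `nft -s` makes the stripping step unnecessary.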

Bug#994273: nftables: nft -s does NOT suppress stateful output

2021-09-14 Thread Harry STARR
Package: nftables
Version: 0.9.8-3.1
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
     Upgrade to bullseye
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
     nft -s list ruleset
   * What was the outcome of this action?
     Same output as
     nft list ruleset
   * What outcome did you expect instead?
     e.g. on counters clause, suppression of packets, bytes content

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/2 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  dpkg  1.20.9
ii  libc6 2.31-13
ii  libedit2  3.1-20191231-2+b1
ii  libnftables1  0.9.8-3.1

nftables recommends no packages.

Versions of packages nftables suggests:
pn  firewalld  

-- no debconf information