Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-11 Thread Salvatore Bonaccorso
Hi,

On Mon, Sep 11, 2023 at 10:52:12PM +0200, Salvatore Bonaccorso wrote:
> Hi Timo,
> 
> On Mon, Sep 11, 2023 at 10:31:56PM +0200, Timo Sigurdsson wrote:
> > Hi Salvatore,
> > 
> > Salvatore Bonaccorso wrote on 11.09.2023 22:20 (GMT +02:00):
> > 
> > > Bisected the issue:
> > > 
> > > $ git bisect log
> > > git bisect start
> > > # status: waiting for both good and bad commits
> > > # good: [61fd484b2cf6bc8022e8e5ea6f693a9991740ac2] Linux 6.1.38
> > > git bisect good 61fd484b2cf6bc8022e8e5ea6f693a9991740ac2
> > > # status: waiting for bad commit, 1 good commit known
> > > # bad: [1321ab403b38366a4cfb283145bb2c005becb1e5] Linux 6.1.45
> > > git bisect bad 1321ab403b38366a4cfb283145bb2c005becb1e5
> > > # good: [95d49f79e94d4fa8105c880a266789609f3e791a] ext4: only update i_reserved_data_blocks on successful block allocation
> > > git bisect good 95d49f79e94d4fa8105c880a266789609f3e791a
> > > # good: [f8b61a2c29fc70f64daad698cf09c1f79a0e39f9] drm/amd/display: Set minimum requirement for using PSR-SU on Rembrandt
> > > git bisect good f8b61a2c29fc70f64daad698cf09c1f79a0e39f9
> > > # bad: [bd2decac7345134ea0bd3f4b978478ef53367cd8] mptcp: ensure subflow is unhashed before cleaning the backlog
> > > git bisect bad bd2decac7345134ea0bd3f4b978478ef53367cd8
> > > # bad: [fe3409cd013cfd10d3e6787b49f33a5dda39cffd] RDMA/irdma: Fix op_type reporting in CQEs
> > > git bisect bad fe3409cd013cfd10d3e6787b49f33a5dda39cffd
> > > # good: [85c38ac62c1372cc1ab05426315aad61025d33ef] atheros: fix return value check in atl1_tso()
> > > git bisect good 85c38ac62c1372cc1ab05426315aad61025d33ef
> > > # bad: [539cf23cb48835c69cc3d22edff28b92bd82bb18] tipc: stop tipc crypto on failure in tipc_node_create
> > > git bisect bad 539cf23cb48835c69cc3d22edff28b92bd82bb18
> > > # good: [1ecdbf2467ae4bc4df00c5cfab427cb1aaa5e3e1] x86/traps: Fix load_unaligned_zeropad() handling for shared TDX memory
> > > git bisect good 1ecdbf2467ae4bc4df00c5cfab427cb1aaa5e3e1
> > > # bad: [7218974aba07ff60c646d5a512b02b871402b03e] mm: suppress mm fault logging if fatal signal already pending
> > > git bisect bad 7218974aba07ff60c646d5a512b02b871402b03e
> > > # good: [89a4d1a89751a0fbd520e64091873e19cc0979e8] netfilter: nft_set_rbtree: fix overlap expiration walk
> > > git bisect good 89a4d1a89751a0fbd520e64091873e19cc0979e8
> > > # bad: [268cb07ef3ee17b5454a7c4b23376802c5b00c79] netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
> > > git bisect bad 268cb07ef3ee17b5454a7c4b23376802c5b00c79
> > > # good: [4237462a073e24f71c700f3e5929f07b6ee1bcaa] netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
> > > git bisect good 4237462a073e24f71c700f3e5929f07b6ee1bcaa
> > > # first bad commit: [268cb07ef3ee17b5454a7c4b23376802c5b00c79] netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
> > > 
> > > $ git bisect visualize
> > > commit 268cb07ef3ee17b5454a7c4b23376802c5b00c79
> > > Author: Pablo Neira Ayuso 
> > > Date:   Sun Jul 23 16:41:48 2023 +0200
> > > 
> > > netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
> > > 
> > > [ Upstream commit 0ebc1064e4874d5987722a2ddbc18f94aa53b211 ]
> > > 
> > > Bail out with EOPNOTSUPP when adding rule to bound chain via
> > > NFTA_RULE_CHAIN_ID. The following warning splat is shown when
> > > adding a rule to a deleted bound chain:
> > > 
> > >  WARNING: CPU: 2 PID: 13692 at net/netfilter/nf_tables_api.c:2013
> > >  nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
> > >  CPU: 2 PID: 13692 Comm: chain-bound-rul Not tainted 6.1.39 #1
> > >  RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
> > > 
> > > Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
> > > Reported-by: Kevin Rich 
> > > Signed-off-by: Pablo Neira Ayuso 
> > > Signed-off-by: Florian Westphal 
> > > Signed-off-by: Sasha Levin 
> > 
> > Hehe, yes, I was just about to write you the same. My test build
> > with this one reverted lets me load the ruleset again.
> > 
> > Would you like to take this upstream? I was just about to file a
> > report in netfilter's bugzilla, but since you also worked on it as
> > well, I don't mean to interfere...
> > 
> > I'll try to further reduce my test ruleset to see what actually
> > triggers this.
> 
> I'm fine if you report it upstream, as you have the best position for
> making further tests with further stripped down rulesets. But instead of
> bugzilla I think it's best to directly mail Pablo Neira Ayuso, the
> people in the Signed-off-by, additionally the stable list
> (sta...@vger.kernel.org) and the regressions mailing list
> (regressi...@lists.linux.dev, cf.
> https://www.kernel.org/doc/html/latest/process/handling-regressions.html).

get_maintainer.pl additionally gives:

$ ./scripts/get_maintainer.pl 

Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-11 Thread Salvatore Bonaccorso
Hi Timo,

On Mon, Sep 11, 2023 at 10:31:56PM +0200, Timo Sigurdsson wrote:
> Hi Salvatore,
> 
> Salvatore Bonaccorso wrote on 11.09.2023 22:20 (GMT +02:00):
> 
> > Bisected the issue:
> > 
> > $ git bisect log
> > git bisect start
> > # status: waiting for both good and bad commits
> > # good: [61fd484b2cf6bc8022e8e5ea6f693a9991740ac2] Linux 6.1.38
> > git bisect good 61fd484b2cf6bc8022e8e5ea6f693a9991740ac2
> > # status: waiting for bad commit, 1 good commit known
> > # bad: [1321ab403b38366a4cfb283145bb2c005becb1e5] Linux 6.1.45
> > git bisect bad 1321ab403b38366a4cfb283145bb2c005becb1e5
> > # good: [95d49f79e94d4fa8105c880a266789609f3e791a] ext4: only update i_reserved_data_blocks on successful block allocation
> > git bisect good 95d49f79e94d4fa8105c880a266789609f3e791a
> > # good: [f8b61a2c29fc70f64daad698cf09c1f79a0e39f9] drm/amd/display: Set minimum requirement for using PSR-SU on Rembrandt
> > git bisect good f8b61a2c29fc70f64daad698cf09c1f79a0e39f9
> > # bad: [bd2decac7345134ea0bd3f4b978478ef53367cd8] mptcp: ensure subflow is unhashed before cleaning the backlog
> > git bisect bad bd2decac7345134ea0bd3f4b978478ef53367cd8
> > # bad: [fe3409cd013cfd10d3e6787b49f33a5dda39cffd] RDMA/irdma: Fix op_type reporting in CQEs
> > git bisect bad fe3409cd013cfd10d3e6787b49f33a5dda39cffd
> > # good: [85c38ac62c1372cc1ab05426315aad61025d33ef] atheros: fix return value check in atl1_tso()
> > git bisect good 85c38ac62c1372cc1ab05426315aad61025d33ef
> > # bad: [539cf23cb48835c69cc3d22edff28b92bd82bb18] tipc: stop tipc crypto on failure in tipc_node_create
> > git bisect bad 539cf23cb48835c69cc3d22edff28b92bd82bb18
> > # good: [1ecdbf2467ae4bc4df00c5cfab427cb1aaa5e3e1] x86/traps: Fix load_unaligned_zeropad() handling for shared TDX memory
> > git bisect good 1ecdbf2467ae4bc4df00c5cfab427cb1aaa5e3e1
> > # bad: [7218974aba07ff60c646d5a512b02b871402b03e] mm: suppress mm fault logging if fatal signal already pending
> > git bisect bad 7218974aba07ff60c646d5a512b02b871402b03e
> > # good: [89a4d1a89751a0fbd520e64091873e19cc0979e8] netfilter: nft_set_rbtree: fix overlap expiration walk
> > git bisect good 89a4d1a89751a0fbd520e64091873e19cc0979e8
> > # bad: [268cb07ef3ee17b5454a7c4b23376802c5b00c79] netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
> > git bisect bad 268cb07ef3ee17b5454a7c4b23376802c5b00c79
> > # good: [4237462a073e24f71c700f3e5929f07b6ee1bcaa] netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
> > git bisect good 4237462a073e24f71c700f3e5929f07b6ee1bcaa
> > # first bad commit: [268cb07ef3ee17b5454a7c4b23376802c5b00c79] netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
> > 
> > $ git bisect visualize
> > commit 268cb07ef3ee17b5454a7c4b23376802c5b00c79
> > Author: Pablo Neira Ayuso 
> > Date:   Sun Jul 23 16:41:48 2023 +0200
> > 
> > netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
> > 
> > [ Upstream commit 0ebc1064e4874d5987722a2ddbc18f94aa53b211 ]
> > 
> > Bail out with EOPNOTSUPP when adding rule to bound chain via
> > NFTA_RULE_CHAIN_ID. The following warning splat is shown when
> > adding a rule to a deleted bound chain:
> > 
> >  WARNING: CPU: 2 PID: 13692 at net/netfilter/nf_tables_api.c:2013
> >  nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
> >  CPU: 2 PID: 13692 Comm: chain-bound-rul Not tainted 6.1.39 #1
> >  RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
> > 
> > Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
> > Reported-by: Kevin Rich 
> > Signed-off-by: Pablo Neira Ayuso 
> > Signed-off-by: Florian Westphal 
> > Signed-off-by: Sasha Levin 
> 
> Hehe, yes, I was just about to write you the same. My test build
> with this one reverted lets me load the ruleset again.
> 
> Would you like to take this upstream? I was just about to file a
> report in netfilter's bugzilla, but since you also worked on it as
> well, I don't mean to interfere...
> 
> I'll try to further reduce my test ruleset to see what actually
> triggers this.

I'm fine if you report it upstream, as you have the best position for
making further tests with further stripped down rulesets. But instead of
bugzilla I think it's best to directly mail Pablo Neira Ayuso, the
people in the Signed-off-by, additionally the stable list
(sta...@vger.kernel.org) and the regressions mailing list
(regressi...@lists.linux.dev, cf.
https://www.kernel.org/doc/html/latest/process/handling-regressions.html).

It should be noted:

0ebc1064e487 ("netfilter: nf_tables: disallow rule addition to bound
chain via NFTA_RULE_CHAIN_ID") in 6.5-rc4 was backported to several
stable series, namely in 5.10.190, 5.15.124, 6.1.43, 6.4.8.

While I can reproduce the issue in 5.10.191-1 and 6.1.52-1, I cannot
in 6.4.13-1 or 6.5.2-1 (not yet released in Debian).

Possibly for the 

Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-11 Thread Timo Sigurdsson
Hi Salvatore,

Salvatore Bonaccorso wrote on 11.09.2023 22:20 (GMT +02:00):

> Bisected the issue:
> 
> $ git bisect log
> git bisect start
> # status: waiting for both good and bad commits
> # good: [61fd484b2cf6bc8022e8e5ea6f693a9991740ac2] Linux 6.1.38
> git bisect good 61fd484b2cf6bc8022e8e5ea6f693a9991740ac2
> # status: waiting for bad commit, 1 good commit known
> # bad: [1321ab403b38366a4cfb283145bb2c005becb1e5] Linux 6.1.45
> git bisect bad 1321ab403b38366a4cfb283145bb2c005becb1e5
> # good: [95d49f79e94d4fa8105c880a266789609f3e791a] ext4: only update i_reserved_data_blocks on successful block allocation
> git bisect good 95d49f79e94d4fa8105c880a266789609f3e791a
> # good: [f8b61a2c29fc70f64daad698cf09c1f79a0e39f9] drm/amd/display: Set minimum requirement for using PSR-SU on Rembrandt
> git bisect good f8b61a2c29fc70f64daad698cf09c1f79a0e39f9
> # bad: [bd2decac7345134ea0bd3f4b978478ef53367cd8] mptcp: ensure subflow is unhashed before cleaning the backlog
> git bisect bad bd2decac7345134ea0bd3f4b978478ef53367cd8
> # bad: [fe3409cd013cfd10d3e6787b49f33a5dda39cffd] RDMA/irdma: Fix op_type reporting in CQEs
> git bisect bad fe3409cd013cfd10d3e6787b49f33a5dda39cffd
> # good: [85c38ac62c1372cc1ab05426315aad61025d33ef] atheros: fix return value check in atl1_tso()
> git bisect good 85c38ac62c1372cc1ab05426315aad61025d33ef
> # bad: [539cf23cb48835c69cc3d22edff28b92bd82bb18] tipc: stop tipc crypto on failure in tipc_node_create
> git bisect bad 539cf23cb48835c69cc3d22edff28b92bd82bb18
> # good: [1ecdbf2467ae4bc4df00c5cfab427cb1aaa5e3e1] x86/traps: Fix load_unaligned_zeropad() handling for shared TDX memory
> git bisect good 1ecdbf2467ae4bc4df00c5cfab427cb1aaa5e3e1
> # bad: [7218974aba07ff60c646d5a512b02b871402b03e] mm: suppress mm fault logging if fatal signal already pending
> git bisect bad 7218974aba07ff60c646d5a512b02b871402b03e
> # good: [89a4d1a89751a0fbd520e64091873e19cc0979e8] netfilter: nft_set_rbtree: fix overlap expiration walk
> git bisect good 89a4d1a89751a0fbd520e64091873e19cc0979e8
> # bad: [268cb07ef3ee17b5454a7c4b23376802c5b00c79] netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
> git bisect bad 268cb07ef3ee17b5454a7c4b23376802c5b00c79
> # good: [4237462a073e24f71c700f3e5929f07b6ee1bcaa] netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
> git bisect good 4237462a073e24f71c700f3e5929f07b6ee1bcaa
> # first bad commit: [268cb07ef3ee17b5454a7c4b23376802c5b00c79] netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
> 
> $ git bisect visualize
> commit 268cb07ef3ee17b5454a7c4b23376802c5b00c79
> Author: Pablo Neira Ayuso 
> Date:   Sun Jul 23 16:41:48 2023 +0200
> 
> netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
> 
> [ Upstream commit 0ebc1064e4874d5987722a2ddbc18f94aa53b211 ]
> 
> Bail out with EOPNOTSUPP when adding rule to bound chain via
> NFTA_RULE_CHAIN_ID. The following warning splat is shown when
> adding a rule to a deleted bound chain:
> 
>  WARNING: CPU: 2 PID: 13692 at net/netfilter/nf_tables_api.c:2013
>  nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
>  CPU: 2 PID: 13692 Comm: chain-bound-rul Not tainted 6.1.39 #1
>  RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
> 
> Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
> Reported-by: Kevin Rich 
> Signed-off-by: Pablo Neira Ayuso 
> Signed-off-by: Florian Westphal 
> Signed-off-by: Sasha Levin 

Hehe, yes, I was just about to write you the same. My test build with this one 
reverted lets me load the ruleset again.

Would you like to take this upstream? I was just about to file a report in 
netfilter's bugzilla, but since you also worked on it as well, I don't mean to 
interfere...

I'll try to further reduce my test ruleset to see what actually triggers this.

Thanks and regards,

Timo



Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-11 Thread Salvatore Bonaccorso
Hi,

On Mon, Sep 11, 2023 at 04:28:34PM +0200, Salvatore Bonaccorso wrote:
> Control: found -1 5.10.191-1
> 
> On Mon, Sep 11, 2023 at 04:17:46PM +0200, Salvatore Bonaccorso wrote:
> > Control: tags -1 + confirmed upstream
> > 
> > Hi,
> > 
> > On Mon, Sep 11, 2023 at 04:08:07PM +0200, Salvatore Bonaccorso wrote:
> > > Control: tags -1 - moreinfo unreproducible
> > > 
> > > Hi Timo,
> > > 
> > > On Mon, Sep 11, 2023 at 03:15:18AM +0200, Timo Sigurdsson wrote:
> > > > Hi,
> > > > 
> > > > Salvatore Bonaccorso wrote on 10.09.2023 12:21 (GMT +02:00):
> > > > 
> > > > > Would it be possible to provide a minimal set of rules triggering the
> > > > > issue? Can you reproduce the issue with the official build?
> > > > 
> > > > So, I did some more testing on a different machine running the official 
> > > > build. My findings so far are:
> > > > 1) Yes, I can reproduce the issue with the official build.
> > > > 2) The issue depends on the ruleset. The minimal ruleset I have on that 
> > > > machine doesn't trigger the issue, but when I copy over the ruleset
> > > > from the machine I first observed this on, then I can reproduce it.
> > > > 
> > > > I'm attaching a somewhat stripped down version of my original, rather 
> > > > complex ruleset. It's by no means a "minimal" reproducer, cause I 
> > > > haven't had the time yet to further reduce it in order to see what 
> > > > actually triggers it. But you should be able to observe that this 
> > > > ruleset loads just fine on linux 6.1.38-4, but doesn't anymore on 
> > > > 6.1.52-1.
> > > 
> > > Thanks for providing it, this helps debugging the issue.
> > > 
> > > > I also started looking into what commit could have introduced this. My 
> > > > first guess "netfilter: nft_dynset: disallow object maps" 
> > > > (23185c6aed1f) is wrong. Even with this one reverted, the issue occurs. 
> > > > I'll try another build with "netfilter: nf_tables: disallow rule 
> > > > addition to bound chain via NFTA_RULE_CHAIN_ID" (0ebc1064e487) reverted 
> > > > tomorrow evening...
> > > 
> > > Thanks, as soon as we have the introducing commit we can go to the next
> > > step and check upstream. I cannot trigger the problem with 6.4.13-1 or
> > > 6.5.2.
> > 
> > The issue seems to be present already in 6.1.49-rc1, which I had still
> > from local preparations for the rebases. So the bisection needs to go
> > to the upstream versions between 6.1.38 and 6.1.49 at least.
> 
> Additionally the behaviour change is present in 5.10.191-1 (and
> 5.10.193 upstream) as well, whereas it does not trigger in 5.10.179.
> 
> So to be on the safe side, making the following statement: either this
> is a real regression affecting several stable series or there is an
> intentional upstream change uncovering an issue in the ruleset. As the
> behaviour is not in 6.5.2, for now I'm considering it the first case.

Bisected the issue:

$ git bisect log
git bisect start
# status: waiting for both good and bad commits
# good: [61fd484b2cf6bc8022e8e5ea6f693a9991740ac2] Linux 6.1.38
git bisect good 61fd484b2cf6bc8022e8e5ea6f693a9991740ac2
# status: waiting for bad commit, 1 good commit known
# bad: [1321ab403b38366a4cfb283145bb2c005becb1e5] Linux 6.1.45
git bisect bad 1321ab403b38366a4cfb283145bb2c005becb1e5
# good: [95d49f79e94d4fa8105c880a266789609f3e791a] ext4: only update i_reserved_data_blocks on successful block allocation
git bisect good 95d49f79e94d4fa8105c880a266789609f3e791a
# good: [f8b61a2c29fc70f64daad698cf09c1f79a0e39f9] drm/amd/display: Set minimum requirement for using PSR-SU on Rembrandt
git bisect good f8b61a2c29fc70f64daad698cf09c1f79a0e39f9
# bad: [bd2decac7345134ea0bd3f4b978478ef53367cd8] mptcp: ensure subflow is unhashed before cleaning the backlog
git bisect bad bd2decac7345134ea0bd3f4b978478ef53367cd8
# bad: [fe3409cd013cfd10d3e6787b49f33a5dda39cffd] RDMA/irdma: Fix op_type reporting in CQEs
git bisect bad fe3409cd013cfd10d3e6787b49f33a5dda39cffd
# good: [85c38ac62c1372cc1ab05426315aad61025d33ef] atheros: fix return value check in atl1_tso()
git bisect good 85c38ac62c1372cc1ab05426315aad61025d33ef
# bad: [539cf23cb48835c69cc3d22edff28b92bd82bb18] tipc: stop tipc crypto on failure in tipc_node_create
git bisect bad 539cf23cb48835c69cc3d22edff28b92bd82bb18
# good: [1ecdbf2467ae4bc4df00c5cfab427cb1aaa5e3e1] x86/traps: Fix load_unaligned_zeropad() handling for shared TDX memory
git bisect good 1ecdbf2467ae4bc4df00c5cfab427cb1aaa5e3e1
# bad: [7218974aba07ff60c646d5a512b02b871402b03e] mm: suppress mm fault logging if fatal signal already pending
git bisect bad 7218974aba07ff60c646d5a512b02b871402b03e
# good: [89a4d1a89751a0fbd520e64091873e19cc0979e8] netfilter: nft_set_rbtree: fix overlap expiration walk
git bisect good 89a4d1a89751a0fbd520e64091873e19cc0979e8
# bad: [268cb07ef3ee17b5454a7c4b23376802c5b00c79] netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
git bisect bad 268cb07ef3ee17b5454a7c4b23376802c5b00c79
# good: [4237462a073e24f71c700f3e5929f07b6ee1bcaa]

Processed: Re: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-11 Thread Debian Bug Tracking System
Processing control commands:

> found -1 5.10.191-1
Bug #1051592 [linux] linux: Regression - upgrade to 6.1.52-1 breaks nftables
There is no source info for the package 'linux' at version '5.10.191-1' with 
architecture ''
Unable to make a source version for version '5.10.191-1'
Marked as found in versions 5.10.191-1.

-- 
1051592: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051592
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-11 Thread Salvatore Bonaccorso
Control: found -1 5.10.191-1

On Mon, Sep 11, 2023 at 04:17:46PM +0200, Salvatore Bonaccorso wrote:
> Control: tags -1 + confirmed upstream
> 
> Hi,
> 
> On Mon, Sep 11, 2023 at 04:08:07PM +0200, Salvatore Bonaccorso wrote:
> > Control: tags -1 - moreinfo unreproducible
> > 
> > Hi Timo,
> > 
> > On Mon, Sep 11, 2023 at 03:15:18AM +0200, Timo Sigurdsson wrote:
> > > Hi,
> > > 
> > > Salvatore Bonaccorso wrote on 10.09.2023 12:21 (GMT +02:00):
> > > 
> > > > Would it be possible to provide a minimal set of rules triggering the
> > > > issue? Can you reproduce the issue with the official build?
> > > 
> > > So, I did some more testing on a different machine running the official 
> > > build. My findings so far are:
> > > 1) Yes, I can reproduce the issue with the official build.
> > > 2) The issue depends on the ruleset. The minimal ruleset I have on that 
> > > machine doesn't trigger the issue, but when I copy over the ruleset from
> > > the machine I first observed this on, then I can reproduce it.
> > > 
> > > I'm attaching a somewhat stripped down version of my original, rather 
> > > complex ruleset. It's by no means a "minimal" reproducer, cause I haven't 
> > > had the time yet to further reduce it in order to see what actually 
> > > triggers it. But you should be able to observe that this ruleset loads 
> > > just fine on linux 6.1.38-4, but doesn't anymore on 6.1.52-1.
> > 
> > Thanks for providing it, this helps debugging the issue.
> > 
> > > I also started looking into what commit could have introduced this. My 
> > > first guess "netfilter: nft_dynset: disallow object maps" (23185c6aed1f) 
> > > is wrong. Even with this one reverted, the issue occurs. I'll try another 
> > > build with "netfilter: nf_tables: disallow rule addition to bound chain 
> > > via NFTA_RULE_CHAIN_ID" (0ebc1064e487) reverted tomorrow evening...
> > 
> > Thanks, as soon as we have the introducing commit we can go to the next
> > step and check upstream. I cannot trigger the problem with 6.4.13-1 or
> > 6.5.2.
> 
> The issue seems to be present already in 6.1.49-rc1, which I had still
> from local preparations for the rebases. So the bisection needs to go
> to the upstream versions between 6.1.38 and 6.1.49 at least.

Additionally the behaviour change is present in 5.10.191-1 (and
5.10.193 upstream) as well, whereas it does not trigger in 5.10.179.

So to be on the safe side, making the following statement: either this
is a real regression affecting several stable series or there is an
intentional upstream change uncovering an issue in the ruleset. As the
behaviour is not in 6.5.2, for now I'm considering it the first case.

Regards,
Salvatore



Processed: Re: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-11 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed upstream
Bug #1051592 [linux] linux: Regression - upgrade to 6.1.52-1 breaks nftables
Added tag(s) upstream and confirmed.




Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-11 Thread Salvatore Bonaccorso
Control: tags -1 + confirmed upstream

Hi,

On Mon, Sep 11, 2023 at 04:08:07PM +0200, Salvatore Bonaccorso wrote:
> Control: tags -1 - moreinfo unreproducible
> 
> Hi Timo,
> 
> On Mon, Sep 11, 2023 at 03:15:18AM +0200, Timo Sigurdsson wrote:
> > Hi,
> > 
> > Salvatore Bonaccorso wrote on 10.09.2023 12:21 (GMT +02:00):
> > 
> > > Would it be possible to provide a minimal set of rules triggering the
> > > issue? Can you reproduce the issue with the official build?
> > 
> > So, I did some more testing on a different machine running the official 
> > build. My findings so far are:
> > 1) Yes, I can reproduce the issue with the official build.
> > 2) The issue depends on the ruleset. The minimal ruleset I have on that 
> > machine doesn't trigger the issue, but when I copy over the ruleset from
> > the machine I first observed this on, then I can reproduce it.
> > 
> > I'm attaching a somewhat stripped down version of my original, rather 
> > complex ruleset. It's by no means a "minimal" reproducer, cause I haven't 
> > had the time yet to further reduce it in order to see what actually 
> > triggers it. But you should be able to observe that this ruleset loads just 
> > fine on linux 6.1.38-4, but doesn't anymore on 6.1.52-1.
> 
> Thanks for providing it, this helps debugging the issue.
> 
> > I also started looking into what commit could have introduced this. My 
> > first guess "netfilter: nft_dynset: disallow object maps" (23185c6aed1f) is 
> > wrong. Even with this one reverted, the issue occurs. I'll try another 
> > build with "netfilter: nf_tables: disallow rule addition to bound chain via 
> > NFTA_RULE_CHAIN_ID" (0ebc1064e487) reverted tomorrow evening...
> 
> Thanks, as soon as we have the introducing commit we can go to the next
> step and check upstream. I cannot trigger the problem with 6.4.13-1 or
> 6.5.2.

The issue seems to be present already in 6.1.49-rc1, which I had still
from local preparations for the rebases. So the bisection needs to go
to the upstream versions between 6.1.38 and 6.1.49 at least.

Regards,
Salvatore



Processed: Re: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-11 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo unreproducible
Bug #1051592 [linux] linux: Regression - upgrade to 6.1.52-1 breaks nftables
Removed tag(s) moreinfo and unreproducible.




Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-11 Thread Salvatore Bonaccorso
Control: tags -1 - moreinfo unreproducible

Hi Timo,

On Mon, Sep 11, 2023 at 03:15:18AM +0200, Timo Sigurdsson wrote:
> Hi,
> 
> Salvatore Bonaccorso wrote on 10.09.2023 12:21 (GMT +02:00):
> 
> > Would it be possible to provide a minimal set of rules triggering the
> > issue? Can you reproduce the issue with the official build?
> 
> So, I did some more testing on a different machine running the official 
> build. My findings so far are:
> 1) Yes, I can reproduce the issue with the official build.
> 2) The issue depends on the ruleset. The minimal ruleset I have on that 
> machine doesn't trigger the issue, but when I copy over the ruleset from the
> machine I first observed this on, then I can reproduce it.
> 
> I'm attaching a somewhat stripped down version of my original, rather complex 
> ruleset. It's by no means a "minimal" reproducer, cause I haven't had the 
> time yet to further reduce it in order to see what actually triggers it. But 
> you should be able to observe that this ruleset loads just fine on linux 
> 6.1.38-4, but doesn't anymore on 6.1.52-1.

Thanks for providing it, this helps debugging the issue.

> I also started looking into what commit could have introduced this. My first 
> guess "netfilter: nft_dynset: disallow object maps" (23185c6aed1f) is wrong. 
> Even with this one reverted, the issue occurs. I'll try another build with 
> "netfilter: nf_tables: disallow rule addition to bound chain via 
> NFTA_RULE_CHAIN_ID" (0ebc1064e487) reverted tomorrow evening...

Thanks, as soon as we have the introducing commit we can go to the next
step and check upstream. I cannot trigger the problem with 6.4.13-1 or
6.5.2.

Regards,
Salvatore



Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-10 Thread Timo Sigurdsson
Hi,

Salvatore Bonaccorso wrote on 10.09.2023 12:21 (GMT +02:00):

> Would it be possible to provide a minimal set of rules triggering the
> issue? Can you reproduce the issue with the official build?

So, I did some more testing on a different machine running the official build. 
My findings so far are:
1) Yes, I can reproduce the issue with the official build.
2) The issue depends on the ruleset. The minimal ruleset I have on that 
machine doesn't trigger the issue, but when I copy over the ruleset from the
machine I first observed this on, then I can reproduce it.

I'm attaching a somewhat stripped down version of my original, rather complex 
ruleset. It's by no means a "minimal" reproducer, cause I haven't had the time 
yet to further reduce it in order to see what actually triggers it. But you 
should be able to observe that this ruleset loads just fine on linux 6.1.38-4, 
but doesn't anymore on 6.1.52-1.

I also started looking into what commit could have introduced this. My first 
guess "netfilter: nft_dynset: disallow object maps" (23185c6aed1f) is wrong. 
Even with this one reverted, the issue occurs. I'll try another build with 
"netfilter: nf_tables: disallow rule addition to bound chain via 
NFTA_RULE_CHAIN_ID" (0ebc1064e487) reverted tomorrow evening...

Kind regards,

Timo


P.S.: Regarding the severity: Treat it with whatever severity you see fit. I 
was a bit in a hurry and didn't actually look at the definitions for the 
different severity options this morning. 

#!/usr/sbin/nft -f

flush ruleset

define public_if = eth0
define trusted_if = eth1
define voip_if = eth2.10
define guest_if = eth2.20
define home_if = { $trusted_if, $voip_if, $guest_if }
define home_ipv6_if = { $trusted_if, $voip_if, $guest_if }

define masq_ip = { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 }
define masq_if = $public_if

define host1_ip = 192.168.1.10
define host2_ip = 192.168.2.20
define host3_ip = 192.168.3.30
define host4_ip = 192.168.4.40

define proxy_port = 8443

define private_ip = { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
define private_ip6 = { fe80::/64, fd00::/8 }
define bogons_ip = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 }
define bogons_ip6 = { ::/3, 2001:0002::/48, 2001:0003::/32, 2001:10::/28, 2001:20::/28, 2001::/32, 2001:db8::/32, 2002::/16, 3000::/4, 4000::/2, 8000::/1 }

define sip_whitelist_ip6 = { 2001:db8::1/128, 2001:db8::2/128 }
define smtps_whitelist_ip = 10.0.0.1
define protocol_whitelist = { tcp, udp, icmp, ipv6-icmp }

table inet filter {
    map if_input {
        type ifname : verdict;
        elements = { $public_if : jump public_input, $trusted_if : jump home_input, $voip_if : jump home_input, $guest_if : jump home_input }
    }
    map if_forward {
        type ifname : verdict;
        elements = { $public_if : jump public_forward, $trusted_if : jump trusted_forward, $voip_if : jump voip_forward, $guest_if : jump guest_forward }
    }
    map if_output {
        type ifname : verdict;
        elements = { $public_if : jump public_output, $trusted_if : jump home_output, $voip_if : jump home_output, $guest_if : jump home_output }
    }

    set ipv4_blacklist { type ipv4_addr; flags interval; auto-merge; }
    set ipv6_blacklist { type ipv6_addr; flags interval; auto-merge; }
    set limit_src_ip { type ipv4_addr; flags dynamic, timeout; size 1024; }
    set limit_src_ip6 { type ipv6_addr; flags dynamic, timeout; size 1024; }

    chain PREROUTING_RAW {
        type filter hook prerouting priority raw;

        meta l4proto != $protocol_whitelist counter drop
        tcp flags syn jump {
            tcp option maxseg size 1-500 counter drop
            tcp sport 0 counter drop
        }
        rt type 0 counter drop
    }

    chain PREROUTING_MANGLE {
        type filter hook prerouting priority mangle;

        ct state vmap { invalid : jump ct_invalid_pre, untracked : jump ct_untracked_pre, new : jump ct_new_pre, related : jump rpfilter }
    }
    chain ct_invalid_pre {
        counter drop
    }
    chain ct_untracked_pre {
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, mld2-listener-report } return
        counter drop
    }
    chain ct_new_pre {
        jump rpfilter

        tcp flags & (fin|syn|rst|ack) != syn counter drop

        iifname $public_if meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 }
    }
    chain rpfilter {
        ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport bootpc udp dport bootps

Processed: Re: Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-10 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #1051592 [linux] linux: Regression - upgrade to 6.1.52-1 breaks nftables
Added tag(s) moreinfo.




Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-10 Thread Salvatore Bonaccorso
Control: tags -1 + moreinfo

Hi

On Sun, Sep 10, 2023 at 10:38:45AM +0200, Timo Sigurdsson wrote:
> Package: linux
> Version: 6.1.52-1
> Severity: grave
> 
> Dear Maintainers,
> 
> linux-image-6.1.0-12-amd64 causes a serious regression in nftables.
> After upgrading one of my machines, nftables fails to start -
> leaving the system without an active firewall.
> 
> Doing
> `nft -cf /etc/nftables.conf'
> throws many "Operation not supported" errors on rulesets that have been in 
> place for months without issues.
> 
> Just to give two simple examples from the log when nftables fails to start:
> /etc/nftables.conf:99:4-44: Error: Could not process rule: Operation not 
> supported
> tcp option maxseg size 1-500 counter drop
> ^
> /etc/nftables.conf:308:4-27: Error: Could not process rule: Operation not 
> supported
> tcp dport sip-tls accept
> 
> 
> Downgrading to linux-image-6.1.0-11-amd64 resolves the issue.
> 
> Notes: I'm running a local rebuild of linux-image-amd64 with a few
> additional symbols enabled. But since these symbols are totally
> unrelated to the netfilter subsystem and there are no changes to the
> source itself, I'm certain this affects the original Debian build
> as well. Whether it only affects certain architectures or rulesets,
> I can't say, though.
> 
> I'm cc'ing debian-secur...@debian.org because the update came via
> the stable-security channel.

This is definitively not 'grave' but I keep it for the time being at
RC level and it might be adjusted later.

Would it be possible to provide a minimal set of rules triggering the
issue? Can you reproduce the issue with the official build?

Regards,
Salvatore



Bug#1051592: linux: Regression - upgrade to 6.1.52-1 breaks nftables

2023-09-10 Thread Timo Sigurdsson
Package: linux
Version: 6.1.52-1
Severity: grave

Dear Maintainers,

linux-image-6.1.0-12-amd64 causes a serious regression in nftables. After 
upgrading one of my machines, nftables fails to start - leaving the system 
without an active firewall.

Doing
`nft -cf /etc/nftables.conf'
throws many "Operation not supported" errors on rulesets that have been in 
place for months without issues.

Just to give two simple examples from the log when nftables fails to start:
/etc/nftables.conf:99:4-44: Error: Could not process rule: Operation not 
supported
tcp option maxseg size 1-500 counter drop
^
/etc/nftables.conf:308:4-27: Error: Could not process rule: Operation not 
supported
tcp dport sip-tls accept


Downgrading to linux-image-6.1.0-11-amd64 resolves the issue.

Notes: I'm running a local rebuild of linux-image-amd64 with a few additional 
symbols enabled. But since these symbols are totally unrelated to the netfilter 
subsystem and there are no changes to the source itself, I'm certain this
affects the original Debian build as well. Whether it only affects certain 
architectures or rulesets, I can't say, though.

I'm cc'ing debian-secur...@debian.org because the update came via the 
stable-security channel.


Thanks and regards,

Timo
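Added example, not code from the bug thread, from nftables or from the kernel: a Python helper that parses the `nft -c -f` diagnostics quoted in this report and maps each rule the kernel refused with EOPNOTSUPP to the chain enclosing it in the ruleset, marking rules that sit inside an inline `jump { ... }` block (an anonymous chain bound to the rule that jumps to it, the NFTA_RULE_CHAIN_ID path the bisected commit concerns). The ruleset, the nft output and their line numbers are constructed samples modelled on the attachment and the two errors above, not the reporter's files.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed ruleset shaped like the one attached to the report; the real file
# was much longer (the report cited lines 99 and 308, here they are 7 and 12).
SAMPLE_RULESET = """\
#!/usr/sbin/nft -f
define protocol_whitelist = { tcp, udp, icmp, ipv6-icmp }
table inet filter {
    chain PREROUTING_RAW {
        type filter hook prerouting priority raw;
        tcp flags syn jump {
            tcp option maxseg size 1-500 counter drop
            tcp sport 0 counter drop
        }
    }
    chain voip_input {
        tcp dport sip-tls accept
    }
}
"""
# Constructed `nft -c -f` output in the format quoted in the bug report.
SAMPLE_NFT_OUTPUT = """\
/etc/nftables.conf:7:4-44: Error: Could not process rule: Operation not supported
tcp option maxseg size 1-500 counter drop
^
/etc/nftables.conf:12:4-27: Error: Could not process rule: Operation not supported
tcp dport sip-tls accept
^
"""
# strerror(EOPNOTSUPP): what the bisected commit returns for a rule added to a bound chain.
EOPNOTSUPP_TEXT = "Operation not supported"
_DIAG_RE = re.compile(r"^(?P<path>[^:\n]+):(?P<line>\d+):(?P<cs>\d+)-(?P<ce>\d+): (?:Error|Warning): (?P<message>.*)$")


class NftDiagnostic(NamedTuple):
    path: str
    line: int
    cols: Tuple[int, int]
    message: str
    rule: Optional[str]  # the offending source line nft echoes, if present


def _is_marker(s: str) -> bool:
    s = s.strip()
    return bool(s) and set(s) <= {"^", "~"}


def parse_nft_check_output(text: str) -> List[NftDiagnostic]:
    """Parse nft diagnostics; the echoed rule line and caret line are optional."""
    diags: List[NftDiagnostic] = []
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m, i = _DIAG_RE.match(lines[i]), i + 1
        if not m:
            continue
        rule, nxt = None, (lines[i] if i < len(lines) else "")
        if nxt.strip() and not _DIAG_RE.match(nxt) and not _is_marker(nxt):
            rule, i = nxt.strip(), i + 1
            if i < len(lines) and _is_marker(lines[i]):
                i += 1
        diags.append(NftDiagnostic(m["path"], int(m["line"]),
                                   (int(m["cs"]), int(m["ce"])), m["message"], rule))
    return diags


def chain_of_lines(ruleset_text: str) -> Dict[int, str]:
    """Map each 1-based ruleset line to its enclosing block path, e.g.
    'inet filter/PREROUTING_RAW/{anonymous}'. Brace-depth scan, comments ignored."""
    stack: List[str] = []
    where: Dict[int, str] = {}
    for n, raw in enumerate(ruleset_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        where[n] = "/".join(stack)  # a block's opening line belongs to its parent
        opens, closes = line.count("{"), line.count("}")
        if opens > closes:
            words = line.split()
            if words[0] == "table" and len(words) > 2:
                stack.append(f"{words[1]} {words[2]}")
            elif words[0] == "chain" and len(words) > 1:
                stack.append(words[1])
            elif re.search(r"\b(?:jump|goto)\s*\{", line):
                stack.append("{anonymous}")  # inline chain bound to this rule
            else:
                stack.append(words[0])  # set/map/elements/define blocks
        elif closes > opens:
            del stack[max(0, len(stack) - (closes - opens)):]
    return where


def locate_rejected_rules(nft_output: str, ruleset_text: str) -> List[Tuple[int, str, str, bool]]:
    """(line, rule, chain path, inside an inline jump block) for each EOPNOTSUPP rule."""
    where = chain_of_lines(ruleset_text)
    out = []
    for d in parse_nft_check_output(nft_output):
        if d.message.endswith(EOPNOTSUPP_TEXT):
            chain = where.get(d.line, "")
            out.append((d.line, d.rule or "", chain, chain.endswith("{anonymous}")))
    return out


if __name__ == "__main__":
    for line, rule, chain, anon in locate_rejected_rules(SAMPLE_NFT_OUTPUT, SAMPLE_RULESET):
        kind = "inline jump block" if anon else "named chain"
        print(f"line {line:>3}  {chain:<40}  {kind:<18}  {rule}")
```

On a real system feed it the captured output of `nft -c -f /etc/nftables.conf 2>&1` together with the file itself; every failure carrying the same EOPNOTSUPP message right after a kernel upgrade is the pattern this thread bisected to a kernel-side change rather than to the individual rules.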