nft cannot load certain rulesets after kernel upgrade

Bug #2035285 reported by Thadeu Lima de Souza Cascardo
Affects            Status     Importance  Assigned to  Milestone
linux (Ubuntu)     Won't Fix  Undecided   Unassigned
  Jammy            Won't Fix  Undecided   Unassigned
  Lunar            Won't Fix  Undecided   Unassigned
nftables (Ubuntu)  Invalid    Undecided   Unassigned
  Jammy            New        Undecided   Unassigned
  Lunar            Won't Fix  Undecided   Unassigned

Bug Description

[Impact]
After kernel fixes for CVE-2023-4147/CVE-2023-3995 were applied, the kernel nftables module does not accept certain bogus rules that were built by the nft tool. A fix for nft was provided to produce rules as now expected by the kernel.

[Test case]
Running nftables testcase 0041chain_binding_0 on linux-5.15.0-83-generic or linux-6.2.0-32-generic will show the following error:

ubuntu@jammy2:~/nftables-1.0.2/tests/shell$ sudo NFT=/usr/sbin/nft ./run-tests.sh -g ./testcases/chains/0041chain_binding_0
I: using nft command: /usr/sbin/nft

W: [FAILED] ./testcases/chains/0041chain_binding_0: got 1
/dev/stdin:5:25-95: Error: Could not process rule: Operation not supported
                        ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter accept
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/dev/stdin:6:25-56: Error: Could not process rule: Operation not supported
                        ip6 saddr ::1/128 counter accept
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I: results: [OK] 0 [FAILED] 1 [TOTAL] 1

The expected result is:
ubuntu@jammy2:~/nftables-1.0.2/tests/shell$ sudo NFT=/usr/sbin/nft ./run-tests.sh -g ./testcases/chains/0041chain_binding_0
I: using nft command: /usr/sbin/nft

I: [OK] ./testcases/chains/0041chain_binding_0

I: results: [OK] 1 [FAILED] 0 [TOTAL] 1

Another test case is trying to run nft -f test.nft with the following contents in test.nft:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain PREROUTING_RAW {
                type filter hook prerouting priority raw;

                tcp flags syn jump {
                        tcp option maxseg size 1-500 counter drop
                        tcp sport 0 counter drop
                }
                rt type 0 counter drop
        }
}

A broken nft will produce:
./test.nft:10:4-44: Error: Could not process rule: Operation not supported
                        tcp option maxseg size 1-500 counter drop
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
./test.nft:11:4-27: Error: Could not process rule: Operation not supported
                        tcp sport 0 counter drop
                        ^^^^^^^^^^^^^^^^^^^^^^^^

A fixed nft will produce no output, but a following 'nft list ruleset' command will show:
table inet filter {
        chain PREROUTING_RAW {
                type filter hook prerouting priority raw; policy accept;
                tcp flags syn jump {
                        tcp option maxseg size 1-500 counter packets 0 bytes 0 drop
                        tcp sport 0 counter packets 0 bytes 0 drop
                }
                rt type 0 counter packets 0 bytes 0 drop
        }
}

[Potential regressions]
Users' rulesets may fail to load or produce incorrect results, for example allowing or denying certain packets in their firewall.
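The two test cases above both end with the same kernel rejection, so an operator with many rulesets wants a pre-flight check that loads a throwaway ruleset and reports exactly which rules came back with "Operation not supported". The helper below is an added example, not part of the bug report or of the nftables project: it parses the error format nft prints (location line, rule text, caret line, as quoted above) and wraps a plain nft -f run. It assumes nft is in PATH, that it runs as root, and that the file passed to check_ruleset is a disposable test ruleset like the report's test.nft (which starts with flush ruleset and therefore replaces the active ruleset).

```shell
# Added example, not part of the bug report: pre-flight helper that loads a
# ruleset file with nft and lists the rules the kernel rejected with
# "Operation not supported", using the error layout quoted in the report.
# Assumptions: nft is in PATH, the script runs as root, and the ruleset is
# a throwaway test file (the report's test.nft begins with "flush ruleset").

# Read nft's combined stdout/stderr on stdin and print one "LINE<TAB>RULE"
# record per rejected rule. nft prints "file:line:col-col: Error: ..." then
# the offending rule text on the next line, then a line of carets.
parse_nft_errors() {
    awk '
        /: Error: Could not process rule: Operation not supported/ {
            split($1, loc, ":")     # $1 is "file:line:col-col:"
            getline rule            # next record is the rule text
            sub(/^[ \t]+/, "", rule)
            printf "%s\t%s\n", loc[2], rule
        }
    '
}

# Load a ruleset file and print the rejected rules. Empty output means the
# kernel accepted every rule; confirm with "nft list ruleset" as the report
# does for the fixed nft.
check_ruleset() {
    nft -f "$1" 2>&1 | parse_nft_errors
}

# Constructed sample of nft's output, in the shape quoted in the report for
# a broken nft running on a fixed kernel.
SAMPLE_ERRORS='./test.nft:10:4-44: Error: Could not process rule: Operation not supported
                        tcp option maxseg size 1-500 counter drop
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
./test.nft:11:4-27: Error: Could not process rule: Operation not supported
                        tcp sport 0 counter drop
                        ^^^^^^^^^^^^^^^^^^^^^^^^'

# Number of rejected rules found in the constructed sample.
sample_rejected_count() {
    printf '%s\n' "$SAMPLE_ERRORS" | parse_nft_errors | wc -l | tr -d ' '
}

# Usage on a test host:  check_ruleset ./test.nft
```

Run check_ruleset on a test host against the report's test.nft: a broken nft yields the two records for lines 10 and 11, a fixed nft yields nothing, and nft list ruleset then shows the counters as in the report. The parser keys on the location line's first whitespace-separated field, so it assumes ruleset paths without spaces.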

Revision history for this message
Thadeu Lima de Souza Cascardo (cascardo) wrote :

Upstream nftables commits below apply cleanly on 1.0.6 (lunar upstream version) and produce the correct results.

784597a4ed63b9decb10d74fdb49a1b021e22728
27c753e4a8d4744f479345e3f5e34cafef751602
3975430b12d97c92cdf03753342f2269153d5624

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 2035285

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Jammy):
status: New → Incomplete
Changed in linux (Ubuntu Lunar):
status: New → Incomplete
Changed in linux (Ubuntu Jammy):
status: Incomplete → Won't Fix
Changed in linux (Ubuntu Lunar):
status: Incomplete → Won't Fix
Changed in linux (Ubuntu):
status: Incomplete → Won't Fix
Changed in nftables (Ubuntu):
status: New → Invalid
Steve Beattie (sbeattie) wrote :

I have prepared an nftables upload for lunar in the ubuntu-security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ for people to test and confirm that it addresses the issue; additional work needs to be done for jammy as naively applying the commits results in an nft that segfaults on the 0041chain_binding_0 testcase.

Brian Murray (brian-murray) wrote :

Ubuntu 23.04 (Lunar Lobster) has reached end of life, so this bug will not be fixed for that specific release.

Changed in nftables (Ubuntu Lunar):
status: New → Won't Fix