[pkg-netfilter-team] Bug#912977: iptables: nftables layer breaks ipsec/policy keyword

Pierre Chifflier pollux at debian.org
Mon Nov 5 12:08:15 GMT 2018


Package: iptables
Version: 1.8.1-2
Severity: grave
Tags: security
Justification: breaks rules, inserts pass-all rules
X-Debbugs-Cc: team at security.debian.org, secure-testing-team at lists.alioth.debian.org

Hi,

The Debian package for iptables now transparently converts inserted
rules to nftables, which is great.

However, some keywords are not supported (like the 'policy' keyword for
IPsec transforms). The bad part is, these rules are inserted
*without* the matches, which makes in some cases your firewall useless.

For ex:
# iptables -F
# iptables -A OUTPUT -m policy --dir out --pol ipsec --strict --mode tunnel -o eth0 -j ACCEPT
# echo $?
0
# nft list ruleset
<cut>
	chain OUTPUT {
		type filter hook output priority 0; policy accept;
		oifname "eth0"  counter packets 90 bytes 26085 accept
	}
}

As you can see, the inserted rule allows everything, while the expected
behavior would be 'only if going through an IPsec tunnel'.
Even worse: inserting the rule did not fail.

Until the 'ipsec' (or 'secpath') keyword works properly (and supports
all options), an acceptable behavior would be to reject the rule if one
or more keywords are not supported by nftables.

Regards,
Pierre
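As an added illustration (not part of the bug report above), the check below parses the text of `nft list ruleset` and compares the last rule of a chain against the iptables rule that was submitted, flagging an accept rule whose `-m policy` match did not survive translation. The flag-to-expression mapping is an assumption made for this example, not an iptables-nft API, and the sample ruleset text is constructed from the output quoted in the report.

```python
import re

# Assumed mapping for this example (not an iptables-nft API): an iptables
# match flag and the nft expression keyword(s) its translation should contain.
EXPECTED_EXPR = {"-m policy": ("ipsec", "secpath"), "-o": ("oifname",), "-i": ("iifname",)}

def parse_chain_rules(ruleset_text, chain_name):
    """Return the rule lines inside `chain <chain_name> { ... }` of `nft list ruleset`."""
    rules, inside = [], False
    for line in ruleset_text.splitlines():
        s = line.strip()
        if s.startswith(f"chain {chain_name} "):
            inside = True
        elif inside and s == "}":
            break
        elif inside and s and not s.startswith("type "):  # skip the hook/policy line
            rules.append(s)
    return rules

def missing_matches(ipt_rule, nft_rule):
    """Flags used in `ipt_rule` that have no counterpart expression in `nft_rule`."""
    lost = []
    for flag, keywords in EXPECTED_EXPR.items():
        used = re.search(rf"(^|\s){re.escape(flag)}(\s|$)", ipt_rule)
        if used and not any(k in nft_rule for k in keywords):
            lost.append(flag)
    return lost

def audit(ipt_rule, ruleset_text, chain="OUTPUT"):
    """Check the last rule of `chain`; an accept rule that lost a match is unsafe."""
    rules = parse_chain_rules(ruleset_text, chain)
    if not rules:
        return ("no rule found", [])
    lost = missing_matches(ipt_rule, rules[-1])
    if lost and rules[-1].endswith("accept"):
        return ("UNSAFE: accept rule lost matches", lost)
    return ("ok", lost)

# Constructed sample: the rule from the report and the ruleset it produced.
IPT_RULE = ("-A OUTPUT -m policy --dir out --pol ipsec --strict --mode tunnel "
            "-o eth0 -j ACCEPT")
NFT_RULESET = """table ip filter {
	chain OUTPUT {
		type filter hook output priority 0; policy accept;
		oifname "eth0"  counter packets 90 bytes 26085 accept
	}
}
"""
if __name__ == "__main__":
    print(audit(IPT_RULE, NFT_RULESET))  # -> ('UNSAFE: accept rule lost matches', ['-m policy'])
```

Run it after inserting a rule on a host where this bug applies: a non-empty "lost" list means the live ruleset is broader than the rule you wrote.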
