[pkg-netfilter-team] Bug#994273: More info

Jeremy Sowden jeremy at azazel.net
Thu Oct 7 22:50:11 BST 2021


On 2021-10-08, at 06:42:29 +1000, Harry STARR wrote:
> > I'll send a patch upstream.
>
> I have noticed that on Gentoo and Arch this seems to be resolved.
> They are using a version > 1.0.x
>
> Maybe already fixed upstream...

The bug that I believe is responsible is in this if-block:

  https://git.netfilter.org/nftables/tree/src/rule.c#n372

When listing a set, nft will set the `stateless` flag in order to
suppress the state of any counters it defines.  However, it doesn't keep
track of whether the flag was already set and clears it unconditionally
afterwards.  It has not yet been fixed upstream.

The buggy commit was released in 0.9.4, which is why you saw it after
upgrading from buster (0.9.0-2) to bullseye (0.9.8-3.1).

Here's the fix I've sent upstream:

  https://lore.kernel.org/netfilter-devel/20211007201222.2613750-3-jeremy@azazel.net/T/#u

I'm not that familiar with Arch or Gentoo, but from what I can see
looking through their package repos and bug-trackers, they don't seem
to be carrying patches for this.

Here's the stateless output from your example with some annotation:

*** The stateless flag is set on the command-line. ***

  table ip filter {
        set bad_guys {
                type ipv4_addr
                size 65535
*** Here we set the stateless flag. ***
                counter
*** Here we clear it. ***
                timeout 31m
        }

        set black {
                type ipv4_addr
                size 65535
                flags interval
*** Here we set the stateless flag. ***
                counter
*** Here we clear it. ***
                elements = { 1.2.3.4 counter packets 0 bytes 0, 5.6.7.0/24 counter packets 0 bytes 0 }
        }

        set dns_black {
                type ipv4_addr
                size 65535
*** Here we set the stateless flag. ***
                counter
*** Here we clear it. ***
                timeout 1d
                elements = { 192.168.0.100 counter packets 0 bytes 0 expires 22h58m48s84ms }
        }

        chain INPUT {
                type filter hook input priority filter; policy drop;
                ip saddr @bad_guys counter packets 0 bytes 0 drop
                ct state invalid counter packets 22 bytes 3204 drop
                ct state established,related counter packets 351 bytes 28667 accept
                iifname "lo" counter packets 0 bytes 0 accept
                ip saddr @black counter packets 0 bytes 0 drop
                ip saddr 192.168.0.0/16 counter packets 69 bytes 6558 accept
                iifname "ge0" udp sport 67-68 udp dport 67-68 counter packets 8 bytes 2696 accept
                udp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
                tcp dport 53 ip saddr @dns_black counter packets 0 bytes 0 drop
                udp dport 53 counter packets 0 bytes 0 accept
                tcp dport 53 counter packets 0 bytes 0 accept
                fib daddr type multicast counter packets 0 bytes 0 drop
                add @bad_guys { ip saddr } log level debug counter packets 0 bytes 0 drop
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
  }

Once the first set ("bad_guys") has been output, the original record of
the `stateless` flag has been lost and the only stateful objects output
with no state are the counters in the three sets where the flag is
explicitly set.

J.
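The flag-clobbering described in this mail, as an added illustration that is not part of the thread and not nftables' own code: a hypothetical, stripped-down model of an output context with a `stateless` flag, the buggy "set, print, clear unconditionally" pattern beside the save-and-restore fix, and a simulated `list ruleset` that shows whether the command-line request survives the first set listing. The struct, function names and sample counter values are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of an output context. The real one lives
 * in nftables' src/rule.c and is not reproduced here. */
struct output_ctx {
	bool stateless;   /* suppress counter state when printing */
	char buf[512];    /* constructed capture of what would be printed */
};

static void out(struct output_ctx *octx, const char *s)
{
	strncat(octx->buf, s, sizeof(octx->buf) - strlen(octx->buf) - 1);
}

/* Print a counter expression, honouring the stateless flag. */
static void counter_print(struct output_ctx *octx, unsigned pkts, unsigned bytes)
{
	char tmp[64];

	if (octx->stateless) {
		out(octx, "counter");
		return;
	}
	snprintf(tmp, sizeof(tmp), "counter packets %u bytes %u", pkts, bytes);
	out(octx, tmp);
}

/* Buggy variant, mirroring the behaviour the mail describes: the flag is
 * set so the set's own counter definition prints without state, then
 * cleared unconditionally, discarding whatever the caller had chosen. */
static void set_print_buggy(struct output_ctx *octx, const char *name)
{
	out(octx, "set "); out(octx, name); out(octx, " { ");
	octx->stateless = true;
	counter_print(octx, 0, 0);
	octx->stateless = false;
	out(octx, " }\n");
}

/* Fixed variant: remember the caller's setting and restore it afterwards. */
static void set_print_fixed(struct output_ctx *octx, const char *name)
{
	bool saved = octx->stateless;

	out(octx, "set "); out(octx, name); out(octx, " { ");
	octx->stateless = true;
	counter_print(octx, 0, 0);
	octx->stateless = saved;
	out(octx, " }\n");
}

/* Simulate `nft [-s] list ruleset`: one set, then one rule carrying a
 * counter. Returns true if the rule's counter was printed without state,
 * i.e. if the command-line stateless request survived the set listing. */
static bool list_ruleset(bool use_fixed, bool stateless_flag,
			 char *outbuf, size_t len)
{
	struct output_ctx octx = { .stateless = stateless_flag, .buf = "" };

	if (use_fixed)
		set_print_fixed(&octx, "bad_guys");
	else
		set_print_buggy(&octx, "bad_guys");

	out(&octx, "rule: ct state invalid ");
	counter_print(&octx, 22, 3204);   /* constructed sample counts */
	out(&octx, " drop\n");

	if (outbuf)
		snprintf(outbuf, len, "%s", octx.buf);
	return strstr(octx.buf, "rule: ct state invalid counter drop") != NULL;
}

int main(void)
{
	char buf[512];

	list_ruleset(false, true, buf, sizeof(buf));
	printf("buggy, -s requested:\n%s\n", buf);
	list_ruleset(true, true, buf, sizeof(buf));
	printf("fixed, -s requested:\n%s\n", buf);
	return 0;
}
```

With the buggy variant the rule after the first set comes out with `packets 22 bytes 3204` even though stateless output was requested; with the save-and-restore variant the rule's counter is printed as a bare `counter`, which is the behaviour the upstream patch restores.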