nft cannot load certain rulesets after kernel upgrade
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Won't Fix | Undecided | Unassigned | |
| Jammy | Won't Fix | Undecided | Unassigned | |
| Lunar | Won't Fix | Undecided | Unassigned | |
| nftables (Ubuntu) | Invalid | Undecided | Unassigned | |
| Jammy | New | Undecided | Unassigned | |
| Lunar | New | Undecided | Unassigned | |
Bug Description
[Impact]
After kernel fixes for CVE-2023-
[Test case]
Running nftables testcase 0041chain_binding_0 on linux-5.
ubuntu@
I: using nft command: /usr/sbin/nft
W: [FAILED] ./testcases/
/dev/stdin:5:25-95: Error: Could not process rule: Operation not supported
/dev/stdin:6:25-56: Error: Could not process rule: Operation not supported
I: results: [OK] 0 [FAILED] 1 [TOTAL] 1
The expected result is:
ubuntu@
I: using nft command: /usr/sbin/nft
I: [OK] ./testcases/
I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
Another test case is to run nft -f test.nft with the following contents in test.nft:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain PREROUTING_RAW {
        tcp flags syn jump {
        }
        rt type 0 counter drop
    }
}
A broken nft will produce:
./test.nft:10:4-44: Error: Could not process rule: Operation not supported
./test.nft:11:4-27: Error: Could not process rule: Operation not supported
A fixed nft will produce no output, but a following 'nft list ruleset' command will show:
table inet filter {
    chain PREROUTING_RAW {
        tcp flags syn jump {
        }
        rt type 0 counter packets 0 bytes 0 drop
    }
}
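The reproducer above can be turned into a regression check to run after a kernel or nftables upgrade. The script below is an added helper, not part of the bug report or of the nftables test suite: it loads a scratch ruleset that uses the same anonymous chain binding ("jump { ... }") and the same "rt type 0" rule through `nft -f -`, classifies nft's stderr in the "file:line:cols: Error: ..." format shown above, and deletes the scratch table afterwards. The table name `chainbind_check` and all function names are assumptions.

```python
import re
import shutil
import subprocess

# nft error lines look like:
# /dev/stdin:5:25-95: Error: Could not process rule: Operation not supported
ERR_RE = re.compile(r"^(?P<file>[^:]+):(?P<line>\d+):(?P<cols>\d+-\d+): Error: (?P<msg>.*)$")


def chain_binding_ruleset(table="chainbind_check"):
    """Minimal ruleset with an anonymous chain binding, the construct the bug
    report shows being rejected with EOPNOTSUPP. The table name is a
    hypothetical scratch name so the check never touches a real firewall table."""
    return (
        f"table inet {table} {{\n"
        "\tchain c {\n"
        "\t\ttcp flags syn jump {\n"
        "\t\t\tcounter\n"
        "\t\t}\n"
        "\t\trt type 0 counter drop\n"
        "\t}\n"
        "}\n"
    )


def parse_nft_errors(stderr):
    """Return [(line_number, message), ...] for every 'Error:' line nft printed."""
    errors = []
    for raw in stderr.splitlines():
        m = ERR_RE.match(raw.strip())
        if m:
            errors.append((int(m.group("line")), m.group("msg")))
    return errors


def classify(stderr, returncode=0):
    """'ok' on a clean load, 'unsupported' when the kernel rejected a rule with
    'Operation not supported' (the signature in the bug report), else 'other'."""
    errors = parse_nft_errors(stderr)
    if any(msg.endswith("Operation not supported") for _, msg in errors):
        return "unsupported"
    if errors or returncode != 0:
        return "other"
    return "ok"


def check_system(table="chainbind_check"):
    """Load the scratch ruleset (needs root and the nft binary), classify the
    result, then remove the scratch table; deletion errors are ignored because
    a rejected batch never creates the table in the first place."""
    if shutil.which("nft") is None:
        return "nft-missing"
    proc = subprocess.run(["nft", "-f", "-"], input=chain_binding_ruleset(table),
                          capture_output=True, text=True)
    subprocess.run(["nft", "delete", "table", "inet", table], capture_output=True, text=True)
    return classify(proc.stderr, proc.returncode)


if __name__ == "__main__":
    print(check_system())
```

A result of "unsupported" on an upgraded kernel means rulesets that use anonymous chain bindings will fail to load on that host.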
[Potential regressions]
Users' rulesets may fail to load or produce incorrect results, for example allowing or denying certain packets in their firewall.
Changed in linux (Ubuntu Jammy):
    status: Incomplete → Won't Fix
Changed in linux (Ubuntu Lunar):
    status: Incomplete → Won't Fix
Changed in linux (Ubuntu):
    status: Incomplete → Won't Fix
Changed in nftables (Ubuntu):
    status: New → Invalid
Upstream nftables commits below apply cleanly on 1.0.6 (lunar upstream version) and produce the correct results.
784597a4ed63b9d
ecb10d74fdb49a1
b021e22728
f479345e3f5e34c
afef751602
2cdf03753342f22
69153d5624
27c753e4a8d4744
3975430b12d97c9