Re: Regression: Commit "netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID" breaks ruleset loading in linux-stable
From: Linux regression tracking (Thorsten Leemhuis) <hidden>
Date: 2023-09-29 11:46:58
Also in:
lkml, netfilter-devel, regressions, stable
On 12.09.23 12:27, Florian Westphal wrote:
Linux regression tracking (Thorsten Leemhuis) [off-list ref] wrote:quoted
On 12.09.23 00:57, Pablo Neira Ayuso wrote:quoted
Userspace nftables v1.0.6 generates incorrect bytecode that hits a new kernel check that rejects adding rules to bound chains. The incorrect bytecode adds the chain binding, attach it to the rule and it adds the rules to the chain binding. I have cherry-picked these three patches for nftables v1.0.6 userspace and your ruleset restores fine. [...]Hmmmm. Well, this sounds like a kernel regression to me that normally should be dealt with on the kernel level, as users after updating the kernel should never have to update any userspace stuff to continue what they have been doing before the kernel update.This is a combo of a userspace bug and this new sanity check that rejects the incorrect ordering (adding rules to the already-bound anonymous chain). nf_tables uses a transaction allor-nothing model, this means that any error that occurs during a transaction has to be reverse/undo all the pending changes. This has caused a myriad of bugs already. So while this can be theoretically fixed in the kernel I don't see a sane way to do it. Error unwinding / recovery from deeply nested errors is already too complex for my taste.quoted
Can't the kernel somehow detect the incorrect bytecode and do the right thing(tm) somehow?Theoretically yes, but I don't feel competent enough to do it, just look at all the UaF bugs of the past month.
Thx for the answer. FWIW, as this was a judgement call I mentioned this in my last regression report to Linus; he didn't reply, so I guess it is -- and will remove this issue from my tracking: #regzbot resolve: can be solved by a nftables userspace update; not nice, but likely best solution in this case #regzbot ignore-activity Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat) -- Everything you wanna know about Linux kernel regression tracking: https://linux-regtracking.leemhuis.info/about/#tldr If I did something stupid, please tell me, as explained on that page.