These were added with the wrong family in 4cdc55e, which seems
to just have been a typo, but now ip6tables rules with --set-mark
don't work anymore, which is pretty bad.
Fixes: 4cdc55ec6222 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
Signed-off-by: Ilya Katsnelson <me@0upti.me>
---
net/netfilter/xt_NFLOG.c | 2 +-
net/netfilter/xt_mark.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index d80abd6ccaf8f71fa70605fef7edada827a19ceb..6dcf4bc7e30b2ae364a1cd9ac8df954a90905c52 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = {
{
.name = "NFLOG",
.revision = 0,
- .family = NFPROTO_IPV4,
+ .family = NFPROTO_IPV6,
.checkentry = nflog_tg_check,
.destroy = nflog_tg_destroy,
.target = nflog_tg,
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index f76fe04fc9a4e19f18ac323349ba6f22a00eafd7..65b965ca40ea7ea5d9feff381b433bf267a424c4 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
{
.name = "MARK",
.revision = 2,
- .family = NFPROTO_IPV4,
+ .family = NFPROTO_IPV6,
.target = mark_tg,
.targetsize = sizeof(struct xt_mark_tginfo2),
.me = THIS_MODULE,
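Review bot: Same problem as in the xt_NFLOG.c hunk: changing `.family = NFPROTO_IPV4` to `NFPROTO_IPV6` on the `MARK` revision 2 entry removes the IPv4 MARK target without adding one back, so `iptables -t mangle -A OUTPUT -j MARK --set-mark 1` can no longer be loaded (the MPTCP selftest output quoted in this thread shows exactly that failure). An ip6tables `--set-mark` failure points at the v6 entry being unavailable on that build, not at this v4 entry being wrong; suggest leaving this line as `NFPROTO_IPV4` and checking the `CONFIG_IP6_NF_IPTABLES`-guarded v6 entry instead.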
---
base-commit: 75aa74d52f43e75d0beb20572f98529071b700e5
change-id: 20241018-xtables-typos-dfeadb8b122d
Best regards,
--
Ilya Katsnelson <me@0upti.me>
Hi Ilya,
On 18/10/2024 17:45, Ilya Katsnelson wrote:
> These were added with the wrong family in 4cdc55e, which seems
> to just have been a typo, but now ip6tables rules with --set-mark
> don't work anymore, which is pretty bad.
Funny, with this patch, now the v4 version doesn't work any more, which
is pretty bad as well ;-)
More seriously, it looks like your patch broke MPTCP selftests:
https://netdev-3.bots.linux.dev/vmksft-mptcp-dbg/results/826643/1-mptcp-join-sh/stdout
Two tests are now failing, because they can no longer add a mark:
> # iptables -t mangle -A OUTPUT -j MARK --set-mark 1
> Warning: Extension MARK revision 0 not supported, missing kernel module?
> iptables v1.8.10 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
Please see below:
> diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
> index d80abd6ccaf8f71fa70605fef7edada827a19ceb..6dcf4bc7e30b2ae364a1cd9ac8df954a90905c52 100644
> --- a/net/netfilter/xt_NFLOG.c
> +++ b/net/netfilter/xt_NFLOG.c
> @@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = {
> {
> .name = "NFLOG",
> .revision = 0,
> - .family = NFPROTO_IPV4,
> + .family = NFPROTO_IPV6,
Here, by setting the family to v6 instead of v4, we now have two targets
that are exactly the same, both for v6:
> 67 │ static struct xt_target nflog_tg_reg[] __read_mostly = {
> 68 │ {
> 69 │ .name = "NFLOG",
> 70 │ .revision = 0,
> 71 │ .family = NFPROTO_IPV6, /* <== The line you modified */
> 72 │ .checkentry = nflog_tg_check,
> 73 │ .destroy = nflog_tg_destroy,
> 74 │ .target = nflog_tg,
> 75 │ .targetsize = sizeof(struct xt_nflog_info),
> 76 │ .me = THIS_MODULE,
> 77 │ },
> 78 │ #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> 79 │ {
> 80 │ .name = "NFLOG",
> 81 │ .revision = 0,
> 82 │ .family = NFPROTO_IPV6, /* <== v6 was already there */
> 83 │ .checkentry = nflog_tg_check,
> 84 │ .destroy = nflog_tg_destroy,
> 85 │ .target = nflog_tg,
> 86 │ .targetsize = sizeof(struct xt_nflog_info),
> 87 │ .me = THIS_MODULE,
> 88 │ },
> 89 │ #endif
> 90 │ };
Are you sure you didn't have the bug you mentioned because your kernel
config doesn't have CONFIG_IP6_NF_IPTABLES?
> .checkentry = nflog_tg_check,
> .destroy = nflog_tg_destroy,
> .target = nflog_tg,
> diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
> index f76fe04fc9a4e19f18ac323349ba6f22a00eafd7..65b965ca40ea7ea5d9feff381b433bf267a424c4 100644
> --- a/net/netfilter/xt_mark.c
> +++ b/net/netfilter/xt_mark.c
> @@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
> {
> .name = "MARK",
> .revision = 2,
> - .family = NFPROTO_IPV4,
> + .family = NFPROTO_IPV6,
Same here.
So I think this patch is not needed, right?
> .target = mark_tg,
> .targetsize = sizeof(struct xt_mark_tginfo2),
> .me = THIS_MODULE,
>
> ---
> base-commit: 75aa74d52f43e75d0beb20572f98529071b700e5
> change-id: 20241018-xtables-typos-dfeadb8b122d
>
> Best regards,
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
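As an added illustration of the review point above (not code from the patch or from the kernel tree), here is a stand-alone check over a simplified model of an `xt_target` registration array: it reports duplicate `(name, revision, family)` entries and whether the target still has an `NFPROTO_IPV4` and an `NFPROTO_IPV6` registration. The struct is a reduced stand-in for the kernel's; the `NFPROTO_*` values are the kernel's numbers.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Numeric values as defined in uapi/linux/netfilter.h. */
enum { NFPROTO_IPV4 = 2, NFPROTO_IPV6 = 10 };

/* Reduced stand-in for struct xt_target: only the lookup key fields. */
struct xt_target {
    const char *name;
    unsigned char revision;
    unsigned short family;
};

struct reg_report {
    int duplicates;  /* pairs of entries sharing (name, revision, family) */
    int has_ipv4;    /* 1 if at least one NFPROTO_IPV4 entry is present */
    int has_ipv6;    /* 1 if at least one NFPROTO_IPV6 entry is present */
};

/* Walk a registration array and flag what a reviewer wants to catch. */
struct reg_report check_targets(const struct xt_target *reg, size_t n)
{
    struct reg_report r = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (reg[i].family == NFPROTO_IPV4) r.has_ipv4 = 1;
        if (reg[i].family == NFPROTO_IPV6) r.has_ipv6 = 1;
        for (size_t j = i + 1; j < n; j++)
            if (strcmp(reg[i].name, reg[j].name) == 0 &&
                reg[i].revision == reg[j].revision &&
                reg[i].family == reg[j].family)
                r.duplicates++;
    }
    return r;
}

/* Constructed: MARK rev 2 before the patch (v4 entry plus the
 * CONFIG_IP6_NF_IPTABLES v6 entry) and after it (v4 retargeted to v6). */
static const struct xt_target mark_before[] = {
    { "MARK", 2, NFPROTO_IPV4 }, { "MARK", 2, NFPROTO_IPV6 },
};
static const struct xt_target mark_after[] = {
    { "MARK", 2, NFPROTO_IPV6 }, { "MARK", 2, NFPROTO_IPV6 },
};

int main(void)
{
    struct reg_report b = check_targets(mark_before, 2);
    struct reg_report a = check_targets(mark_after, 2);
    printf("before: dup=%d v4=%d v6=%d\n", b.duplicates, b.has_ipv4, b.has_ipv6);
    printf("after:  dup=%d v4=%d v6=%d\n", a.duplicates, a.has_ipv4, a.has_ipv6);
    return 0;
}
```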
On Fri, Oct 18, 2024 at 06:45:00PM +0300, Ilya Katsnelson wrote:
> These were added with the wrong family in 4cdc55e, which seems
> to just have been a typo, but now ip6tables rules with --set-mark
> don't work anymore, which is pretty bad.
>
> Fixes: 4cdc55ec6222 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
On my system, the commit is 0bfcb7b71e735560077a42847f69597ec7dcc326. Is
that correct?
> Signed-off-by: Ilya Katsnelson <me@0upti.me>
Reviewed-by: Phil Sutter <phil@nwl.cc>