iptables physdev match broken via upstream stable patchset 2023-04-06 / v5.15.93, fixed upstream in 5.15.109
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
physdev iptables match was broken in a stable update.
A fix was already committed in upstream releases 5.4.242, 5.15.109, 6.1.26 and 6.2.13 (LP: #2023929, LP: #2026752).
== Regression details ==
Discovered in version: 5.19.0-
Last known good version: 5.19.0-
How to tell? Add and use a bridge interface, add a catch-all filter (no -j ACTION needed) and see if *any* bridge traffic is tracked:
# iptables -A INPUT -m physdev --physdev-in + -m comment --comment "watch me"
# iptables -nvL INPUT | grep watch
The match behaves as if the matched packets were not bridge traffic, and consistently so: negation works. Security impact depends heavily on rule design. KVM hosts, probably.
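An added example (not part of the bug report) that automates the check above: it reads the counter table printed by `iptables -nvL INPUT`, pulls the packet count of the physdev rule tagged with the "watch me" comment, and classifies it. The sample tables are constructed to mimic the counter format; the function names and the live_check wrapper are this example's own.

```shell
#!/bin/sh
# Print the pkts counter of the INPUT rule that carries the PHYSDEV match
# and the comment given as $1. Reads `iptables -nvL INPUT` output on stdin.
# Prints the integer counter, or "missing" when no such rule is present.
physdev_counter() {
    awk -v tag="/* $1 */" '
        index($0, tag) && index($0, "PHYSDEV") { found = 1; print $1; exit }
        END { if (!found) print "missing" }
    '
}

# Turn the counter into a verdict. After bridge traffic has flowed, a
# counter stuck at 0 is the regression symptom described in the report
# (packets are treated as if they were not bridge traffic at all).
physdev_verdict() {
    case "$1" in
        missing) echo missing ;;   # rule was never added
        0)       echo broken ;;    # rule present, nothing matched
        *)       echo ok ;;        # physdev sees the bridge traffic
    esac
}

# Constructed sample: regressed kernel, bridge traffic flowed, counter stays 0.
SAMPLE_BROKEN='Chain INPUT (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in + /* watch me */'

# Constructed sample: fixed kernel, the same rule is counting packets.
SAMPLE_OK='Chain INPUT (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3360            all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in + /* watch me */'

# Live check: needs root, a bridge carrying traffic and the rule from the
# report already added. Prints ok / broken / missing for the running kernel.
live_check() {
    physdev_verdict "$(iptables -nvL INPUT 2>/dev/null | physdev_counter 'watch me')"
}

# Demonstrate on the constructed samples (no root needed).
physdev_verdict "$(printf '%s\n' "$SAMPLE_BROKEN" | physdev_counter 'watch me')"
physdev_verdict "$(printf '%s\n' "$SAMPLE_OK" | physdev_counter 'watch me')"
```

Run `live_check` on a host with the rule installed; without the `-x` flag iptables may abbreviate large counters (e.g. 12K), which still classifies as ok.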
Bug introduced (bridge info discarded) by "netfilter: br_netfilter: disable sabotage_in hook after first suppression":

Version | Commit
---|---
5.4.232 | dffe83a198a6c29
5.15.93 | 89a69216f17005e
6.1.11 | a1512f11ec02458
6.2 | 2b272bb558f1d3a

Fixed (bridge info no longer discarded) by "netfilter: br_netfilter: fix recent physdev match breakage":

Version | Commit
---|---
5.4.242 | 36f098e1e4d1a37
5.15.109 | cb9b96c154a10dd
6.1.26 | ea854a25c8327f5
6.2.13 | 22134b86de9c2af
master | 94623f579ce338b
Related module names: xt_physdev, nft_meta_bridge, br_netfilter
Changed in linux (Ubuntu): status: New → Fix Committed
Fixed in: Ubuntu 6.2.0-26.26~22.04.1-generic (6.2.13)
Available on jammy via: linux-image-generic-hwe-22.04-edge