iptables physdev match broken via upstream stable patchset 2023-04-06 / v5.15.93, fixed upstream in 5.15.109
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| linux (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
physdev iptables match was broken in a stable update.
A fix was already committed in upstream releases
5.4.242
5.15.109
6.1.26
6.2.13 / LP: #2023929 / LP: #2026752
== Regression details ==
Discovered in version: 5.19.0-
Last known good version: 5.19.0-
How to tell? Add & use a bridge interface, add catchall filter (no -j ACTION needed) see if *any* bridge traffic is tracked:
# iptables -A INPUT -m physdev --physdev-in + -m comment --comment "watch me"
# iptables -nvL INPUT | grep watch
The match behaves as if the matched packets were not bridge traffic, and consistently so: negation works. Security impact highly depends on rule design. KVM hosts, probably.
bug introduced, bridge info discarded
5.4.232 dffe83a198a6c29
5.15.93 89a69216f17005e
6.1.11 a1512f11ec02458
6.2 2b272bb558f1d3a
netfilter: br_netfilter: disable sabotage_in hook after first suppression
fixed, bridge info no longer discarded
5.4.242 36f098e1e4d1a37
5.15.109 cb9b96c154a10dd
6.1.26 ea854a25c8327f5
6.2.13 22134b86de9c2af
master 94623f579ce338b
netfilter: br_netfilter: fix recent physdev match breakage
related module names: xt_physdev nft_meta_bridge br_netfilter
| Changed in linux (Ubuntu): | |
| status: | New → Fix Committed |
| Birgit Edel (biredel) wrote | #2 |
| Changed in linux (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| description: | updated |
Fixed in:
Ubuntu 6.2.0-26.
Available on jammy via:
linux-image-