2023-05-23 14:48:24 | Birgit Edel | bug | added bug
2023-05-23 14:51:57 | Birgit Edel | linux (Ubuntu): status | New -> Fix Committed
2023-06-15 09:02:56 | Birgit Edel | description | changed:

Old value:

physdev iptables match was broken in a stable update.
A fix is described in upstream releases 5.15.109 and 6.1.26

== Regression details ==
Discovered in version: 5.19.0-42.43~22.04.1
Last known good version: 5.19.0-41.42~22.04.1

How to tell? Add & use a bridge interface, add a catch-all filter (no -j ACTION needed), and see if *any* bridge traffic is tracked:
# iptables -A INPUT -m physdev --physdev-in + -m comment --comment "watch me"
# iptables -nvL INPUT | grep watch
The match behaves as if the matched packets were not bridge traffic, and consistently so: negation works. Security impact highly depends on rule design. KVM hosts, probably.

LP: #2015511
LP: #2012665

bridge info discarded after 2b272bb558f1d3a5aa95ed8a82253786fd1a48ba
  "netfilter: br_netfilter: disable sabotage_in hook after first suppression"
bridge info no longer discarded after 94623f579ce338b5fa61b5acaa5beb8aa657fb9e
  "netfilter: br_netfilter: fix recent physdev match breakage"

related module names: xt_physdev nft_meta_bridge br_netfilter

New value:

physdev iptables match was broken in a stable update.
A fix was already committed in upstream releases
  5.4.242
  5.15.109
  6.1.26
  6.2.13 / LP: #2023929

== Regression details ==
Discovered in version: 5.19.0-42.43~22.04.1
Last known good version: 5.19.0-41.42~22.04.1

How to tell? Add & use a bridge interface, add a catch-all filter (no -j ACTION needed), and see if *any* bridge traffic is tracked:
# iptables -A INPUT -m physdev --physdev-in + -m comment --comment "watch me"
# iptables -nvL INPUT | grep watch
The match behaves as if the matched packets were not bridge traffic, and consistently so: negation works. Security impact highly depends on rule design. KVM hosts, probably.

bug introduced, bridge info discarded:
  5.4.232   dffe83a198a6c293155f99958e51ab84442424c5   LP: #2011625
  5.15.93   89a69216f17005e28bd9a333662dcb3247dd0f56   LP: #2015511
  6.1.11    a1512f11ec02458c0986f169f29c90a92c150cc4   LP: #2012665
  6.2       2b272bb558f1d3a5aa95ed8a82253786fd1a48ba
  "netfilter: br_netfilter: disable sabotage_in hook after first suppression"

fixed, bridge info no longer discarded:
  5.4.242   36f098e1e4d1a372329c6244b220047a19e60dbd
  5.15.109  cb9b96c154a10dd4802b82281c9246eabe081026
  6.1.26    ea854a25c8327f51f7ff529b745794a985185563
  6.2.13    22134b86de9c2afe28e1f406062cd93bdcac4149
  master    94623f579ce338b5fa61b5acaa5beb8aa657fb9e
  "netfilter: br_netfilter: fix recent physdev match breakage"

related module names: xt_physdev nft_meta_bridge br_netfilter
2023-06-15 09:06:11 | Birgit Edel | attachment added | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=94623f579ce338b5fa61b5acaa5beb8aa657fb9e
2023-07-26 17:50:58 | Birgit Edel | linux (Ubuntu): status | Fix Committed -> Fix Released
2023-07-26 17:52:38 | Birgit Edel | description | changed:

Old value:

physdev iptables match was broken in a stable update.
A fix was already committed in upstream releases
  5.4.242
  5.15.109
  6.1.26
  6.2.13 / LP: #2023929

== Regression details ==
Discovered in version: 5.19.0-42.43~22.04.1
Last known good version: 5.19.0-41.42~22.04.1

How to tell? Add & use a bridge interface, add a catch-all filter (no -j ACTION needed), and see if *any* bridge traffic is tracked:
# iptables -A INPUT -m physdev --physdev-in + -m comment --comment "watch me"
# iptables -nvL INPUT | grep watch
The match behaves as if the matched packets were not bridge traffic, and consistently so: negation works. Security impact highly depends on rule design. KVM hosts, probably.

bug introduced, bridge info discarded:
  5.4.232   dffe83a198a6c293155f99958e51ab84442424c5   LP: #2011625
  5.15.93   89a69216f17005e28bd9a333662dcb3247dd0f56   LP: #2015511
  6.1.11    a1512f11ec02458c0986f169f29c90a92c150cc4   LP: #2012665
  6.2       2b272bb558f1d3a5aa95ed8a82253786fd1a48ba
  "netfilter: br_netfilter: disable sabotage_in hook after first suppression"

fixed, bridge info no longer discarded:
  5.4.242   36f098e1e4d1a372329c6244b220047a19e60dbd
  5.15.109  cb9b96c154a10dd4802b82281c9246eabe081026
  6.1.26    ea854a25c8327f51f7ff529b745794a985185563
  6.2.13    22134b86de9c2afe28e1f406062cd93bdcac4149
  master    94623f579ce338b5fa61b5acaa5beb8aa657fb9e
  "netfilter: br_netfilter: fix recent physdev match breakage"

related module names: xt_physdev nft_meta_bridge br_netfilter

New value:

physdev iptables match was broken in a stable update.
A fix was already committed in upstream releases
  5.4.242
  5.15.109
  6.1.26
  6.2.13 / LP: #2023929 / LP: #2026752

== Regression details ==
Discovered in version: 5.19.0-42.43~22.04.1
Last known good version: 5.19.0-41.42~22.04.1

How to tell? Add & use a bridge interface, add a catch-all filter (no -j ACTION needed), and see if *any* bridge traffic is tracked:
# iptables -A INPUT -m physdev --physdev-in + -m comment --comment "watch me"
# iptables -nvL INPUT | grep watch
The match behaves as if the matched packets were not bridge traffic, and consistently so: negation works. Security impact highly depends on rule design. KVM hosts, probably.

bug introduced, bridge info discarded:
  5.4.232   dffe83a198a6c293155f99958e51ab84442424c5   LP: #2011625
  5.15.93   89a69216f17005e28bd9a333662dcb3247dd0f56   LP: #2015511
  6.1.11    a1512f11ec02458c0986f169f29c90a92c150cc4   LP: #2012665
  6.2       2b272bb558f1d3a5aa95ed8a82253786fd1a48ba
  "netfilter: br_netfilter: disable sabotage_in hook after first suppression"

fixed, bridge info no longer discarded:
  5.4.242   36f098e1e4d1a372329c6244b220047a19e60dbd
  5.15.109  cb9b96c154a10dd4802b82281c9246eabe081026
  6.1.26    ea854a25c8327f51f7ff529b745794a985185563
  6.2.13    22134b86de9c2afe28e1f406062cd93bdcac4149
  master    94623f579ce338b5fa61b5acaa5beb8aa657fb9e
  "netfilter: br_netfilter: fix recent physdev match breakage"

related module names: xt_physdev nft_meta_bridge br_netfilter
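The "How to tell?" check in the description leaves the reader to eyeball the counter of the "watch me" rule. The script below, an added example that is not part of the bug report or of the kernel commits it lists, turns that into a verdict a host-hardening check can run: it parses the `pkts` column of `iptables -nvxL INPUT` for the rule carrying the comment and reports whether the physdev match is seeing bridge traffic at all. It assumes the rule was added exactly as in the report and that `-x` was added to the listing so counters are not abbreviated; the two sample listings are constructed, the `--live` flag and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): decide from `iptables -nvxL INPUT`
# output whether a physdev "watch me" rule is seeing bridge traffic. A counter
# that stays at 0 while traffic crosses the bridge means the match no longer
# sees bridge metadata, i.e. the regression described in the report is present.
# Assumes the rule from the report plus -x (exact counters, no K/M/G suffixes).

# physdev_pkts OUTPUT TAG: print the packet counter of the first rule whose
# comment is TAG, or -1 if no such rule is listed.
physdev_pkts() {
    printf '%s\n' "$1" | awk -v tag="/* $2 */" '
        index($0, tag) { print $1; found = 1; exit }
        END { if (!found) print "-1" }'
}

# physdev_status OUTPUT TAG: missing (rule absent), broken (counter 0), ok (>0)
physdev_status() {
    n=$(physdev_pkts "$1" "$2")
    if [ "$n" -lt 0 ]; then
        echo missing
    elif [ "$n" -eq 0 ]; then
        echo broken
    else
        echo ok
    fi
}

# Constructed sample output shaped like `iptables -nvxL INPUT` on a host with
# the regression: the chain sees packets but the physdev rule counts none.
SAMPLE_BROKEN='Chain INPUT (policy ACCEPT 4821 packets, 611233 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in + /* watch me */'

# Constructed sample output from a host where the match works.
SAMPLE_OK='Chain INPUT (policy ACCEPT 4821 packets, 611233 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     137      15982            all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in + /* watch me */'

# With --live (run as root after adding the rule and passing bridge traffic)
# read the real table; otherwise show the verdict on the constructed samples.
if [ "$1" = "--live" ]; then
    physdev_status "$(iptables -nvxL INPUT)" "watch me"
else
    echo "sample (regressed host): $(physdev_status "$SAMPLE_BROKEN" 'watch me')"
    echo "sample (healthy host):   $(physdev_status "$SAMPLE_OK" 'watch me')"
fi
```

A "broken" verdict on a host whose firewall relies on physdev rules to separate guest bridge traffic (the KVM case the report points at) means those rules are silently not applied, which is the condition to alert on; "missing" only says the watch rule was never added.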