Bug 1019743

Summary: No more PHYSIN in iptables INPUT rules
Product: [Fedora] Fedora
Reporter: Rolf Fokkens <rolf>
Component: kernel
Assignee: fedora-kernel-networking
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 19
CC: gansalmon, itamar, jonathan, jsiero, kernel-maint, madhu.chinakonda, marcelo.barbosa, michele, rolf
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-03 22:37:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Rolf Fokkens 2013-10-16 10:43:13 UTC
Description of problem:
Since upgrading to the Fedora 19 kernel, iptables processing apparently no longer has the notion of a PHYSIN device (in case of a bridge interface) for INPUT rules. PHYSIN is no longer available in iptables logging, nor is it matched by any rules.

Version-Release number of selected component (if applicable):
kernel-3.11.3-201.fc19.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Add iptables rules like this:
   iptables -I INPUT -i br1 -m conntrack --ctstate NEW  -j LOG --log-prefix NOPHYSIN
   iptables -I INPUT -i br1 -m conntrack --ctstate NEW  -m physdev --physdev-in vnet+ -j LOG --log-prefix PHYSIN
2. Note that the logging shows only NOPHYSIN messages and no PHYSIN messages
3. Note that the counters for the first rule are updated while the counters for the second remain 0

Actual results:
Firewall rules suddenly not matching

Expected results:
Firewall rules matching as before

Additional info:
Previous (working kernel): kernel-3.9.4-200.fc18.x86_64

A selection from our syslog demonstrates the issue. At about 10:10:00 the system was rebooted; after that PHYSIN is lost for INPUT rules:

Oct 14 09:49:11 kvm02 kernel: [1552500.679452] iptables:DROPREST:IN=br1 OUT= PHYSIN=vnet4 MAC=c8:60:00:8a:5b:6a:52:54:00:9c:c5:fb:08:00 SRC=129.125.100.130 DST=129.125.100.102 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 14 10:05:01 kvm02 kernel: [1553450.653313] iptables:DROPREST:IN=br1 OUT= PHYSIN=em1 MAC=c8:60:00:8a:5b:6a:00:d0:00:97:4c:00:08:00 SRC=178.32.8.224 DST=129.125.100.102 LEN=44 TOS=0x00 PREC=0x00 TTL=56 ID=5582 PROTO=TCP SPT=111 DPT=29609 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Oct 14 10:12:12 kvm02 kernel: [   32.913511] iptables:DROPREST:IN=br1 OUT= MAC=c8:60:00:8a:5b:6a:00:d0:00:97:4c:00:08:00 SRC=122.136.196.116 DST=129.125.100.102 LEN=82 TOS=0x00 PREC=0x00 TTL=114 ID=13667 PROTO=UDP SPT=18485 DPT=53 LEN=62 
Oct 14 10:19:25 kvm02 kernel: [  465.852664] iptables:DROPREST:IN=br1 OUT= MAC=c8:60:00:8a:5b:6a:52:54:00:9c:c5:fb:08:00 SRC=129.125.100.130 DST=129.125.100.102 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=44769 DF PROTO=UDP SPT=41923 DPT=53 LEN=50
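The syslog excerpt above is the only place this regression becomes visible: bridge traffic reaching INPUT without a PHYSIN field means every rule using `-m physdev --physdev-in` silently stops matching. The following added example (not part of the bug report) parses iptables LOG lines of that shape and flags bridge INPUT entries that lack PHYSIN; the sample lines are constructed, shortened from the excerpt above, and the `br` interface prefix is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines, shortened from the syslog excerpt in the report:
# the first (old kernel) carries PHYSIN, the other two (after reboot) do not.
SAMPLE_LOG = [
    "Oct 14 09:49:11 kvm02 kernel: [1552500.679452] iptables:DROPREST:IN=br1 OUT= PHYSIN=vnet4 MAC=c8:60:00:8a:5b:6a:52:54:00:9c:c5:fb:08:00 SRC=129.125.100.130 DST=129.125.100.102 LEN=328 TOS=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308",
    "Oct 14 10:12:12 kvm02 kernel: [   32.913511] iptables:DROPREST:IN=br1 OUT= MAC=c8:60:00:8a:5b:6a:00:d0:00:97:4c:00:08:00 SRC=122.136.196.116 DST=129.125.100.102 LEN=82 TOS=0x00 TTL=114 ID=13667 PROTO=UDP SPT=18485 DPT=53 LEN=62",
    "Oct 14 10:19:25 kvm02 kernel: [  465.852664] iptables:DROPREST:IN=br1 OUT= MAC=c8:60:00:8a:5b:6a:52:54:00:9c:c5:fb:08:00 SRC=129.125.100.130 DST=129.125.100.102 LEN=70 TOS=0x00 TTL=63 ID=44769 DF PROTO=UDP SPT=41923 DPT=53 LEN=50",
]

TOKEN = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_log_line(line):
    """Split one iptables LOG line into its KEY=VALUE fields.

    Everything between 'iptables:' and the first 'IN=' is the --log-prefix
    (the LOG target glues it directly onto IN=). Keyless tokens such as DF,
    SYN or ACK become flags with value True; an empty value ('OUT=') is kept
    as ''. LEN appears twice (IP and UDP/TCP); the last one wins.
    Returns None for lines that are not iptables logs.
    """
    marker = line.find("iptables:")
    if marker < 0:
        return None
    payload = line[marker + len("iptables:"):]
    start = payload.find("IN=")
    if start < 0:
        return None
    fields = {"PREFIX": payload[:start]}
    for tok in payload[start:].split():
        m = TOKEN.fullmatch(tok)
        if m:
            fields[m.group("key")] = m.group("val")
        else:
            fields[tok] = True
    return fields


def physin_audit(lines, bridge_prefix="br"):
    """Count input-path log entries per bridge with and without PHYSIN.

    OUT= is empty on the INPUT path; FORWARD entries (OUT set) are skipped.
    On a kernel where physdev works, every IN=br* entry should carry PHYSIN.
    """
    counts = defaultdict(lambda: {"with_physin": 0, "without_physin": 0})
    for line in lines:
        f = parse_log_line(line)
        if not f or f.get("OUT") != "" or not f.get("IN", "").startswith(bridge_prefix):
            continue
        counts[f["IN"]]["with_physin" if "PHYSIN" in f else "without_physin"] += 1
    return dict(counts)


def physdev_regressed(lines, bridge_prefix="br"):
    """True if any bridge logged INPUT traffic without a PHYSIN field."""
    return any(c["without_physin"] > 0 for c in physin_audit(lines, bridge_prefix).values())
```

Run against the kernel ring buffer or syslog after a kernel upgrade; a non-zero `without_physin` count for a bridge is the signal that physdev-based INPUT rules are no longer being applied.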

Comment 1 Rolf Fokkens 2013-10-25 10:43:56 UTC
In kernel-3.11.6-200.fc19.x86_64 the issue seems to be gone; PHYSIN is back for INPUT rules.

Comment 2 Michele Baldessari 2013-11-02 10:01:50 UTC
Hi Rolf,

I don't see any relevant changes in there in the netfilter code:
$ git lg --no-merges v3.11.3..v3.11.6 net/netfilter/
* c660973 - (2013-10-13 18:14:25 -0700)  ip: generate unique IP identificator if local fragmentation is allowed <Ansis Atteka>

Unless the issue stems from somewhere else of course ;)

Can you close this BZ if the issue is gone, please?

Thanks and regards,
Michele

Comment 3 Rolf Fokkens 2013-11-03 22:37:18 UTC
Hi Michele,

The issue sure was there, but with the latest kernel it's gone indeed.

I'll close the bug.

Thanks,

Rolf