Bug 1851944
| Summary: | libxt_NFQUEUE: Fix bug with order of fanout and bypass | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Filippo Carletti <filippo.carletti> |
| Component: | iptables | Assignee: | Phil Sutter <psutter> |
| Status: | CLOSED WONTFIX | QA Contact: | qe-baseos-daemons |
| Severity: | unspecified | Docs Contact: | Sagar Dubewar <sdubewar> |
| Priority: | unspecified | | |
| Version: | 7.8 | CC: | iptables-maint-list, mmuehlfe, psutter, sdubewar, todoleza |
| Target Milestone: | rc | Keywords: | Upstream |
| Target Release: | 7.9 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Known Issue |
| Doc Text: | The `NFQUEUE` target overrides the `queue-cpu-fanout` flag. An iptables `NFQUEUE` target rule that uses both `--queue-bypass` and `--queue-cpu-fanout` accidentally overrides the `--queue-cpu-fanout` option when `--queue-bypass` is ordered after it. Consequently, the `--queue-cpu-fanout` option is ignored. To work around this problem, place the `--queue-bypass` option before the `--queue-cpu-fanout` option. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-06-29 17:02:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Filippo Carletti
2020-06-29 13:50:04 UTC
Hi Filippo,
Thanks for the report!
Trivial upstream commit to backport:
commit d1555a0906e35ba8d170613d5a43da64e527dbe1
Author: Shivani Bhardwaj <shivanib134>
Date: Thu Apr 14 20:55:58 2016 +0530
extensions: libxt_NFQUEUE: Fix bug with order of fanout and bypass
NFQUEUE had a bug with the ordering of fanout and bypass options which
was arising due to same and odd values for flags and bypass when used
together. Because of this, during bitwise ANDing of flags and
NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
NFQ_FLAG_CPU_FANOUT=0x02) and led to skipping of fanout option
whenever it was used before bypass because then flags would be 1.
Before this patch,
$ sudo iptables -A FORWARD -j NFQUEUE -p TCP --sport 80 --queue-balance 0:3 --queue-cpu-fanout --queue-bypass
Chain FORWARD (policy ACCEPT)
target prot opt source destination
NFQUEUE tcp -- anywhere anywhere tcp spt:http NFQUEUE balance 0:3 bypass
After this patch,
Chain FORWARD (policy ACCEPT)
target prot opt source destination
NFQUEUE tcp -- anywhere anywhere tcp spt:http NFQUEUE balance 0:3 bypass cpu-fanout
Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939
Suggested-by: Pablo Neira Ayuso <pablo>
Signed-off-by: Shivani Bhardwaj <shivanib134>
Signed-off-by: Pablo Neira Ayuso <pablo>
Tomas, please consider this ticket for qa_ack+.
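The defect the commit message above describes (a flag word that is overwritten rather than OR-ed, so `flags & NFQ_FLAG_CPU_FANOUT` is false whenever `--queue-cpu-fanout` precedes `--queue-bypass`) can be reproduced with a small C model. This is an added example, not code from the page, the upstream commit, or iptables itself: the pre-fix parser is a reconstruction of the behaviour the commit message describes (assumption: `--queue-bypass` assigns the flag word to 1 instead of setting its own bit), the `struct nfq_info`, `enum nfq_opt` and helper names are constructed for this illustration, and the flag values are the kernel's `NFQ_FLAG_BYPASS` (0x01) and `NFQ_FLAG_CPU_FANOUT` (0x02, the value the commit message cites). The `has_cpu_fanout` check is the one a rule author would use to confirm a rule carries the flags they intended, which is what the `iptables -L` output in the commit message shows.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Flag bits from the kernel's xt_NFQUEUE.h; the commit message cites
 * NFQ_FLAG_CPU_FANOUT = 0x02. */
#define NFQ_FLAG_BYPASS     0x01
#define NFQ_FLAG_CPU_FANOUT 0x02

/* Minimal model of the target info the option parser fills in: one flag word. */
struct nfq_info {
    uint16_t flags;
};

/* Model option ids for the two options the report is about (constructed for
 * this example; not iptables' own option table). */
enum nfq_opt { OPT_BYPASS, OPT_CPU_FANOUT };

typedef void (*parse_fn)(struct nfq_info *, enum nfq_opt);

/* Pre-fix behaviour as the commit message describes it (assumption: this is a
 * reconstruction, not the upstream source). --queue-bypass assigns the whole
 * flag word to 1 instead of OR-ing in its own bit, so a CPU_FANOUT bit that an
 * earlier --queue-cpu-fanout already set is wiped out. */
static void parse_option_buggy(struct nfq_info *info, enum nfq_opt opt)
{
    switch (opt) {
    case OPT_BYPASS:
        info->flags = 1;                 /* overwrite: drops 0x02 if present */
        break;
    case OPT_CPU_FANOUT:
        info->flags |= NFQ_FLAG_CPU_FANOUT;
        break;
    }
}

/* Fixed behaviour: every option OR-s in only its own bit, so the result is
 * the same whichever order the options appear on the command line. */
static void parse_option_fixed(struct nfq_info *info, enum nfq_opt opt)
{
    switch (opt) {
    case OPT_BYPASS:
        info->flags |= NFQ_FLAG_BYPASS;
        break;
    case OPT_CPU_FANOUT:
        info->flags |= NFQ_FLAG_CPU_FANOUT;
        break;
    }
}

/* Feed an option sequence through a parser and return the resulting flag word. */
static uint16_t parse_sequence(parse_fn parse, const enum nfq_opt *opts, size_t n)
{
    struct nfq_info info = { 0 };
    for (size_t i = 0; i < n; i++)
        parse(&info, opts[i]);
    return info.flags;
}

/* The two orders from the report: the command in the commit message passes
 * --queue-cpu-fanout before --queue-bypass; the workaround is the reverse. */
static const enum nfq_opt fanout_then_bypass[] = { OPT_CPU_FANOUT, OPT_BYPASS };
static const enum nfq_opt bypass_then_fanout[] = { OPT_BYPASS, OPT_CPU_FANOUT };

uint16_t buggy_fanout_then_bypass(void) { return parse_sequence(parse_option_buggy, fanout_then_bypass, 2); }
uint16_t buggy_bypass_then_fanout(void) { return parse_sequence(parse_option_buggy, bypass_then_fanout, 2); }
uint16_t fixed_fanout_then_bypass(void) { return parse_sequence(parse_option_fixed, fanout_then_bypass, 2); }
uint16_t fixed_bypass_then_fanout(void) { return parse_sequence(parse_option_fixed, bypass_then_fanout, 2); }

/* The check a rule author cares about: did cpu-fanout survive into the flag
 * word? This is the bitwise AND the commit message says evaluated to false. */
int has_cpu_fanout(uint16_t flags)
{
    return (flags & NFQ_FLAG_CPU_FANOUT) != 0;
}

/* Render the flag word the way the `iptables -L` output in the commit message does. */
static void print_flags(const char *label, uint16_t flags)
{
    printf("%-28s flags=0x%02x ->%s%s\n", label, flags,
           (flags & NFQ_FLAG_BYPASS) ? " bypass" : "",
           (flags & NFQ_FLAG_CPU_FANOUT) ? " cpu-fanout" : "");
}

int main(void)
{
    print_flags("buggy, fanout then bypass:", buggy_fanout_then_bypass());
    print_flags("buggy, bypass then fanout:", buggy_bypass_then_fanout());
    print_flags("fixed, fanout then bypass:", fixed_fanout_then_bypass());
    print_flags("fixed, bypass then fanout:", fixed_bypass_then_fanout());
    return 0;
}
```

Run stand-alone, the buggy parser reports only `bypass` for the fanout-then-bypass order and `bypass cpu-fanout` for the reverse order, which is exactly why reordering the arguments works around the bug; the fixed parser yields `bypass cpu-fanout` for both orders.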
Filippo, As we are pretty late in the RHEL7.9 release phase, there is some resistance to accepting this bug for the release. Are you OK with this being a known issue in RHEL7 and the fact that RHEL8 is not affected? Sorting the arguments passed to the NFQUEUE target allows working around the bug.

Cheers, Phil

Fine with me.
I've already worked around the problem passing the queue-cpu-fanout last.
Users of shorewall will be affected by the bug, I've notified them: https://sourceforge.net/p/shorewall/mailman/message/37049018/

Thank you.

Hi Filippo,

(In reply to Filippo Carletti from comment #6)
> Fine with me.
> I've already worked around the problem passing the queue-cpu-fanout last.
> Users of shorewall will be affected by the bug, I've notified them:
> https://sourceforge.net/p/shorewall/mailman/message/37049018/

Thanks for notifying Shorewall developers.