Bug 1930723
| Summary: | regression: arbitrary ipv6 mask not supported anymore | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Enrico Scholz <rh-bugzilla> |
| Component: | iptables | Assignee: | Phil Sutter <psutter> |
| Status: | CLOSED ERRATA | QA Contact: | Štěpán Němec <snemec> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.3 | CC: | atragler, jiji, kzhang, psutter, snemec, todoleza |
| Target Milestone: | rc | Keywords: | Triaged, Upstream |
| Target Release: | 8.5 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | iptables-1.8.4-18.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-11-09 19:54:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Enrico Scholz
2021-02-19 13:02:18 UTC
Thanks for the report! This is a userspace bug, so the kernel is unrelated. Downgrading the iptables RPM (if available) should avoid it even in newer kernels.

Fix sent upstream: https://lore.kernel.org/netfilter-devel/20210219165726.20986-1-phil@nwl.cc/T/#u

iptables-translate is problematic, too:

```
# iptables-translate -A FORWARD -s 10.11.12.13/255.0.255.0
nft add rule ip filter FORWARD ip saddr 10.0.12.0/255.0.255.0 counter
# nft add rule ip filter FORWARD ip saddr 10.0.12.0/255.0.255.0 counter
Error: syntax error, unexpected string, expecting number
add rule ip filter FORWARD ip saddr 10.0.12.0/255.0.255.0 counter
                                     ^^^^^^^^^^^
```

Fix for xtables-translate also submitted upstream: https://lore.kernel.org/netfilter-devel/20210302143010.3362-1-phil@nwl.cc/

Upstream commits to backport:
commit 330f5df03ad589b46865ceedf2a54cf10a4225ba
Author: Phil Sutter <phil>
Date: Fri Feb 19 16:54:57 2021 +0100

    nft: Fix bitwise expression avoidance detection

    Byte-boundary prefix detection was too sloppy: Any data following the
    first zero-byte was ignored. Add a follow-up loop making sure there are
    no stray bits in the designated host part.

    Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches")
    Signed-off-by: Phil Sutter <phil>
commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae
Author: Phil Sutter <phil>
Date: Tue Mar 2 14:50:07 2021 +0100

    xtables-translate: Fix translation of odd netmasks

    Iptables supports netmasks which are not prefixes to match on (or
    ignore) arbitrary bits in an address. Yet nftables' prefix notation is
    available for real prefixes only, so translation is not as trivial -
    print bitmask syntax for those cases.

    Signed-off-by: Phil Sutter <phil>
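As an added illustration of the two checks the commits above describe (this is my own reconstruction, not code from iptables or from those commits), a prefix detector that keeps the follow-up loop over the host part, and a translator that emits nft prefix notation only for real prefixes and falls back to nft's `& mask == addr` bitmask syntax otherwise. Function names and the 160-byte output buffer are my choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Prefix length of a contiguous netmask (4 bytes IPv4, 16 bytes IPv6); -1 if the
 * mask has stray bits in its host part, e.g. 255.0.255.0 or ffff:0:ffff::. */
int mask_prefix_len(const uint8_t *mask, size_t len)
{
    int plen = 0;
    size_t i = 0;
    for (; i < len && mask[i] == 0xff; i++)     /* whole network bytes */
        plen += 8;
    if (i < len && mask[i]) {                   /* partial byte: leading ones only */
        uint8_t b = mask[i], inv = (uint8_t)~b;
        if (inv & (inv + 1))                    /* ~b must be of the form 2^k - 1 */
            return -1;
        for (; b & 0x80; b <<= 1)
            plen++;
        i++;
    }
    /* The follow-up loop the first commit adds: without it, 255.0.255.0 passes as /8. */
    for (; i < len; i++)
        if (mask[i])
            return -1;
    return plen;
}

/* nft source-address match for textual addr/mask: prefix notation for a real
 * prefix, bitmask syntax otherwise (the second commit). NULL on bad input. */
const char *nft_saddr_match(const char *addr, const char *mask)
{
    static char out[160], net[INET6_ADDRSTRLEN];
    uint8_t a[16], m[16];
    int plen, af = strchr(addr, ':') ? AF_INET6 : AF_INET;
    size_t i, len = af == AF_INET6 ? 16 : 4;
    const char *l3 = af == AF_INET6 ? "ip6" : "ip";
    if (inet_pton(af, addr, a) != 1 || inet_pton(af, mask, m) != 1)
        return NULL;
    for (i = 0; i < len; i++)                   /* iptables prints the masked address */
        a[i] &= m[i];
    inet_ntop(af, a, net, sizeof net);
    plen = mask_prefix_len(m, len);
    if (plen >= 0)
        snprintf(out, sizeof out, "%s saddr %s/%d", l3, net, plen);
    else
        snprintf(out, sizeof out, "%s saddr & %s == %s", l3, mask, net);
    return out;
}
```

With the input from the comment above, `nft_saddr_match("10.11.12.13", "255.0.255.0")` yields `ip saddr & 255.0.255.0 == 10.0.12.0`, which nft parses, instead of the rejected `10.0.12.0/255.0.255.0`.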
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (iptables bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4468