Bug 1019743 - No more PHYSIN in iptables INPUT rules
Summary: No more PHYSIN in iptables INPUT rules
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 19
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: fedora-kernel-networking
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-10-16 10:43 UTC by Rolf Fokkens
Modified: 2013-11-03 22:37 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-03 22:37:18 UTC
Type: Bug



Description Rolf Fokkens 2013-10-16 10:43:13 UTC
Description of problem:
Since upgrading to the Fedora 19 kernel, iptables processing apparently no longer has the notion of a PHYSIN device (in the case of a bridge interface) for INPUT rules. PHYSIN is no longer available in iptables logging, nor is it matched by any rules.

Version-Release number of selected component (if applicable):
kernel-3.11.3-201.fc19.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Add iptables rules like this:
   iptables -I INPUT -i br1 -m conntrack --ctstate NEW  -j LOG --log-prefix NOPHYSIN
   iptables -I INPUT -i br1 -m conntrack --ctstate NEW  -m physdev --physdev-in vnet+ -j LOG --log-prefix PHYSIN
2. Note that the logging shows only NOPHYSIN messages and no PHYSIN messages
3. Note that the counters for the first rule are updated while the counters for the second remain 0

Actual results:
Firewall rules suddenly not matching

Expected results:
Firewall rules matching as before

Additional info:
Previous (working kernel): kernel-3.9.4-200.fc18.x86_64

A selection from our syslog demonstrates the issue. At about 10:10:00 the system was rebooted; after that, PHYSIN is lost for INPUT rules:

Oct 14 09:49:11 kvm02 kernel: [1552500.679452] iptables:DROPREST:IN=br1 OUT= PHYSIN=vnet4 MAC=c8:60:00:8a:5b:6a:52:54:00:9c:c5:fb:08:00 SRC=129.125.100.130 DST=129.125.100.102 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 14 10:05:01 kvm02 kernel: [1553450.653313] iptables:DROPREST:IN=br1 OUT= PHYSIN=em1 MAC=c8:60:00:8a:5b:6a:00:d0:00:97:4c:00:08:00 SRC=178.32.8.224 DST=129.125.100.102 LEN=44 TOS=0x00 PREC=0x00 TTL=56 ID=5582 PROTO=TCP SPT=111 DPT=29609 WINDOW=16384 RES=0x00 ACK SYN URGP=0 
Oct 14 10:12:12 kvm02 kernel: [   32.913511] iptables:DROPREST:IN=br1 OUT= MAC=c8:60:00:8a:5b:6a:00:d0:00:97:4c:00:08:00 SRC=122.136.196.116 DST=129.125.100.102 LEN=82 TOS=0x00 PREC=0x00 TTL=114 ID=13667 PROTO=UDP SPT=18485 DPT=53 LEN=62 
Oct 14 10:19:25 kvm02 kernel: [  465.852664] iptables:DROPREST:IN=br1 OUT= MAC=c8:60:00:8a:5b:6a:52:54:00:9c:c5:fb:08:00 SRC=129.125.100.130 DST=129.125.100.102 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=44769 DF PROTO=UDP SPT=41923 DPT=53 LEN=50
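The failure mode in this report is silent: a rule that depends on `-m physdev --physdev-in vnet+` simply stops matching, its counters stay at 0, and whatever per-VM policy sat behind it is no longer applied while the bridge-level rule still fires. Below is an added example (not code from the bug report or from the Fedora kernel) that parses the kernel LOG-target lines shown above and flags packets that arrived on a bridge interface without a PHYSIN field, which is exactly the before/after difference in the syslog excerpt. The four sample lines are the ones from the report; treating any interface whose name starts with `br` as a bridge is an assumption of this example.

```python
"""Flag bridge traffic logged by iptables without a PHYSIN= field.

Added example, not code from the bug report. Parses the kernel LOG-target
line format seen above; the "br" bridge-name prefix is an assumption.
"""
import re
from typing import Optional

# The four LOG lines from the report above, syslog prefix included.
SAMPLE_LOG = [
    "Oct 14 09:49:11 kvm02 kernel: [1552500.679452] iptables:DROPREST:IN=br1 OUT= PHYSIN=vnet4 MAC=c8:60:00:8a:5b:6a:52:54:00:9c:c5:fb:08:00 SRC=129.125.100.130 DST=129.125.100.102 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308",
    "Oct 14 10:05:01 kvm02 kernel: [1553450.653313] iptables:DROPREST:IN=br1 OUT= PHYSIN=em1 MAC=c8:60:00:8a:5b:6a:00:d0:00:97:4c:00:08:00 SRC=178.32.8.224 DST=129.125.100.102 LEN=44 TOS=0x00 PREC=0x00 TTL=56 ID=5582 PROTO=TCP SPT=111 DPT=29609 WINDOW=16384 RES=0x00 ACK SYN URGP=0",
    "Oct 14 10:12:12 kvm02 kernel: [   32.913511] iptables:DROPREST:IN=br1 OUT= MAC=c8:60:00:8a:5b:6a:00:d0:00:97:4c:00:08:00 SRC=122.136.196.116 DST=129.125.100.102 LEN=82 TOS=0x00 PREC=0x00 TTL=114 ID=13667 PROTO=UDP SPT=18485 DPT=53 LEN=62",
    "Oct 14 10:19:25 kvm02 kernel: [  465.852664] iptables:DROPREST:IN=br1 OUT= MAC=c8:60:00:8a:5b:6a:52:54:00:9c:c5:fb:08:00 SRC=129.125.100.130 DST=129.125.100.102 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=44769 DF PROTO=UDP SPT=41923 DPT=53 LEN=50",
]

# "IN=" opens the LOG fields; the lookbehind stops PHYSIN= from matching.
_FIELDS_START = re.compile(r"(?<![A-Z])IN=")


def parse_iptables_log(line: str) -> Optional[dict]:
    """Return the LOG fields of one line as a dict, or None if not a LOG line.

    Tokens without '=' (DF, SYN, ACK, ...) are collected under FLAGS.
    A repeated key (the second LEN= is the UDP/ICMP payload length) is
    stored as LEN2, LEN3, ... so nothing is silently overwritten.
    """
    m = _FIELDS_START.search(line)
    if m is None:
        return None
    fields = {"PREFIX": line[:m.start()].strip(), "FLAGS": []}
    for token in line[m.start():].split():
        if "=" not in token:
            fields["FLAGS"].append(token)
            continue
        k, _, v = token.partition("=")      # "OUT=" yields an empty value
        key, n = k, 2
        while key in fields:
            key, n = f"{k}{n}", n + 1
        fields[key] = v
    return fields


def split_mac(mac: str):
    """MAC= is dst(6) : src(6) : ethertype(2), colon-separated hex bytes."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError(f"unexpected MAC field: {mac}")
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])


def missing_physin(lines, bridge_prefix: str = "br"):
    """Return parsed entries that entered on a bridge but carry no PHYSIN."""
    hits = []
    for line in lines:
        e = parse_iptables_log(line)
        if e and e.get("IN", "").startswith(bridge_prefix) and "PHYSIN" not in e:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for e in missing_physin(SAMPLE_LOG):
        _dst, src_mac, ethertype = split_mac(e["MAC"])
        print(f"no PHYSIN: IN={e['IN']} src_mac={src_mac} type=0x{ethertype} "
              f"{e['SRC']} -> {e['DST']} {e['PROTO']}")
```

Run against a live syslog feed, a non-empty result after a kernel update is the signal that physdev-restricted rules are no longer seeing the bridge port. The same check can be made without logging at all: `iptables -L INPUT -v -n -x` shows per-rule packet counters, and a physdev rule whose counter stays at 0 while the plain `-i br1` rule above it keeps counting is the condition the report describes.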

Comment 1 Rolf Fokkens 2013-10-25 10:43:56 UTC
In kernel-3.11.6-200.fc19.x86_64 the issue seems to be gone; PHYSIN is back for INPUT rules.

Comment 2 Michele Baldessari 2013-11-02 10:01:50 UTC
Hi Rolf,

I don't see any relevant changes in there in the netfilter code:
$ git lg --no-merges v3.11.3..v3.11.6 net/netfilter/
* c660973 - (2013-10-13 18:14:25 -0700)  ip: generate unique IP identificator if local fragmentation is allowed <Ansis Atteka>

Unless the issue stems from somewhere else of course ;)

Can you close this BZ if the issue is gone, please?

Thanks and regards,
Michele

Comment 3 Rolf Fokkens 2013-11-03 22:37:18 UTC
Hi Michele,

The issue sure was there, but with the latest kernel it's gone indeed.

I'll close the bug.

Thanks,

Rolf

