1715848 – TestOnly: RFE: backport setting secmark support

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1715848 - TestOnly: RFE: backport setting secmark support

Summary: TestOnly: RFE: backport setting secmark support

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	nftables
Sub Component:
Version:	8.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.0
Assignee:	Phil Sutter
QA Contact:	yiche
Docs Contact:
URL:
Whiteboard:
Depends On:	1715851
Blocks:
TreeView+	depends on / blocked

Reported:	2019-05-31 12:44 UTC by Eric Garver
Modified:	2022-05-24 11:41 UTC (History)
CC List:	5 users (show)
Fixed In Version:	nftables-0.9.3-1.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1715851 (view as bug list)
Environment:
Last Closed:	2020-04-28 16:41:51 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-30191	0	None	None	None	2022-05-24 11:41:24 UTC
Red Hat Product Errata	RHEA-2020:1774	0	None	None	None	2020-04-28 16:42:10 UTC

Comment 2 Phil Sutter 2019-10-30 19:22:32 UTC

Userspace bits were added already as part of package rebase, hence marking this one TestOnly. Kernel bits are not there yet, though.

Comment 3 Phil Sutter 2019-10-31 12:36:19 UTC

Removing TestOnly keyword again: Syntax in output is not understood by nft anymore, so using secmark support creates rulesets which may not be fed back into nft anymore. Sadly this is consistent with upstream.

Comment 4 mhickman 2019-11-04 20:42:36 UTC

Hi. What is the status of secmark support? It appears from testing that the iptables wrapper will create secmark rules that work, though nft won't show (or create) them, and the wrapper lists them as commented out.

Comment 5 Phil Sutter 2019-11-24 01:19:08 UTC

(In reply to Phil Sutter from comment #3)
> Removing TestOnly keyword again: Syntax in output is not understood by nft
> anymore, so using secmark support creates rulesets which may not be fed back
> into nft anymore. Sadly this is consistent with upstream.

Should be fixed upstream:

commit 3a7bdd02207f7ae6cd74af8c313d6d0f8f66f4be
Author: Christian Göttsche <cgzones>
Date:   Wed Nov 20 18:43:54 2019 +0100

    statement: make secmark statements idempotent
    
    Currently lines like
    
        ct state new meta secmark set tcp dport map @secmapping_in
    
    becomes
    
        ct state new secmark name tcp dport map @secmapping_in
    
    which is not correct.
    
    Fixes: 3bc84e5c1fdd ("src: add support for setting secmark")
    Signed-off-by: Christian Göttsche <cgzones>
    Signed-off-by: Pablo Neira Ayuso <pablo>

Comment 6 Phil Sutter 2019-11-24 01:22:57 UTC

Hi,

(In reply to mhickman from comment #4)
> Hi. What is the status of secmark support? It appears from testing that the
> iptables wrapper will create secmark rules that work, though nft won't show
> (or create) them, and the wrapper lists them as commented out.

Yes, it is supported in iptables-nft (which uses xt_secmark module) but not in
nftables yet. The latter requires a kernel change and fresh nftables tool, both
will be available in RHEL8.2.

Cheers, Phil

Comment 7 Phil Sutter 2019-11-26 21:40:25 UTC

To support ct secmark setting, another follow-up is required:

commit 2250296370752e516dc367f1239753b15efbea94
Author: Christian Göttsche <cgzones>
Date:   Sat Nov 23 17:22:39 2019 +0100

    src: add ability to set/get secmarks to/from connection
    
    Labeling established and related packets requires the secmark to be stored in the connection.
    Add the ability to store and retrieve secmarks like:
    
        ...
        chain input {
            ...
    
            # label new incoming packets
            ct state new meta secmark set tcp dport map @secmapping_in
    
            # add label to connection
            ct state new ct secmark set meta secmark
    
            # set label for est/rel packets from connection
            ct state established,related meta secmark set ct secmark
    
            ...
        }
        ...
        chain output {
            ...
    
            # label new outgoing packets
            ct state new meta secmark set tcp dport map @secmapping_out
    
            # add label to connection
            ct state new ct secmark set meta secmark
    
            # set label for est/rel packets from connection
            ct state established,related meta secmark set ct secmark
    
            ...
            }
        ...
    
    This patch also disallow constant value on the right hand side.
    
        # nft add rule x y meta secmark 12
        Error: Cannot be used with right hand side constant value
        add rule x y meta secmark 12
                     ~~~~~~~~~~~~ ^^
        # nft add rule x y ct secmark 12
        Error: Cannot be used with right hand side constant value
        add rule x y ct secmark 12
                     ~~~~~~~~~~ ^^
        # nft add rule x y ct secmark set 12
        Error: ct secmark must not be set to constant value
        add rule x y ct secmark set 12
                     ^^^^^^^^^^^^^^^^^
    
    This patch improves 3bc84e5c1fdd ("src: add support for setting secmark").
    
    Signed-off-by: Christian Göttsche <cgzones>
    Signed-off-by: Pablo Neira Ayuso <pablo>

Comment 8 Phil Sutter 2019-11-26 22:34:02 UTC

Yiche, you're assigned to the kernel counterpart (bug 1715851), are you willing to test userspace bits covered by this ticket along the way?

Comment 9 yiche 2019-11-27 07:07:53 UTC

Ok, I will also cover this ticket. Setting meta secmark/ct secmark in input/output chain.

Comment 10 yiche 2019-11-27 08:07:34 UTC

Mark the discussion as reference: https://www.spinics.net/lists/netfilter-devel/msg56112.html

Comment 11 Phil Sutter 2019-12-03 17:11:09 UTC

Mentioned upstream commits implicitly backported by rebase to 0.9.3.

Comment 12 yiche 2019-12-04 09:26:14 UTC

Add SETS which type secmark failed:
# nft add table ip filter
# nft add map ip filter secmapping { type inet_service : secmark \; }
Error: Could not process rule: Invalid argument
add map ip filter secmapping { type inet_service : secmark ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# uname -r
4.18.0-157.el8.x86_64

# rpm -q nftables
nftables-0.9.3-3.el8.x86_64

# rpm -q libnftnl
libnftnl-1.1.5-1.el8.x86_64

Comment 13 Phil Sutter 2019-12-04 13:32:31 UTC

Hi Yiche,

(In reply to yiche from comment #12)
> Add SETS which type secmark failed:
> # nft add table ip filter
> # nft add map ip filter secmapping { type inet_service : secmark \; }
> Error: Could not process rule: Invalid argument
> add map ip filter secmapping { type inet_service : secmark ; }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> # uname -r
> 4.18.0-157.el8.x86_64
> 
> # rpm -q nftables
> nftables-0.9.3-3.el8.x86_64
> 
> # rpm -q libnftnl
> libnftnl-1.1.5-1.el8.x86_64

Please note that Bug 1715851 which this ticket depends on is still in POST state - due to recent feature freeze it had to wait for exception+. So in order to test the tickets, you'll have to wait for a newer kernel.

OTOH, I'm not sure if the syntax used above will be allowed. Please also refer to testing instructions given in Bug 1715851, secmark is treated as a special object not just a set/map datatype. (Don't ask me why it is so complicated. ;)

Cheers, Phil

Comment 14 yiche 2019-12-05 06:14:30 UTC

Thank Phil point out dependency.
Accroding to https://www.spinics.net/lists/netfilter-devel/msg64148.html. 
A map like:
map secmapping_in {
	type inet_service : secmark
	elements = { 22 : "ssh_server" }
}
should be allowed.

Comment 22 errata-xmlrpc 2020-04-28 16:41:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1774

Note You need to log in before you can comment on or make changes to this bug.