Description of problem:
iptables-1.4.21-34.el7.x86_64 is affected by this bug:
https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1
The queue-cpu-fanout option should be passed last.

Version-Release number of selected component (if applicable):
iptables-1.4.21-34.el7.x86_64

How reproducible:
Always reproducible

Steps to Reproduce:
1. iptables -A INPUT -m mark --mark 0x10/0x10 -j NFQUEUE --queue-balance 0:1 --queue-cpu-fanout --queue-bypass
2. iptables -nL INPUT | tail -1

Actual results:
NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x10/0x10 NFQUEUE balance 0:1 bypass
(queue-cpu-fanout is missing)

Expected results:
NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x10/0x10 NFQUEUE balance 0:1 bypass cpu-fanout

Additional info:
Hi Filippo,

Thanks for the report! Trivial upstream commit to backport:

commit d1555a0906e35ba8d170613d5a43da64e527dbe1
Author: Shivani Bhardwaj <shivanib134>
Date:   Thu Apr 14 20:55:58 2016 +0530

    extensions: libxt_NFQUEUE: Fix bug with order of fanout and bypass

    NFQUEUE had a bug with the ordering of fanout and bypass options which was
    arising due to same and odd values for flags and bypass when used together.
    Because of this, during bitwise ANDing of flags and NFQ_FLAG_CPU_FANOUT,
    the value always evaluated to false (since NFQ_FLAG_CPU_FANOUT=0x02) and
    led to skipping of fanout option whenever it was used before bypass because
    then flags would be 1.

    Before this patch,
    $ sudo iptables -A FORWARD -j NFQUEUE -p TCP --sport 80 --queue-balance 0:3 --queue-cpu-fanout --queue-bypass
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    NFQUEUE    tcp  --  anywhere             anywhere             tcp spt:http NFQUEUE balance 0:3 bypass

    After this patch,
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    NFQUEUE    tcp  --  anywhere             anywhere             tcp spt:http NFQUEUE balance 0:3 bypass cpu-fanout

    Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939

    Suggested-by: Pablo Neira Ayuso <pablo>
    Signed-off-by: Shivani Bhardwaj <shivanib134>
    Signed-off-by: Pablo Neira Ayuso <pablo>

Tomas, please consider this ticket for qa_ack+.
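As an added illustration (this is a model written for this page, not the upstream libxt_NFQUEUE code, whose exact lines are not quoted here), the C below reproduces the order dependence the commit message describes: it assumes --queue-bypass assigned the flag word to 1 while --queue-cpu-fanout ORed its bit in, which is what "then flags would be 1" implies, and it shows why ORing both bits removes the dependence on argument order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NFQ_FLAG_BYPASS     0x01   /* values from linux/netfilter/xt_NFQUEUE.h */
#define NFQ_FLAG_CPU_FANOUT 0x02
/* Model of one option being applied to the rule's flag word.
 * buggy == 1: --queue-bypass is assumed to *assign* the word to 1 (the v2
 *             struct only had a 0/1 "bypass" field), clobbering a fanout bit
 *             set by an earlier --queue-cpu-fanout.
 * buggy == 0: every option ORs in its own bit, so argument order is irrelevant. */
static void apply_option(uint16_t *flags, const char *opt, int buggy)
{
	if (strcmp(opt, "--queue-bypass") == 0)
		*flags = buggy ? 1 : (*flags | NFQ_FLAG_BYPASS);
	else if (strcmp(opt, "--queue-cpu-fanout") == 0)
		*flags |= NFQ_FLAG_CPU_FANOUT;
	/* --queue-num / --queue-balance carry no flag bits and are ignored here */
}
/* Parse a space-separated NFQUEUE option string (what follows -j NFQUEUE)
 * and return the resulting flag word. Options taking a value have it skipped. */
uint16_t nfqueue_flags(const char *cmdline, int buggy)
{
	char buf[256];
	uint16_t flags = 0;
	strncpy(buf, cmdline, sizeof buf - 1);
	buf[sizeof buf - 1] = '\0';
	for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
		if (strcmp(tok, "--queue-num") == 0 || strcmp(tok, "--queue-balance") == 0) {
			strtok(NULL, " ");   /* consume the option's argument, e.g. "0:1" */
			continue;
		}
		apply_option(&flags, tok, buggy);
	}
	return flags;
}
/* Render the flag suffix the way `iptables -nL` prints it ("bypass cpu-fanout"). */
const char *nfqueue_suffix(uint16_t flags)
{
	static const char *names[] = { "", "bypass", "cpu-fanout", "bypass cpu-fanout" };
	return names[flags & (NFQ_FLAG_BYPASS | NFQ_FLAG_CPU_FANOUT)];
}
int main(void)
{
	/* the reporter's argument order: fanout before bypass */
	const char *rule = "--queue-balance 0:1 --queue-cpu-fanout --queue-bypass";
	printf("buggy: %s\n", nfqueue_suffix(nfqueue_flags(rule, 1)));  /* bypass */
	printf("fixed: %s\n", nfqueue_suffix(nfqueue_flags(rule, 0)));  /* bypass cpu-fanout */
	return 0;
}
```

Swapping the two options in `rule` makes even the buggy model print "bypass cpu-fanout", which is the workaround used in this ticket.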
Filippo,

As we are pretty late in the RHEL7.9 release phase, there is some resistance to accepting this bug for the release. Are you OK with this being a known issue in RHEL7, and with the fact that RHEL8 is not affected? Sorting the arguments passed to the NFQUEUE target allows working around the bug.

Cheers,
Phil
Fine with me.
I've already worked around the problem by passing queue-cpu-fanout last.
Users of shorewall will be affected by the bug; I've notified them:
https://sourceforge.net/p/shorewall/mailman/message/37049018/
Thank you.
Hi Filippo,

(In reply to Filippo Carletti from comment #6)
> Fine with me.
> I've already worked around the problem passing the queue-cpu-fanout last.
> Users of shorewall will be affected by the bug, I've notified them:
> https://sourceforge.net/p/shorewall/mailman/message/37049018/

Thanks for notifying the Shorewall developers.