Bug 1851944 - libxt_NFQUEUE: Fix bug with order of fanout and bypass
Summary: libxt_NFQUEUE: Fix bug with order of fanout and bypass
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iptables
Version: 7.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 7.9
Assignee: Phil Sutter
QA Contact: qe-baseos-daemons
Docs Contact: Sagar Dubewar
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-06-29 13:50 UTC by Filippo Carletti
Modified: 2020-07-13 07:32 UTC
CC: 5 users

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.The `NFQUEUE` target overrides the `queue-cpu-fanout` flag

An iptables `NFQUEUE` target that uses both the `--queue-bypass` and `--queue-cpu-fanout` options accidentally overrides the `--queue-cpu-fanout` option when `--queue-bypass` is given after `--queue-cpu-fanout`. Consequently, the `--queue-cpu-fanout` option is ignored. To work around this problem, place the `--queue-bypass` option before the `--queue-cpu-fanout` option.
Clone Of:
Environment:
Last Closed: 2020-06-29 17:02:56 UTC
Target Upstream Version:
Embargoed:



Description Filippo Carletti 2020-06-29 13:50:04 UTC
Description of problem:

iptables-1.4.21-34.el7.x86_64 is affected by this bug:
https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1
The queue-cpu-fanout option should be passed last.

Version-Release number of selected component (if applicable):

iptables-1.4.21-34.el7.x86_64

How reproducible:

Always reproducible

Steps to Reproduce:
1. iptables -A INPUT -m mark --mark 0x10/0x10 -j NFQUEUE --queue-balance 0:1 --queue-cpu-fanout --queue-bypass
2. iptables -nL INPUT | tail -1

Actual results:

NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x10/0x10 NFQUEUE balance 0:1 bypass
(queue-cpu-fanout is missing)


Expected results:

NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x10/0x10 NFQUEUE balance 0:1 bypass cpu-fanout


Additional info:

Comment 2 Phil Sutter 2020-06-29 14:30:31 UTC
Hi Filippo,

Thanks for the report!

Trivial upstream commit to backport:

commit d1555a0906e35ba8d170613d5a43da64e527dbe1
Author: Shivani Bhardwaj <shivanib134>
Date:   Thu Apr 14 20:55:58 2016 +0530

    extensions: libxt_NFQUEUE: Fix bug with order of fanout and bypass
    
    NFQUEUE had a bug with the ordering of fanout and bypass options which
    was arising due to same and odd values for flags and bypass when used
    together. Because of this, during bitwise ANDing of flags and
    NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
    NFQ_FLAG_CPU_FANOUT=0x02) and led to skipping of fanout option
    whenever it was used before bypass because then flags would be 1.
    
    Before this patch,
    
    $ sudo iptables -A FORWARD -j NFQUEUE -p TCP --sport 80 --queue-balance 0:3 --queue-cpu-fanout --queue-bypass
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    NFQUEUE    tcp  --  anywhere             anywhere             tcp spt:http NFQUEUE balance 0:3 bypass
    
    After this patch,
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    NFQUEUE    tcp  --  anywhere             anywhere             tcp spt:http NFQUEUE balance 0:3 bypass cpu-fanout
    
    Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939
    
    Suggested-by: Pablo Neira Ayuso <pablo>
    Signed-off-by: Shivani Bhardwaj <shivanib134>
    Signed-off-by: Pablo Neira Ayuso <pablo>

Tomas, please consider this ticket for qa_ack+.
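The commit message above describes the mechanism only in terms of flag values. The following is an added illustrative model of that ordering bug, written for this page; it is not the libxt_NFQUEUE source, nor code from Phil, Filippo or the upstream commit. The constants NFQ_FLAG_BYPASS (0x01) and NFQ_FLAG_CPU_FANOUT (0x02) are the real kernel ABI values, but the struct, the parser functions and the explanation that `--queue-bypass` was stored by plain assignment into the slot the v3 target uses as its flags bitmask are assumptions chosen to reproduce the behaviour the commit message reports (fanout lost whenever it precedes bypass, because flags ends up as 1).

```c
/* Added model of the libxt_NFQUEUE fanout/bypass ordering bug.
 * Not the iptables source: the struct and parsers are a hypothetical
 * simplification; only the two NFQ_FLAG_* values are real ABI constants. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NFQ_FLAG_BYPASS     0x01  /* from linux/netfilter/xt_NFQUEUE.h */
#define NFQ_FLAG_CPU_FANOUT 0x02  /* from linux/netfilter/xt_NFQUEUE.h */

/* Assumed layout: the v2 target revision calls the last field 'bypass',
 * the v3 revision reuses the same slot as a 'flags' bitmask. */
struct nfq_info_v3 {
    uint16_t queuenum;
    uint16_t queues_total;
    uint16_t flags;
};

/* Assumed pre-fix behaviour: --queue-bypass is stored with a plain
 * assignment (v2 semantics), which wipes any bit already OR'ed into the
 * slot. That is why fanout survives only when it is parsed last. */
static void parse_option_buggy(struct nfq_info_v3 *info, const char *opt)
{
    if (strcmp(opt, "--queue-bypass") == 0)
        info->flags = NFQ_FLAG_BYPASS;           /* clobbers CPU_FANOUT */
    else if (strcmp(opt, "--queue-cpu-fanout") == 0)
        info->flags |= NFQ_FLAG_CPU_FANOUT;
}

/* Fixed behaviour: both options OR their bit into 'flags', so the result
 * no longer depends on the order of the options on the command line. */
static void parse_option_fixed(struct nfq_info_v3 *info, const char *opt)
{
    if (strcmp(opt, "--queue-bypass") == 0)
        info->flags |= NFQ_FLAG_BYPASS;
    else if (strcmp(opt, "--queue-cpu-fanout") == 0)
        info->flags |= NFQ_FLAG_CPU_FANOUT;
}

/* Feed a list of NFQUEUE options through one parser and return the
 * resulting flags bitmask (use_fixed selects the post-fix parser). */
uint16_t nfqueue_flags(const char *const *opts, int nopts, int use_fixed)
{
    struct nfq_info_v3 info = { .queuenum = 0, .queues_total = 2, .flags = 0 };
    for (int i = 0; i < nopts; i++) {
        if (use_fixed)
            parse_option_fixed(&info, opts[i]);
        else
            parse_option_buggy(&info, opts[i]);
    }
    return info.flags;
}

/* Render the flags the way 'iptables -nL' prints them, so the output can be
 * compared with the Actual/Expected results in the report. */
const char *nfqueue_flags_str(uint16_t flags)
{
    switch (flags & (NFQ_FLAG_BYPASS | NFQ_FLAG_CPU_FANOUT)) {
    case NFQ_FLAG_BYPASS:                       return "bypass";
    case NFQ_FLAG_CPU_FANOUT:                   return "cpu-fanout";
    case NFQ_FLAG_BYPASS | NFQ_FLAG_CPU_FANOUT: return "bypass cpu-fanout";
    default:                                    return "";
    }
}

/* The two orderings from the report: the reporter's rule (fanout first)
 * and the workaround (bypass first). Constructed sample input. */
const char *const FANOUT_THEN_BYPASS[] = { "--queue-cpu-fanout", "--queue-bypass" };
const char *const BYPASS_THEN_FANOUT[] = { "--queue-bypass", "--queue-cpu-fanout" };

int main(void)
{
    printf("buggy, fanout then bypass : %s\n",
           nfqueue_flags_str(nfqueue_flags(FANOUT_THEN_BYPASS, 2, 0)));
    printf("buggy, bypass then fanout : %s\n",
           nfqueue_flags_str(nfqueue_flags(BYPASS_THEN_FANOUT, 2, 0)));
    printf("fixed, fanout then bypass : %s\n",
           nfqueue_flags_str(nfqueue_flags(FANOUT_THEN_BYPASS, 2, 1)));
    printf("fixed, bypass then fanout : %s\n",
           nfqueue_flags_str(nfqueue_flags(BYPASS_THEN_FANOUT, 2, 1)));
    return 0;
}
```

The practical check on an affected host is the one the reporter used: after adding the rule, confirm that `iptables -nL` shows `cpu-fanout` next to `bypass`. Anything that generates rules programmatically (Shorewall, Ansible templates, custom scripts) should emit `--queue-cpu-fanout` as the last NFQUEUE option on iptables 1.4.21 builds that lack the upstream fix, since nothing on the command line warns when the bit is silently dropped.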

Comment 5 Phil Sutter 2020-06-29 15:49:42 UTC
Filippo,

As we are pretty late in the RHEL7.9 release phase, there is some resistance to
accepting this bug for the release. Are you OK with this being a known issue in
RHEL7 and the fact that RHEL8 is not affected? Sorting the arguments passed to
the NFQUEUE target allows working around the bug.

Cheers, Phil

Comment 6 Filippo Carletti 2020-06-29 16:13:11 UTC
Fine with me.
I've already worked around the problem passing the queue-cpu-fanout last.
Users of shorewall will be affected by the bug, I've notified them:
https://sourceforge.net/p/shorewall/mailman/message/37049018/

Thank you.

Comment 7 Phil Sutter 2020-06-29 17:02:56 UTC
Hi Filippo,

(In reply to Filippo Carletti from comment #6)
> Fine with me.
> I've already worked around the problem passing the queue-cpu-fanout last.
> Users of shorewall will be affected by the bug, I've notified them:
> https://sourceforge.net/p/shorewall/mailman/message/37049018/

Thanks for notifying Shorewall developers.

