Bug 1930723 - regression: arbitrary ipv6 mask not supported anymore
Summary: regression: arbitrary ipv6 mask not supported anymore
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: iptables
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.5
Assignee: Phil Sutter
QA Contact: Štěpán Němec
Depends On:
Reported: 2021-02-19 13:02 UTC by Enrico Scholz
Modified: 2021-11-10 09:44 UTC (History)

Fixed In Version: iptables-1.8.4-18.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-11-09 19:54:29 UTC
Type: Bug
Target Upstream Version:

Related errata: Red Hat Product Errata RHBA-2021:4468 (last updated 2021-11-09 19:54:40 UTC)

Description Enrico Scholz 2021-02-19 13:02:18 UTC
Description of problem:

Beginning with kernel-4.18.0-193.19.1.el8_2, iptables rejects complex ipv6 netmasks.  Previous kernels (e.g. kernel-4.18.0-193.14.1.el8_2) and recent upstream kernels (e.g. kernel-5.10.11-200.fc33.x86_64) accept such masks.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. ip6tables -I INPUT 1 -s ::/::0:ffff:0:0

Actual results:

ip6tables v1.8.4 (nf_tables):  RULE_INSERT failed (Invalid argument): rule in chain INPUT

Expected results:

added to chain and visible like

# ip6tables -L INPUT -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   97 17197            all      *      *       ::/::ffff:    ::/0

Comment 1 Phil Sutter 2021-02-19 17:02:15 UTC
Thanks for the report!
This is a userspace bug, so kernel is unrelated. Downgrading iptables RPM (if
available) should avoid it even in newer kernels.

Fix sent upstream: https://lore.kernel.org/netfilter-devel/20210219165726.20986-1-phil@nwl.cc/T/#u

Comment 2 Phil Sutter 2021-02-19 17:39:12 UTC
iptables-translate is problematic, too:

# iptables-translate -A FORWARD -s
nft add rule ip filter FORWARD ip saddr counter

# nft add rule ip filter FORWARD ip saddr counter
Error: syntax error, unexpected string, expecting number
add rule ip filter FORWARD ip saddr counter

Comment 3 Phil Sutter 2021-03-03 14:48:25 UTC
Fix for xtables-translate also submitted upstream:

Comment 4 Phil Sutter 2021-05-18 14:39:53 UTC
Upstream commits to backport:

commit 330f5df03ad589b46865ceedf2a54cf10a4225ba
Author: Phil Sutter <phil>
Date:   Fri Feb 19 16:54:57 2021 +0100

    nft: Fix bitwise expression avoidance detection
    Byte-boundary prefix detection was too sloppy: Any data following the
    first zero-byte was ignored. Add a follow-up loop making sure there are
    no stray bits in the designated host part.
    Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches")
    Signed-off-by: Phil Sutter <phil>

commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae
Author: Phil Sutter <phil>
Date:   Tue Mar 2 14:50:07 2021 +0100

    xtables-translate: Fix translation of odd netmasks
    Iptables supports netmasks which are not prefixes to match on (or
    ignore) arbitrary bits in an address. Yet nftables' prefix notation is
    available for real prefixes only, so translation is not as trivial -
    print bitmask syntax for those cases.
    Signed-off-by: Phil Sutter <phil>

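To illustrate what the two backported commits describe, here is an added example in C that is not iptables' own code: prefix_bytes() models the byte-boundary prefix check in its pre-fix "sloppy" form (as read from the commit message: nothing after the first zero host byte is inspected) and in the fixed form, and saddr_match6() models the xtables-translate decision between nft prefix notation and bitmask syntax. The function names and the sample addresses are my own.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Count of leading 0xff bytes when the mask is all-ones bytes followed by
 * all-zero bytes (nft compares those bytes directly), else -1 (bitwise). */
int prefix_bytes(const unsigned char *m, size_t len, int sloppy)
{
	size_t i = 0, j;
	while (i < len && m[i] == 0xff)
		i++;
	/* Sloppy (pre-fix) checks only the first host byte, so ::ffff:0:0
	 * passes as a 0-byte prefix; fixed checks every host byte. */
	for (j = i; j < len && (!sloppy || j == i); j++)
		if (m[j])
			return -1;
	return (int)i;
}

/* CIDR length when the mask is contiguous ones then zeros, else -1. */
int mask_to_cidr(const unsigned char *m, size_t len)
{
	unsigned char b;
	size_t i = 0;
	int bits = 0;
	for (; i < len && m[i] == 0xff; i++)
		bits += 8;
	for (b = i < len ? m[i++] : 0; b & 0x80; b <<= 1)
		bits++;
	while (i < len && !b)   /* any later set bit breaks the prefix */
		b = m[i++];
	return b ? -1 : bits;
}

/* nft match: prefix notation for real prefixes, bitmask syntax otherwise. */
const char *saddr_match6(const char *addr, const char *mask)
{
	static char out[128];
	struct in6_addr m;
	int cidr;
	if (inet_pton(AF_INET6, mask, &m) != 1)
		return NULL;            /* unparsable mask */
	cidr = mask_to_cidr(m.s6_addr, sizeof(m.s6_addr));
	if (cidr >= 0)
		snprintf(out, sizeof(out), "ip6 saddr %s/%d", addr, cidr);
	else
		snprintf(out, sizeof(out), "ip6 saddr & %s == %s", mask, addr);
	return out;
}
```

With the mask from this report, the sloppy check returns a 0-byte prefix while the fixed check correctly demands a bitwise expression, and the translation emits `ip6 saddr & ::0:ffff:0:0 == ::` instead of prefix notation.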
Comment 14 errata-xmlrpc 2021-11-09 19:54:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (iptables bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

