Description of problem:
Beginning with kernel-4.18.0-193.19.1.el8_2, iptables rejects complex ipv6 netmasks. Previous kernels (e.g. kernel-4.18.0-193.14.1.el8_2) and recent upstream kernels (e.g. kernel-5.10.11-200.fc33.x86_64) accept such masks.

Version-Release number of selected component (if applicable):
kernel-4.18.0-193.19.1.el8_2
kernel-4.18.0-240.10.1.el8_3.x86_64

How reproducible:
100%

Steps to Reproduce:
1. ip6tables -I INPUT 1 -s ::/::0:ffff:0:0

Actual results:
ip6tables v1.8.4 (nf_tables): RULE_INSERT failed (Invalid argument): rule in chain INPUT

Expected results:
added to chain and visible like

# ip6tables -L INPUT -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97 17197            all      *      *       ::/::ffff:0.0.0.0    ::/0
Thanks for the report! This is a userspace bug, so kernel is unrelated. Downgrading iptables RPM (if available) should avoid it even in newer kernels. Fix sent upstream: https://lore.kernel.org/netfilter-devel/20210219165726.20986-1-phil@nwl.cc/T/#u
iptables-translate is problematic, too:

# iptables-translate -A FORWARD -s 10.11.12.13/255.0.255.0
nft add rule ip filter FORWARD ip saddr 10.0.12.0/255.0.255.0 counter
# nft add rule ip filter FORWARD ip saddr 10.0.12.0/255.0.255.0 counter
Error: syntax error, unexpected string, expecting number
add rule ip filter FORWARD ip saddr 10.0.12.0/255.0.255.0 counter
                                              ^^^^^^^^^^^
Fix for xtables-translate also submitted upstream: https://lore.kernel.org/netfilter-devel/20210302143010.3362-1-phil@nwl.cc/
Upstream commits to backport:

commit 330f5df03ad589b46865ceedf2a54cf10a4225ba
Author: Phil Sutter <phil>
Date:   Fri Feb 19 16:54:57 2021 +0100

    nft: Fix bitwise expression avoidance detection

    Byte-boundary prefix detection was too sloppy: Any data following the
    first zero-byte was ignored. Add a follow-up loop making sure there are
    no stray bits in the designated host part.

    Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches")
    Signed-off-by: Phil Sutter <phil>

commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae
Author: Phil Sutter <phil>
Date:   Tue Mar 2 14:50:07 2021 +0100

    xtables-translate: Fix translation of odd netmasks

    Iptables supports netmasks which are not prefixes to match on (or
    ignore) arbitrary bits in an address. Yet nftables' prefix notation is
    available for real prefixes only, so translation is not as trivial -
    print bitmask syntax for those cases.

    Signed-off-by: Phil Sutter <phil>
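The two commits above describe the same underlying problem from two sides: a netmask such as ::0:ffff:0:0 or 255.0.255.0 is not a prefix, so it can neither be collapsed into a plain CIDR match nor be printed as ADDR/MASK in nft syntax. The following is an added example written for this page, not code from iptables or nftables: it places a deliberately sloppy prefix check (in the spirit of the bug, simplified to whole bytes) next to a strict one that performs the "follow-up loop" the first commit adds, and uses the strict check to emit either CIDR notation or a bitwise expression for the translation case. Function names, the static output buffer and the exact rendering of the bitwise form (`ip saddr & MASK == ADDR`, which is standard nft syntax for masked matches) are this example's own choices, not necessarily what xtables-translate prints.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Sloppy detection (simplified, modelled on the reported bug): count leading
 * 0xff bytes and, at the first byte that is zero, declare the prefix complete
 * without inspecting anything after it. Set bits later in the mask are
 * silently dropped, so ::0:ffff:0:0 comes out as prefix length 0 (match all). */
static int sloppy_prefix_len(const uint8_t *mask, size_t len)
{
    size_t i;
    int plen = 0;

    for (i = 0; i < len; i++) {
        if (mask[i] == 0xff) {
            plen += 8;
            continue;
        }
        if (mask[i] == 0)
            return plen;   /* bug: remaining bytes never checked */
        return -1;         /* partial byte: not handled in this toy */
    }
    return plen;
}

/* Strict detection: a mask is a prefix iff it is n one-bits followed only by
 * zero-bits. Returns n, or -1 for any other bit pattern. */
static int strict_prefix_len(const uint8_t *mask, size_t len)
{
    size_t i = 0;
    int plen = 0;

    while (i < len && mask[i] == 0xff) {
        plen += 8;
        i++;
    }
    if (i < len && mask[i] != 0) {
        uint8_t b = mask[i++];
        /* a byte of the form 1..10..0 satisfies (b | (b - 1)) == 0xff */
        if ((uint8_t)(b | (b - 1)) != 0xff)
            return -1;
        for (; b & 0x80; b = (uint8_t)(b << 1))
            plen++;
    }
    /* follow-up loop: no stray bits allowed in the host part */
    for (; i < len; i++)
        if (mask[i] != 0)
            return -1;
    return plen;
}

/* Parse a textual address or mask of family af; returns byte length or 0. */
static size_t parse_addr(int af, const char *s, uint8_t *buf)
{
    if (inet_pton(af, s, buf) != 1)
        return 0;
    return af == AF_INET ? 4 : 16;
}

/* Prefix length of a textual mask: -1 if not a prefix, -2 if unparsable. */
int prefix_len_of(int af, const char *mask_str, int strict)
{
    uint8_t mask[16];
    size_t len = parse_addr(af, mask_str, mask);

    if (!len)
        return -2;
    return strict ? strict_prefix_len(mask, len) : sloppy_prefix_len(mask, len);
}

/* Translate an iptables "-s ADDR/MASK" source match into nft syntax: CIDR for
 * a real prefix, otherwise the bitwise form "saddr & MASK == ADDR". The host
 * part of ADDR is cleared first, as iptables itself does. Returns a static
 * buffer, or NULL on a parse error or mismatched families. */
const char *translate_saddr(int af, const char *addr_str, const char *mask_str)
{
    static char out[128];
    uint8_t addr[16], mask[16];
    char a[INET6_ADDRSTRLEN], m[INET6_ADDRSTRLEN];
    const char *fam = af == AF_INET ? "ip" : "ip6";
    size_t i, len = parse_addr(af, addr_str, addr);
    int plen;

    if (!len || parse_addr(af, mask_str, mask) != len)
        return NULL;
    for (i = 0; i < len; i++)
        addr[i] &= mask[i];
    inet_ntop(af, addr, a, sizeof(a));
    plen = strict_prefix_len(mask, len);
    if (plen >= 0) {
        snprintf(out, sizeof(out), "%s saddr %s/%d", fam, a, plen);
    } else {
        inet_ntop(af, mask, m, sizeof(m));
        snprintf(out, sizeof(out), "%s saddr & %s == %s", fam, m, a);
    }
    return out;
}

int main(void)
{
    printf("sloppy ::0:ffff:0:0 -> %d\n", prefix_len_of(AF_INET6, "::0:ffff:0:0", 0));
    printf("strict ::0:ffff:0:0 -> %d\n", prefix_len_of(AF_INET6, "::0:ffff:0:0", 1));
    printf("%s\n", translate_saddr(AF_INET, "10.11.12.13", "255.0.255.0"));
    printf("%s\n", translate_saddr(AF_INET, "10.11.12.13", "255.0.0.0"));
    return 0;
}
```

The sloppy variant reports the reporter's mask as a /0, which is exactly how a match on the middle 16 bits degrades into a rule that matches everything (or, once the kernel sees an inconsistent prefix, into the EINVAL the report shows); the strict variant rejects it, which is what forces the nft backend to keep the bitwise expression instead of avoiding it.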
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (iptables bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4468