Closed arnova closed 5 years ago
@abelbeck : Lonnie, also packet defragmentation is bugged in (some versions of) nftables. Not so long ago we already had a discussion about packet defragmentation. I think it's safe if we turn this off by default, right?
@arnova The problem with the -f
option was with the real iptables 1.8.1, fixed in 1.8.2. See Issue #53 .
I'm not yet convinced we have an issue with handling packet invalid-fragments.
Hooking in on VALID_CHK
and OUTPUT
seems correct, possibly only OUTPUT
to protect other devices.
I vote holding off on this change until more research is done to justify a change.
@abelbeck : Yes, it also caused a problem with the "real" iptables, but with nftables emulation it's also broken. As it turns out -f converts to "ip frag-off & 65311 != 0", where it should (just) be "ip frag-off != 0". So yes, another problem in nftables. However, the reporter says that with this fix (and the others already in mainline) all problems he previously had are gone.
However, the reporter says that with this fix (and the others already in mainline) all problems he previously had are gone.
Good to hear.
@arnova Short answer, I think we can remove all -f -j DROP
because of our connection tracking.
Details... looking at:
-A VALID_CHK -m conntrack --ctstate INVALID -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: "
-A VALID_CHK -f -j DROP
I don't see how a -f
packet could match after the -m conntrack --ctstate INVALID
rule, do you ?
I looked at the kernel source for insight: https://elixir.bootlin.com/linux/v3.16.62/source/net/netfilter/xt_conntrack.c#L181 https://elixir.bootlin.com/linux/v3.16.62/source/net/netfilter/xt_state.c#L32 basically if a packet is not added to the conntrack list it is invalid.
The only other occurrence is with -A OUTPUT -f -j DROP
which would require malicious code running on the AIF box to generate outbound invalid-fragment packets, agree ?
…it to a single place for INPUT, FORWARD and OUTPUT