Re: Bug#912977: iptables: nftables layer breaks ipsec/policy keyword


Yves-Alexis Perez-2

On Mon, 2018-11-05 at 13:08 +0100, Pierre Chifflier wrote:

> Package: iptables
> Version: 1.8.1-2
> Severity: grave
> Tags: security
> Justification: breaks rules, inserts pass-all rules
> X-Debbugs-Cc: [hidden email],
> [hidden email]
>
> Hi,
>
> The debian package for iptables now transparently converts inserted
> rules to nftables, which is great.
>
> However, some keywords are not supported (like the 'policy' keyword for
> IPsec transforms). The bad part is, these rules are inserted
> *without* the matches, which makes in some cases your firewall useless.
>
> For ex:
> # iptables -F
> # iptables -A OUTPUT -m policy --dir out --pol ipsec --strict --mode tunnel -o eth0 -j ACCEPT
> # echo $?
> 0
> # nft list ruleset
> <cut>
> chain OUTPUT {
> type filter hook output priority 0; policy accept;
> oifname "eth0"  counter packets 90 bytes 26085 accept
> }
> }
>
> As you can see, the inserted rule allows everything, while the expected
> behavior would be 'only if going through an IPsec tunnel'.
> Even worse: inserting the rule did not fail.
>
> Until the 'ipsec' (or 'secpath') keyword works properly (and supports
> all options), an acceptable behavior would be to reject the rule if one
> or more keywords are not supported by nftables.

Hi all,

actually, I think it would make sense to actually bail out early with an
error if any rule or keyword is unsupported by the nftables backend. I've
noticed the behavior because it was announced in NEWS.Debian (and I have apt-
listchanges) and I assume it'll be put in the Buster release notes, but I
think the executable itself (or maybe the kernel part) shouldn't silently
ignore stuff, because indeed it can open holes in the firewall and break
user/admin expectations.

Regards,
--
Yves-Alexis

Re: Bug#912977: iptables: nftables layer breaks ipsec/policy keyword

Arturo Borrero González
Control: forwarded -1 https://bugzilla.netfilter.org/show_bug.cgi?id=1290

Hopefully next upstream release will contain a fix.

Re: Bug#912977: iptables: nftables layer breaks ipsec/policy keyword

Pierre Chifflier-4
On Tue, Nov 06, 2018 at 02:02:06PM +0100, Arturo Borrero Gonzalez wrote:
> Control: forwarded -1 https://bugzilla.netfilter.org/show_bug.cgi?id=1290
>
> Hopefully next upstream release will contain a fix.

Hi,

Thanks Arturo.

After some more testing, it seems the bug would be less severe than it
looks:

- the (iptables) rules seem to work, the nft dump just cannot show
  them (which is a bug, but less important).
  This was tested for the policy module, for OUTPUT.

- the iptables rules can be saved and reloaded as usual

- the produced nft ruleset should not be used (for ex to switch to
  nftables), as it will load without error but without the nft_compat
  keywords. This would also be a different bug.

I'm still running some more tests, but I think the severity can be
lowered.

Regards,
Pierre
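An audit of the kind this thread calls for, added here as an example and not code from the thread or from the iptables project: it pairs each `iptables-save` rule with the nft rule that `iptables-nft` produced for it and flags rules whose `-m policy` match left no `ipsec`/`secpath` trace in the `nft list ruleset` dump, which is exactly the pass-all rule shown in the original report. The sample rules and ruleset are constructed to mirror that report, and the script assumes rules within a chain pair up by position.

```python
import re

# Constructed sample: the intended iptables rules and the nft ruleset that
# iptables-nft produced from them (the policy match was silently dropped).
IPTABLES_RULES = [
    "-A OUTPUT -m policy --dir out --pol ipsec --strict --mode tunnel -o eth0 -j ACCEPT",
    "-A OUTPUT -o lo -j ACCEPT",
]
NFT_RULESET = """table ip filter {
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
        oifname "eth0" counter packets 90 bytes 26085 accept
        oifname "lo" counter packets 3 bytes 200 accept
    }
}
"""

# For each iptables match module, the tokens nft would print if the match had
# actually been translated. Only 'policy' (from the report) is listed here;
# extend the table per module as needed.
MATCH_MARKERS = {"policy": ("ipsec", "secpath")}


def nft_chain_rules(ruleset, chain):
    """Return the rule lines of one chain from 'nft list ruleset' output."""
    rules, inside = [], False
    for line in ruleset.splitlines():
        s = line.strip()
        if s.startswith(f"chain {chain} "):
            inside = True
            continue
        if inside and s == "}":
            break
        if inside and s and not s.startswith(("type ", "policy ")):
            rules.append(s)
    return rules


def audit(iptables_rules, ruleset):
    """Flag iptables rules whose match module is missing from the nft rule.

    Returns a list of (chain, iptables_rule, nft_rule, missing_module).
    Rules are paired by position inside each chain (assumption).
    """
    by_chain = {}
    for rule in iptables_rules:
        m = re.match(r"-A (\S+) (.*)", rule)
        by_chain.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    for chain, rules in by_chain.items():
        nft_rules = nft_chain_rules(ruleset, chain)
        for i, ipt in enumerate(rules):
            nft = nft_rules[i] if i < len(nft_rules) else ""
            for mod in re.findall(r"-m (\S+)", ipt):
                if mod in MATCH_MARKERS and not any(t in nft for t in MATCH_MARKERS[mod]):
                    findings.append((chain, ipt, nft, mod))
    return findings


if __name__ == "__main__":
    for chain, ipt, nft, mod in audit(IPTABLES_RULES, NFT_RULESET):
        print(f"{chain}: '-m {mod}' lost in translation\n  iptables: {ipt}\n  nft:      {nft}")
```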