Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp3861033rdh; Fri, 29 Sep 2023 04:51:41 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGw6Efxu5Yu00TEtwHeQgqlbif0dHH66hbTKhTzeTCgNKfZUrGSOwuUCu+eZELPxqrNa9Zj X-Received: by 2002:a05:6a20:948c:b0:157:7568:6796 with SMTP id hs12-20020a056a20948c00b0015775686796mr3277037pzb.60.1695988301404; Fri, 29 Sep 2023 04:51:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695988301; cv=none; d=google.com; s=arc-20160816; b=t0zSe2Ftaw9Y5YS10rDnG/ivPX614yKuaSvGCM5t49V0+s3Xm1f0tLKY9Nb5QO90Qh pGVr8TH7UDzaEIM2Q75HjllZ5WPkW2LxHm7FC/Te5psW2JDd0yXffLvTND53SetUCYrs xBYy8iFLejeOyHHHx3b9sfkg2yL6UjDO4og8iZEpQRO9fDXKs5JZghqoqip+vIPK8XNd /yJvpZZSVG/jCujbPEU8aPmNqrKSNR7yslm/HCK1d3Wv4PQjLl3u35ce6oIUNZam+oGf 49lad9HmJKMDeHZ/7SiQMC2zwbMmfGzXwwlmZGlLc+7H0dlC5KO3PyCA5hfdfoE9Csv2 /vQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:reply-to :from:references:cc:to:content-language:subject:user-agent :mime-version:date:message-id; bh=u+c6hfhjn69RHkgkSbrle950JMVQKGbE94bHirpvbYw=; fh=3TG/FzqQYukSVj9zxBS9mnSZOZnGt1SECNyEs7dQqcM=; b=RpT6Ru+b7LiNIFzJTAmt/q3IGBYnifmp9vEH2A9rV6xS+IWmIBzk/bEDDQK2tn/IM0 +1G882FgpAoleXNk57BTB/68fwbwNuNaq/QInmzReZuAwquz91O1XbK2K+QrKQ2FjtyL kN25KHyP9JznmRXr8HmM7x8eXKb8Nh6AMWm6oMC1Dpz9Oorl7m/GIdHZpeB7g6YYZbg9 16JmPQSQ1Ixpxc4fmB8mdLt5NPtB1tvA9kQXpl5GELfPcl2y/eJrCwLR6GapZgjXSdsM lTwhRR67pjmjS5cpfuyFpcqzL/LJWvBG7J/57rXIG76NZclmIK3mqzytwaTfFAKjXxFK uV2Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from groat.vger.email (groat.vger.email. [23.128.96.35]) by mx.google.com with ESMTPS id my11-20020a17090b4c8b00b002777d51e89dsi1538571pjb.128.2023.09.29.04.51.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Sep 2023 04:51:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 1E7F3806822B; Fri, 29 Sep 2023 04:47:24 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232490AbjI2Lq4 (ORCPT + 99 others); Fri, 29 Sep 2023 07:46:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55574 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233069AbjI2Lqo (ORCPT ); Fri, 29 Sep 2023 07:46:44 -0400 Received: from wp530.webpack.hosteurope.de (wp530.webpack.hosteurope.de [80.237.130.52]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AE28B1B4; Fri, 29 Sep 2023 04:46:36 -0700 (PDT) Received: from [2a02:8108:8980:2478:8cde:aa2c:f324:937e]; authenticated by wp530.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) id 1qmBx0-00054T-AZ; Fri, 29 Sep 2023 13:46:30 +0200 Message-ID: <89dded30-d250-4b7a-b5a8-b18e3b509bf1@leemhuis.info> Date: Fri, 29 Sep 2023 13:46:29 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Regression: Commit "netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID" breaks ruleset loading in linux-stable Content-Language: en-US, de-DE To: Florian Westphal , Linux regressions mailing list Cc: Pablo Neira Ayuso , Timo Sigurdsson , kadlec@netfilter.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, sashal@kernel.org, carnil@debian.org, 1051592@bugs.debian.org References: <20230911213750.5B4B663206F5@dd20004.kasserver.com> <20230912102701.GA13516@breakpoint.cc> From: "Linux regression tracking (Thorsten Leemhuis)" Reply-To: Linux regressions mailing list In-Reply-To: <20230912102701.GA13516@breakpoint.cc> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-bounce-key: webpack.hosteurope.de;regressions@leemhuis.info;1695987996;3a87d281; X-HE-SMSGID: 1qmBx0-00054T-AZ X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Fri, 29 Sep 2023 04:47:24 -0700 (PDT) On 12.09.23 12:27, Florian Westphal wrote: > Linux regression tracking (Thorsten Leemhuis) wrote: >> On 12.09.23 00:57, Pablo Neira Ayuso wrote: >>> Userspace nftables v1.0.6 generates incorrect bytecode that hits a new >>> kernel check that rejects adding rules to bound chains. The incorrect >>> bytecode adds the chain binding, attach it to the rule and it adds the >>> rules to the chain binding. I have cherry-picked these three patches >>> for nftables v1.0.6 userspace and your ruleset restores fine. >>> [...] >> >> Hmmmm. Well, this sounds like a kernel regression to me that normally >> should be dealt with on the kernel level, as users after updating the >> kernel should never have to update any userspace stuff to continue what >> they have been doing before the kernel update. > > This is a combo of a userspace bug and this new sanity check that > rejects the incorrect ordering (adding rules to the already-bound > anonymous chain). > > nf_tables uses a transaction allor-nothing model, this means that any > error that occurs during a transaction has to be reverse/undo all the > pending changes. This has caused a myriad of bugs already. > > So while this can be theoretically fixed in the kernel I don't see > a sane way to do it. Error unwinding / recovery from deeply nested > errors is already too complex for my taste. > >> Can't the kernel somehow detect the incorrect bytecode and do the right >> thing(tm) somehow? > > Theoretically yes, but I don't feel competent enough to do it, just look > at all the UaF bugs of the past month. Thx for the answer. FWIW, as this was a judgement call I mentioned this in my last regression report to Linus; he didn't reply, so I guess it is -- and will remove this issue from my tracking: #regzbot resolve: can be solved by a nftables userspace update; not nice, but likely best solution in this case #regzbot ignore-activity Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat) -- Everything you wanna know about Linux kernel regression tracking: https://linux-regtracking.leemhuis.info/about/#tldr If I did something stupid, please tell me, as explained on that page.