Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] nftables.build_rule breaks ipv6 rules by using the wrong syntax for source and destination addresses #66382

Closed
jdelic opened this issue Apr 16, 2024 · 0 comments · Fixed by #66383
Closed

[BUG] nftables.build_rule breaks ipv6 rules by using the wrong syntax for source and destination addresses #66382

jdelic opened this issue Apr 16, 2024 · 0 comments · Fixed by #66383
Labels
Bug broken, incorrect, or confusing behavior needs-triage

Comments

@jdelic
Copy link
Contributor

jdelic commented Apr 16, 2024
edited
Loading

Description
Consider the following state:

basics-tcp-out22-send-ipv6:
    nftables.append:
        - table: filter
        - chain: output
        - family: ip6
        - jump: accept
        - destination: '::/0'
        - dport: 22
        - match: state
        - connstate: new
        - proto: tcp
        - save: True

This state would create a nftables rule that allows the box to connect to port 22 on every IPv6 address out there. However, nftables.build_rule creates the following nft call:

nft add rule ip6 filter output ct state { new } ip daddr ::/0 tcp dport { 22 } accept

which leads to the following error:

Error: conflicting protocols specified: ip6 vs ip

Steps to Reproduce the behavior
Spin up an ipv6 enabled box and try to apply the above state.

Expected behavior
The correct command would read:

nft add rule ip6 filter output ct state { new } ip6 daddr ::/0 tcp dport { 22 } accept

Versions Report
I observed this with 3007.0 (Chlorine)
@jdelic jdelic added Bug broken, incorrect, or confusing behavior needs-triage labels Apr 16, 2024
jdelic added a commit to jdelic/salt that referenced this issue Apr 16, 2024
@jdelic
Fix saltstack#66382 (nftables): Produce correct ip family for rules w…
51cc19d 
…ith saddr or daddr
jdelic added a commit to jdelic/salt that referenced this issue Apr 16, 2024
@jdelic
Fix saltstack#66382 (nftables): Produce correct ip family for rules w…
8098f05 
…ith saddr or daddr
jdelic added a commit to jdelic/salt that referenced this issue Apr 16, 2024
@jdelic
Fix saltstack#66382 (nftables): Produce correct ip family for rules w…
c3f19c5 
…ith saddr or daddr
@jdelic jdelic mentioned this issue Apr 16, 2024
Merged
3 tasks
jdelic added a commit to jdelic/salt that referenced this issue Apr 16, 2024
@jdelic
Fix saltstack#66382 (nftables): Produce correct ip family for rules w…
884255c 
…ith saddr or daddr
jdelic added a commit to jdelic/salt that referenced this issue Apr 16, 2024
@jdelic
Fix saltstack#66382 (nftables): Produce correct ip family for rules w…
8ffc99c 
…ith saddr or daddr
jdelic added a commit to jdelic/salt that referenced this issue Apr 16, 2024
@jdelic
Fix saltstack#66382 (nftables): Produce correct ip family for rules w…
2c5d6ff 
…ith saddr or daddr
jdelic added a commit to jdelic/salt that referenced this issue Apr 16, 2024
@jdelic
Fix saltstack#66382 (nftables): Produce correct ip family for rules w…
15be35c 
…ith saddr or daddr
jdelic added a commit to jdelic/salt that referenced this issue Apr 16, 2024
@jdelic
Fix saltstack#66382 (nftables): Produce correct ip family for rules w…
116cea3 
…ith saddr or daddr
jdelic added a commit to jdelic/salt that referenced this issue Apr 17, 2024
@jdelic
Fix saltstack#66382 (nftables): Produce correct ip family for rules w…
2eedc09 
…ith saddr or daddr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug broken, incorrect, or confusing behavior needs-triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[3006.x] Fix #66382 (nftables): Produce correct ip family for rules with saddr or daddr jdelic/salt
1 participant
@jdelic