On Fri, Feb 9, 2024 at 9:03 AM Ignat Korchagin <ignat@xxxxxxxxxxxxxx> wrote:
>
> On Fri, Feb 9, 2024 at 12:38 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >
> > Hi,
>
> Thanks for the prompt reply
>
> > On Fri, Feb 09, 2024 at 12:19:54PM +0000, Ignat Korchagin wrote:
> > > Commit 67ee37360d41 ("netfilter: nf_tables: validate NFPROTO_* family") added
> > > some validation of NFPROTO_* families in nftables, but it broke our use case for
> > > xt_bpf module:
> > >
> > > * assuming we have a simple bpf program:
> > >
> > > #include <linux/bpf.h>
> > > #include <bpf/bpf_helpers.h>
> > >
> > > char _license[] SEC("license") = "GPL";
> > >
> > > SEC("socket")
> > > int prog(struct __sk_buff *skb) { return BPF_OK; }
> > >
> > > * we can compile it and pin into bpf FS:
> > > bpftool prog load bpf.o /sys/fs/bpf/test
> > >
> > > * now we want to create a following table
> > >
> > > table inet firewall {
> > > chain input {
> > > type filter hook prerouting priority filter; policy accept;
> > > bpf pinned "/sys/fs/bpf/test" drop
> >
> > This feature does not exist in the tree.
>
> Sorry - should have clarified this. We did indeed patch some userspace
> tools to support easy creation of the above table (so it is presented
> here for clarity) however we don't have any kernel-specific patches
> with respect to this and it is technically possible to craft such a
> table via raw netlink interface.
>
> In fact - I just retested it on a freshly compiled 6.6.16 vanilla
> kernel from a stable branch (with and without commit 67ee37360d41)
> with a small program that does raw netlink messages.
>
> > > }
> > > }
> > >
> > > All above used to work, but now we get EOPNOTSUPP, when creating the table.
> > >
> > > Fix this by allowing NFPROTO_INET for nft_(match/target)_validate()
> >
> > We don't support inet family for iptables.
>
> I've added Jordan Griege (Jordan, please comment) as he is likely more
> competent here than me, but appears that we used it somehow.
> For more context - we encountered this problem on 6.1 and 6.6 stable
> kernels (when commit 67ee37360d41 was backported).
I'm only so familiar with the kernel side of nftables, but I believe we are
indeed using the nftables API. The netlink messages we send to create an xt_bpf
rule in an inet table use the NFNL_SUBSYS_NFTABLES type in the netlink message
header. It's my understanding that the nftables API is capable of creating
xtables matches, thought it doesn't seem to be a goal of the nft program to
support all of them.
As Ignat said, we aren't asking for the nft program to support this case, but
it seems like a breaking change to other users of the nftables API. Am I
missing some detail of the way that the iptables and nftables systems are
separated in the kernel?
Thanks,
Jordan
