Bug 1292 - issue with -f fragment option
Summary: issue with -f fragment option
Status: RESOLVED FIXED
Alias: None
Product: nftables
Classification: Unclassified
Component: iptables-nft (show other bugs)
Version: unspecified
Hardware: x86_64 Debian GNU/Linux
Importance: P5 normal
Assignee: Pablo Neira Ayuso
Reported: 2018-11-11 19:48 CET by Arturo Borrero Gonzalez
Modified: 2018-11-11 22:11 CET
Description Arturo Borrero Gonzalez 2018-11-11 19:48:19 CET
From Debian BTS: https://bugs.debian.org/913088

There seem to be some issues with the '-f' option in iptables-nft.
Apparently it is not only in the printing code path but probably also in the expr generation code. See the original bug report in Debian for more tests and details.


==== 8< ====
Note the output of iptables-translate:

    iptables-translate -A INPUT -f -j DROP
    nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 counter drop

However, if I execute this command:

    iptables -A INPUT -f -j DROP

The following is added (output of 'nft list table filter'):

    table ip filter {
        chain INPUT {
            ...
            ip frag-off & 65311 != 0 counter packets 0 bytes 0 drop
        }
        ...
    }

Note: 65311 (dec) = 0xff1f and not 0x1ffff. Could it be that the byte 
order for the mask is somehow swapped?
==== 8< ====
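To make the suspected byte-order swap concrete, here is an added example (not code from the page, from iptables or from nftables) that reproduces the effect described above in plain C. It models the match the way an nft bitwise expression works, as a mask ANDed against the raw two bytes of the IPv4 flags/fragment-offset field; the exact iptables-nft code path is not shown on this page and is an assumption. The IPv4 headers are constructed sample input, and the helper names (`later_fragment_correct`, `later_fragment_buggy`, `buggy_mask_as_printed`) are hypothetical. The buggy variant loads the host-order mask 0x1fff without `htons()`, which on an x86_64 host leaves the bytes ff 1f in the register, the 0xff1f (65311) shown in the report, and it both matches DF-only unfragmented packets and misses fragments whose offset lives in the upper bits of the low byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Host-order mask for the 13-bit fragment offset inside the IPv4
 * "flags + fragment offset" field (bytes 6-7 of the header). The
 * top three bits are the reserved, DF and MF flags. */
#define IP_OFFMASK 0x1fff

static int host_is_little_endian(void)
{
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Build a minimal 20-byte IPv4 header (constructed sample input) with
 * the given flags+offset value written big-endian, as on the wire. */
static void make_ipv4_header(uint8_t hdr[20], uint16_t flags_and_offset)
{
    uint16_t be = htons(flags_and_offset);
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                 /* version 4, IHL 5 */
    hdr[3] = 20;                   /* total length */
    memcpy(hdr + 6, &be, 2);       /* flags + fragment offset */
    hdr[8] = 64;                   /* TTL */
    hdr[9] = 17;                   /* protocol: UDP */
}

/* Read bytes 6-7 raw, without byte-swapping: this is how a 2-byte
 * payload register holds the field before a bitwise mask is applied
 * (assumption: modelled after nft's payload + bitwise expressions). */
static uint16_t raw_frag_field(const uint8_t *hdr)
{
    uint16_t v;
    memcpy(&v, hdr + 6, sizeof v);
    return v;
}

/* Correct "-f" semantics: the mask is converted to network byte order
 * before it is ANDed with the raw field, so only the 13 offset bits
 * are tested. */
static int later_fragment_correct(const uint8_t *hdr)
{
    return (raw_frag_field(hdr) & htons(IP_OFFMASK)) != 0;
}

/* Buggy variant: the host-order mask is used as-is. On a little-endian
 * host the register then contains the bytes ff 1f, which nft prints
 * as 0xff1f == 65311, the value shown in the report. */
static int later_fragment_buggy(const uint8_t *hdr)
{
    uint16_t mask = IP_OFFMASK;    /* missing htons() */
    return (raw_frag_field(hdr) & mask) != 0;
}

/* The mask value nft would print: the register bytes read big-endian. */
static unsigned buggy_mask_as_printed(void)
{
    uint16_t mask = IP_OFFMASK;
    return ntohs(mask);
}

/* Convenience wrappers: build a header with this flags+offset value and
 * run each match on it. */
static int correct_for(uint16_t flags_and_offset)
{
    uint8_t hdr[20];
    make_ipv4_header(hdr, flags_and_offset);
    return later_fragment_correct(hdr);
}

static int buggy_for(uint16_t flags_and_offset)
{
    uint8_t hdr[20];
    make_ipv4_header(hdr, flags_and_offset);
    return later_fragment_buggy(hdr);
}

int main(void)
{
    static const struct { uint16_t fo; const char *what; } cases[] = {
        { 0x0000, "unfragmented, no flags" },
        { 0x4000, "DF set, offset 0 (unfragmented)" },
        { 0x2001, "MF set, offset 1" },
        { 0x0040, "last fragment, offset 64 (512 bytes)" },
    };
    printf("host little-endian: %d\n", host_is_little_endian());
    printf("buggy mask prints as 0x%04x (%u)\n",
           buggy_mask_as_printed(), buggy_mask_as_printed());
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-40s correct=%d buggy=%d\n", cases[i].what,
               correct_for(cases[i].fo), buggy_for(cases[i].fo));
    return 0;
}
```

On an x86_64 host the DF-only packet (0x4000) is wrongly matched by the buggy variant and the last fragment at offset 64 (0x0040) is missed, while the correct variant gets both right; on a big-endian host the two variants agree, which is why a missing `htons()` on a mask is easy to overlook until the rule is listed back and the swapped value shows up.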
Comment 1 Florian Westphal 2018-11-11 22:11:57 CET
(In reply to Arturo Borrero Gonzalez from comment #0)
> Note: 65311 (dec) = 0xff1f and not 0x1ffff. Could it be that the byte 
> order for the mask is somehow swapped?

Yes, I've pushed a fix.
http://git.netfilter.org/iptables/commit/?id=05947c82232e3a3d20f93a1ba18e35e7f4e23671