Nft(ables) broken?

I'm on ath79, git master which seems to have switched to nft.

The following rule:
nft add rule inet fw4 mangle_prerouting tcp flags \& \(fin\|syn\|rst\|ack\|ecn\|cwr\) == \(syn\|ecn\|cwr\) ip ecn == 2 ip ecn set 0 counter

results in invalid IP packets with a bogus IPv4 version. Also, this is shown with nft -a list ruleset:

        chain mangle_prerouting { # handle 23
                type filter hook prerouting priority mangle; policy accept;
                tcp flags syn,ecn,cwr / fin,syn,rst,ack,ecn,cwr ip ecn ect0 @nh,0,16 set @nh,0,16 & 0xffff counter packets 0 bytes 0 # handle 258
        }

which makes no sense.

Using @nh,8,8 set @nh,8,8 & 0xFC instead of ecn set 0 results in packets with invalid IPv4 header checksum.

Why is this so broken?

FW3->FW4, bunch of pending PRs if building your own.


Some debug info:

# nft --debug=netlink add rule inet fw4 mangle_prerouting tcp flags \& \(fin\|syn\|rst\|ack\|ecn\|cwr\) == \(syn\|ecn\|cwr\) ip ecn == 2 ip ecn set 0 counter
inet
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x06000000 ]
  [ payload load 1b @ transport header + 13 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0xd7000000 ) ^ 0x00000000 ]
  [ cmp eq reg 1 0xc2000000 ]
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x02000000 ]
  [ payload load 1b @ network header + 1 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x03000000 ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x02000000 ]
  [ payload load 2b @ network header + 0 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x00000000 ) ^ 0x00000000 ]
  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
  [ counter pkts 0 bytes 0 ]

Thanks, but this seems like an nft(ables) issue, not an FW3/4 issue.
I'm also not using iptables or any compatibility scripts, just plain nft to add an nftables rule.

On ath79 MIPS (big endian), part of the output of nft --debug=all:

Evaluate binop
add rule ... ip ecn == 2 ip ecn set 0 counter
                         ^^^^^^
@nh,0,16 & 0 ^ not-ect

On a non-OpenWrt Linux with the same nft version, x86:

Evaluate binop
add rule ... ip ecn == 2 ip ecn set 0 counter
                         ^^^^^^
@nh,0,16 & 65532 ^ not-ect

I've created a netfilter bug, part of it has already been fixed:
https://bugzilla.netfilter.org/show_bug.cgi?id=1581

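To make the difference between the two Evaluate binop lines above concrete, here is an added Python example (not from the thread or from nftables itself) that computes the AND mask nft should emit for `ip ecn set 0` when it loads a 16-bit word at @nh,0, and parses a binop line to list which IPv4 header fields a given mask would overwrite besides the intended one. The field layout is assumed from the IPv4 header (ecn is the low two bits of the TOS byte), and the line format is the one quoted in the posts.

```python
import re

# IPv4 header layout for the fields in play, as (byte offset, bit offset within
# that byte counted from the MSB, bit length). Assumed from RFC 791/3168: ecn is
# the low two bits of the TOS byte, so it sits 14 bits into a 16-bit load at @nh,0.
IPV4_FIELDS = {"version": (0, 0, 4), "ihl": (0, 4, 4), "dscp": (1, 0, 6), "ecn": (1, 6, 2)}

# The two `Evaluate binop` result lines quoted in the thread (big-endian ath79 vs x86).
BROKEN_ATH79 = "@nh,0,16 & 0 ^ not-ect"
CORRECT_X86 = "@nh,0,16 & 65532 ^ not-ect"

BINOP_RE = re.compile(r"@nh,(\d+),(\d+) & (\d+|0x[0-9a-fA-F]+) \^ (\S+)")

def field_mask(load_off_bits, load_len_bits, name):
    """Bits of the loaded word that belong to `name`, or 0 if it lies outside the load."""
    byte, bit, length = IPV4_FIELDS[name]
    start = byte * 8 + bit  # absolute bit index from the start of the IPv4 header
    if start < load_off_bits or start + length > load_off_bits + load_len_bits:
        return 0
    shift = load_len_bits - (start - load_off_bits) - length
    return ((1 << length) - 1) << shift

def expected_mask(load_off_bits, load_len_bits, name):
    """AND mask nft must emit so that `<field> set` leaves every other bit intact."""
    full = (1 << load_len_bits) - 1
    return full & ~field_mask(load_off_bits, load_len_bits, name)

def rewritten_fields(binop_line):
    """Parse a `@nh,off,len & mask ^ value` line and list the IPv4 header fields
    whose bits the AND mask does not preserve, i.e. everything the write overwrites."""
    m = BINOP_RE.match(binop_line.strip())
    if not m:
        raise ValueError(f"not a payload binop line: {binop_line!r}")
    off, length, mask = int(m.group(1)), int(m.group(2)), int(m.group(3), 0)
    hit = []
    for name in IPV4_FIELDS:
        fm = field_mask(off, length, name)
        if fm and (mask & fm) != fm:
            hit.append(name)
    return hit

def unintended_rewrites(binop_line, target):
    """Fields clobbered besides the one the rule meant to set; empty means the mask is sane."""
    return [f for f in rewritten_fields(binop_line) if f != target]

if __name__ == "__main__":
    print("expected mask for ip ecn set 0:", expected_mask(0, 16, "ecn"))  # 65532
    for line in (BROKEN_ATH79, CORRECT_X86):
        print(line, "->", unintended_rewrites(line, "ecn") or "ok")
```

With the big-endian mask of 0 the write zeroes version, IHL and DSCP along with ecn, which is why the resulting packets carry a bogus IPv4 version.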