From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>, Jan Engelhardt <jengelh@inai.de>,
	Erik Skultety <eskultet@redhat.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [iptables PATCH] iptables: xshared: Ouptut '--' in the opt field in ipv6's fake mode
Date: Sat, 23 Jul 2022 11:47:56 +0200	[thread overview]
Message-ID: <YtvDzOxd1/eEMaFo@orbyte.nwl.cc> (raw)
In-Reply-To: <YtgpJ9FNZmmuniLV@nautilus.home.lan>

Hi,

On Wed, Jul 20, 2022 at 06:11:19PM +0200, Erik Skultety wrote:
[...]
> Hmm, the only reason why I submitted this change is because our libvirt test
> suite suddenly started failing on CentOS Stream 9 and only on CS9. Now, the
> test suite is flawed in its own way checking libvirt actions against iptables
> CLI output (yes, very fragile), but at the time the tests were written there
> essentially wasn't a programmatic way of checking the changes like we could do
> today with the nftables library and its JSON formatter.
> So I investigated what's changed on CentOS Stream 9 compared to CS8 or Fedora
> 35/36 and it turned out that CS9 ships iptables-nft 1.8.8 while e.g. Fedora 36
> ships 1.8.7 (so we're bound to failures there as well in the future).
> 
> Let me describe the output difference in between the 2 versions of iptables:
> 
> < v1.8.8
> # ip6tables -L FI-tck-7081731
> Chain FI-tck-7081731 (1 references)
> target     prot opt source               destination
> RETURN     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f         MAC01:02:03:04:05:06 DSCP match 0x02 ipv6-icmptype 12 code 11 ctstate NEW,ESTABLISHED
>     *** NOTE ^^HERE ***
> 
> >= v1.8.8
> ip6tables -L FI-tck-7081731
> Chain FI-tck-7081731 (1 references)
> target     prot opt source               destination
> RETURN     ipv6-icmp    f:e:d::c:b:a/127     a:b:c::d:e:f         MAC01:02:03:04:05:06 DSCP match 0x02 ipv6-icmptype 12 code 11 ctstate NEW,ESTABLISHED
>       *** NOTE ^^HERE ***
> 
> If my detective work was correct it was caused by commit
> b6196c7504d4d41827cea86c167926125cdbf1f3 which swapped the order of the
> protocol keys in the 'xtables_chain_protos'.

Yes, the goal was to avoid changes in output given typical /etc/protocol
contents - it prefers "ipv6-icmp" over "icmpv6" for protocol 58 at least
on my systems.

I would suggest not relying upon human-readable names for protocol
numbers, but in fact there's no way out: iptables consolidates its
internal protocol names list even if --numeric was given.

Another bug I found while playing around is this:

| # iptables -A FORWARD -p icmpv6
| # iptables -vnL FORWARD
| Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
|  pkts bytes target     prot opt in     out     source               destination
|     0     0            ipv6-icmp--  *      *       0.0.0.0/0            0.0.0.0/0

print_rule_details() does not append a space after the protocol name if it is
longer or equal to five characters.

Both bugs seem to have existed since day 1; I'm still tempted to fix them, i.e.:

- Print protocol numbers with --numeric
- Adjust the protocol format string from "%-5s" to "%-4s " for protocol
  names and from "%-5hu" to "%-4hu " for protocol numbers to force a
  single white space

Objections anyone?

Thanks, Phil
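The print_rule_details() width bug described in the message above, as an added example that is not iptables or libvirt code: it mimics the "prot"/"opt" column layout with the original "%-5s" format and the proposed "%-4s " replacement, and a whitespace tokenizer (standing in for a column-parsing test harness like the one the thread describes) shows why the glued "ipv6-icmp--" token breaks such tests. Protocol names and the "--" opt value are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not iptables code. Lays out the "prot" and "opt"
 * columns of one `iptables -vnL` row. With fixed == 0 the original
 * "%-5s" format is used; with fixed != 0 the proposed "%-4s " one. */
static int format_prot_opt(char *buf, size_t len, const char *proto,
                           const char *opt, int fixed)
{
    /* "%-5s" is a minimum width, not a maximum: a 4-char name such as
     * "icmp" is padded to 5, but a 9-char "ipv6-icmp" is printed as-is
     * with no trailing pad and runs straight into the opt column.
     * "%-4s " pads to 4 and then always emits one literal space. */
    const char *fmt = fixed ? "%-4s %s" : "%-5s%s";
    return snprintf(buf, len, fmt, proto, opt);
}

/* Count whitespace-separated fields, the way a naive test harness
 * tokenizes a listing row. The glued form yields one field instead of
 * the two the harness expects. */
static int count_fields(const char *row)
{
    int n = 0, in_field = 0;
    for (; *row; row++) {
        if (*row == ' ' || *row == '\t')
            in_field = 0;
        else if (!in_field) {
            in_field = 1;
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed protocol names: below, at and above the 5-char width. */
    const char *protos[] = { "icmp", "icmpv6", "ipv6-icmp" };
    char buf[64];

    for (size_t i = 0; i < sizeof protos / sizeof protos[0]; i++) {
        format_prot_opt(buf, sizeof buf, protos[i], "--", 0);
        printf("original: [%s] fields=%d\n", buf, count_fields(buf));
        format_prot_opt(buf, sizeof buf, protos[i], "--", 1);
        printf("fixed:    [%s] fields=%d\n", buf, count_fields(buf));
    }
    return 0;
}
```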
