linux-image-lpia needs CONFIG_NETFILTER_XT_MATCH_RECENT

Bug #355291 reported by Jamie Strandboge
Affects               Status         Importance   Assigned to   Milestone
linux (Ubuntu)        Fix Released   High         Brad Figg
linux (Ubuntu Jaunty) Fix Released   High         Brad Figg

Bug Description

The 'recent' module of iptables is broken on lpia because the kernel is compiled without CONFIG_NETFILTER_XT_MATCH_RECENT. This is a regression over Intrepid:

$ grep RECENT ./config-2.6.2*
./config-2.6.27-4-lpia:CONFIG_IP_NF_MATCH_RECENT=m
./config-2.6.28-11-lpia:# CONFIG_NETFILTER_XT_MATCH_RECENT is not set

$ cat /proc/version_signature
Ubuntu 2.6.28-11.40-lpia
$ sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables: No chain/target/match by that name

Ufw uses this module when using the LIMIT command, which causes the firewall to not load on boot due to iptables-restore failing. Ufw users are only affected when using LIMIT rules.
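A pre-flight check for exactly this failure mode, added here as an example and not code from the bug report or from ufw: it reads a kernel config file, accepts either the 2.6.28 option name CONFIG_NETFILTER_XT_MATCH_RECENT or the 2.6.27 name CONFIG_IP_NF_MATCH_RECENT, and fails when the xtables core or the recent match is neither built in nor modular, so an administrator can spot the missing option before a LIMIT rule makes iptables-restore fail at boot. The two sample config files are constructed from the grep output above, and `check_running_kernel` assumes the booted kernel's config lives at /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example (not from the bug report or ufw): does a kernel config provide
# the netfilter 'recent' match that ufw LIMIT rules depend on?
# 2.6.28 names it CONFIG_NETFILTER_XT_MATCH_RECENT; 2.6.27 used
# CONFIG_IP_NF_MATCH_RECENT (both names appear in the bug's grep output).

# config_option_state FILE OPTION -> prints y (built in), m (module) or n
config_option_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1")
    if [ -n "$val" ]; then echo "$val"; else echo n; fi
}

# check_recent_support FILE -> 0 if the xtables core and a recent match are
# built in or modular, 1 otherwise (missing options are listed on stderr)
check_recent_support() {
    missing=""
    case $(config_option_state "$1" CONFIG_NETFILTER_XTABLES) in
        y|m) ;;
        *) missing="$missing CONFIG_NETFILTER_XTABLES" ;;
    esac
    xt=$(config_option_state "$1" CONFIG_NETFILTER_XT_MATCH_RECENT)
    ipt=$(config_option_state "$1" CONFIG_IP_NF_MATCH_RECENT)
    case "$xt$ipt" in
        *[ym]*) ;;   # either spelling of the option is enough
        *) missing="$missing CONFIG_NETFILTER_XT_MATCH_RECENT" ;;
    esac
    if [ -n "$missing" ]; then
        echo "kernel config lacks:$missing (ufw LIMIT rules will fail)" >&2
        return 1
    fi
    return 0
}

# check_running_kernel -> same check against the booted kernel's config file
# (assumes the Debian/Ubuntu /boot/config-<release> layout)
check_running_kernel() {
    check_recent_support "/boot/config-$(uname -r)"
}

# Constructed sample configs modelled on the bug's grep output; not real files.
sample_jaunty_lpia() {
    f=$(mktemp); printf '%s\n' 'CONFIG_NETFILTER_XTABLES=m' \
        '# CONFIG_NETFILTER_XT_MATCH_RECENT is not set' > "$f"; echo "$f"
}
sample_intrepid_lpia() {
    f=$(mktemp); printf '%s\n' 'CONFIG_NETFILTER_XTABLES=m' \
        'CONFIG_IP_NF_MATCH_RECENT=m' > "$f"; echo "$f"
}
```

Running `check_running_kernel` before enabling a LIMIT rule turns a silent boot-time firewall failure into an explicit error.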

Jamie Strandboge (jdstrand) wrote:

Marking importance as High as this will have security implications for users upgrading from Intrepid and because it is a clear regression.

Changed in linux (Ubuntu):
importance: Undecided → High
milestone: none → ubuntu-9.04
status: New → Triaged
tags: added: regression-potential
Jamie Strandboge (jdstrand) wrote:

I compared CONFIG_NETFILTER* on amd64 and lpia and noticed:
$ diff -Naur /tmp/lpia /tmp/amd64
--- /tmp/lpia 2009-04-05 08:30:59.000000000 -0500
+++ /tmp/amd64 2009-04-05 08:29:18.000000000 -0500
@@ -4,7 +4,7 @@
 CONFIG_NETFILTER_NETLINK=m
 CONFIG_NETFILTER_NETLINK_LOG=m
 CONFIG_NETFILTER_NETLINK_QUEUE=m
-# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_TPROXY=m
 CONFIG_NETFILTER_XTABLES=m
 CONFIG_NETFILTER_XT_MATCH_COMMENT=m
 CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
@@ -29,8 +29,10 @@
 CONFIG_NETFILTER_XT_MATCH_QUOTA=m
 CONFIG_NETFILTER_XT_MATCH_RATEEST=m
 CONFIG_NETFILTER_XT_MATCH_REALM=m
-# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_RECENT=m
+# CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT is not set
 CONFIG_NETFILTER_XT_MATCH_SCTP=m
+CONFIG_NETFILTER_XT_MATCH_SOCKET=m
 CONFIG_NETFILTER_XT_MATCH_STATE=m
 CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
 CONFIG_NETFILTER_XT_MATCH_STRING=m
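Review bot: the pair `-# CONFIG_NETFILTER_XT_MATCH_RECENT is not set` / `+CONFIG_NETFILTER_XT_MATCH_RECENT=m` is the only difference in this hunk that the bug needs; when enabling it on lpia, also carry over `# CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT is not set` as amd64 has it, so both kernels expose the same /proc interface for the match. The `+CONFIG_NETFILTER_XT_MATCH_SOCKET=m` line belongs with the TPROXY options from the first hunk and is a separate alignment decision.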
@@ -49,4 +51,5 @@
 CONFIG_NETFILTER_XT_TARGET_SECMARK=m
 CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
 # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+CONFIG_NETFILTER_XT_TARGET_TPROXY=m
 CONFIG_NETFILTER_XT_TARGET_TRACE=m
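Review bot: `+CONFIG_NETFILTER_XT_TARGET_TPROXY=m` here goes together with `+CONFIG_NETFILTER_TPROXY=m` in the first hunk; since the comment below states that only CONFIG_NETFILTER_XT_MATCH_RECENT is required for this bug, the TPROXY set should be handled as its own config-alignment change rather than folded into this fix.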

While I believe CONFIG_NETFILTER_XT_MATCH_RECENT is all that is needed for this bug to be resolved, it is likely a good idea to have CONFIG_NETFILTER* be the same for all kernels.

Steve Beattie (sbeattie)
Changed in linux (Ubuntu Jaunty):
assignee: nobody → canonical-kernel-team
Brad Figg (brad-figg)
Changed in linux (Ubuntu Jaunty):
assignee: canonical-kernel-team → brad-figg
status: Triaged → In Progress
Tim Gardner (timg-tpi) wrote:
Changed in linux (Ubuntu Jaunty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 2.6.28-11.41

---------------
linux (2.6.28-11.41) jaunty; urgency=low

  [ Amit Kucheria ]

  * ixp4xx: Enabled TCP SYN_COOKIES
    - LP: #346378

  [ Brad Figg ]

  * Change LPIA configuration to compile with CONFIG_NETFILTER_XT_MATCH_RECENT
    - LP: #355291

  [ Kay Sievers ]

  * SAUCE: driver core: allow non-root users to listen to uevents
    - LP: #357124

  [ Manoj Iyer ]

  * SAUCE: Added quirk to recognize GE0301 3G modem as an interface.
    - LP: #348861

  [ Tim Gardner ]

  * Revert "SAUCE: [i915] allocate MCHBAR space & enable if necessary"
    Appears to cause hard locks in some cases.
    - LP: #349314

  [ Trond Myklebust ]

  * SAUCE: NFS: Fix the notifications when renaming onto an existing file
    - LP: #224642

  [ Upstream Kernel Changes ]

  * USB: option: add QUANTA HSDPA Data Card device ids
    - LP: #353321
  * hwmon: (abituguru3) Match partial DMI board name strings
    - LP: #298798
  * zd1211rw: adding Sitecom WL-603 (0df6:0036) to the USB id list
    - LP: #339631
  * USB: unusual dev for Option N.V. ZeroCD modems
    - LP: #348861

 -- Tim Gardner <email address hidden> Sat, 04 Apr 2009 08:42:14 -0600

Changed in linux (Ubuntu Jaunty):
status: Fix Committed → Fix Released