** Changed in: linux-bluefield (Ubuntu Focal)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-bluefield in Ubuntu.
https://bugs.launchpad.net/bugs/2006397
Title:
nft_lookup crash when running DDOS attack
Status in linux-bluefield package in Ubuntu:
Invalid
Status in linux-bluefield source package in Focal:
Fix Committed
Bug description:
* Explain the bug
Running DDOS test on tcp port 22 will trigger kernel crash.
* Brief explanation of fixes
Do not update stateful expressions if lookup is inverted
* How to test
Configuration nftables with config file below:
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0
jump filter_ssh
}
chain filter_ssh {
tcp dport { 22 } ct state new accept
}
}
* {22}: {} is mandatory to repro
If we don’t add {}, nft_lookup_eval function is never called and kernel crush
isn’t reproduced.
Then apply nft by doing:
# nft -f temp_nftables.conf
Start hping3 from peer:
# hping3 -I {Host Device} -p 22 -d 52 {SmartNIC IP Address} --flood
DPU side will crash with kernel call trace without this fix.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/2006397/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
