[Bug 1476] New: xtables-monitor --trace segfaults running inside a container

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed Oct 14 16:35:56 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1476

            Bug ID: 1476
           Summary: xtables-monitor --trace segfaults running inside a
                    container
           Product: bugzilla
           Version: other
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: netfilter bugzilla
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: antonio.ojea.garcia at gmail.com

Created attachment 610
  --> https://bugzilla.netfilter.org/attachment.cgi?id=610&action=edit
xtrace-monitor coredump

Server: CentOS Linux release 8.2.2004 (Core) iptables v1.8.4 (nf_tables)
docker-ce-19.03.13-3.el7.x86_64
docker-ce-cli-19.03.13-3.el7.x86_64
kind v0.9.0 https://github.com/kubernetes-sigs/kind

I'm running Kubernetes inside containers with KIND; this has several layers of
"virtualization". Docker installs iptables rules on the host and in the container,
and Kubernetes installs rules inside the containers only.

I've updated the system recently, and I don't remember if it was always using
nf_tables, but if I dump the rules on the host and in the container, it always
has the
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

However, the host does not have iptables-legacy-save

iptables-libs-1.8.4-10.el8_2.1.x86_64
iptables-ebtables-1.8.4-10.el8_2.1.x86_64
iptables-1.8.4-10.el8_2.1.x86_64

I've tried to debug some iptables problems inside the container, enabling the
corresponding modules:

modprobe -v ipt_LOG
modprobe -v nf_log_ipv4

and setting the sysctl parameters:

sysctl net.netfilter.nf_log.2=nf_log_ipv4
net.netfilter.nf_log_all_netns=1

and adding the corresponding rules:

iptables-nft -L -t raw
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
TRACE      udp  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
TRACE      udp  --  anywhere             anywhere            
# Warning: iptables-legacy tables present, use iptables-legacy to see them

I ran this on another system to double check; it was Fedora 32, which uses
iptables-legacy, and it worked, but on this system it seems I have to use
xtables-monitor --trace (thanks to Florian Westphal for the clarification).

When I run xtables-monitor --trace inside the container, after one packet hits
the rules it segfaults.


The kernel logs show traces and the segfault

12658.438467] xtables-monitor[184521]: segfault at 98 ip 0000560c19b67046 sp
00007ffd4f203e40 error 4 in xtables-nft-multi[560c19b5d000+1e000]
[12658.438473] Code: 8d 7c 24 10 e8 cb 79 ff ff 48 8d 7c 24 10 4c 89 fa 4c 89
e6 48 89 44 24 08 b9 24 00 00 00 31 c0 4c 8b 75 58 f3 48 ab 48 89 ef <41> ff 96
98 00 00 00 41 f7 c5 02 04 00 00 75 0e 49 8b 46 68 48 85
[16522.113016] TRACE: nat:PREROUTING:policy:1 IN=veth6f7f5ae7 OUT=
MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=10.96.242.56
LEN=37 TOS=0x00 PREC=0x00 TTL=64 ID=28360 DF PROTO=UDP SPT=53378 DPT=80 LEN=17 
[16522.113038] TRACE: filter:FORWARD:policy:1 IN=veth6f7f5ae7 OUT=eth0
MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=172.19.0.4
LEN=37 TOS=0x00 PREC=0x00 TTL=63 ID=28360 DF PROTO=UDP SPT=53378 DPT=8080
LEN=17 
[16522.113053] TRACE: nat:POSTROUTING:policy:1 IN=veth6f7f5ae7 OUT=eth0
MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=172.19.0.4
LEN=37 TOS=0x00 PREC=0x00 TTL=63 ID=28360 DF PROTO=UDP SPT=53378 DPT=8080
LEN=17 
[16522.113098] xtables-monitor[233587]: segfault at 98 ip 000055a8dd8a3046 sp
00007fff8685bba0 error 4 in xtables-nft-multi[55a8dd899000+1e000]
[16522.113103] Code: 8d 7c 24 10 e8 cb 79 ff ff 48 8d 7c 24 10 4c 89 fa 4c 89
e6 48 89 44 24 08 b9 24 00 00 00 31 c0 4c 8b 75 58 f3 48 ab 48 89 ef <41> ff 96
98 00 00 00 41 f7 c5 02 04 00 00 75 0e 49 8b 46 68 48 85
[16522.113185] TRACE: filter:FORWARD:policy:1 IN=eth0 OUT=veth6f7f5ae7
MAC=02:42:ac:13:00:02:02:42:ac:13:00:04:08:00 SRC=172.19.0.4 DST=10.244.2.2
LEN=39 TOS=0x00 PREC=0x00 TTL=63 ID=17515 DF PROTO=UDP SPT=8080 DPT=53378
LEN=19 



I think that this is somehow related to a similar bug I opened some months
ago, that time on Ubuntu:
https://bugzilla.netfilter.org/show_bug.cgi?id=1435
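When xtables-monitor crashes as it does here, the kernel ring buffer is still a usable source for the same TRACE events (the reporter already has net.netfilter.nf_log_all_netns=1 set, so traces from the container's network namespace land in the host's dmesg). The script below is an added example, not part of the bug report or of the iptables project: it parses kernel TRACE lines of the form "TRACE: table:chain:verdict:rulenum KEY=VALUE ...", skips unrelated lines such as the segfault message, groups the hops that belong to one packet, and reports which address fields were rewritten between hops, which makes the DNAT done by nat:PREROUTING (10.96.242.56:80 to 172.19.0.4:8080) visible at a glance. The sample log is copied from the report above with the wrapped lines re-joined. Grouping packets by (IP ID, PROTO, SPT) is an assumption chosen because DNAT rewrites DST and DPT but leaves the IP ID and source port alone; IP IDs can repeat, so treat the grouping as a heuristic.

```python
import re
import sys
from collections import OrderedDict

# Kernel log excerpt copied from the bug report, with wrapped lines re-joined.
# The xtables-monitor segfault line is kept on purpose: it must be ignored.
SAMPLE_LOG = """\
[16522.113016] TRACE: nat:PREROUTING:policy:1 IN=veth6f7f5ae7 OUT= MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=10.96.242.56 LEN=37 TOS=0x00 PREC=0x00 TTL=64 ID=28360 DF PROTO=UDP SPT=53378 DPT=80 LEN=17
[16522.113038] TRACE: filter:FORWARD:policy:1 IN=veth6f7f5ae7 OUT=eth0 MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=172.19.0.4 LEN=37 TOS=0x00 PREC=0x00 TTL=63 ID=28360 DF PROTO=UDP SPT=53378 DPT=8080 LEN=17
[16522.113053] TRACE: nat:POSTROUTING:policy:1 IN=veth6f7f5ae7 OUT=eth0 MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=172.19.0.4 LEN=37 TOS=0x00 PREC=0x00 TTL=63 ID=28360 DF PROTO=UDP SPT=53378 DPT=8080 LEN=17
[16522.113098] xtables-monitor[233587]: segfault at 98 ip 000055a8dd8a3046 sp 00007fff8685bba0 error 4 in xtables-nft-multi[55a8dd899000+1e000]
[16522.113185] TRACE: filter:FORWARD:policy:1 IN=eth0 OUT=veth6f7f5ae7 MAC=02:42:ac:13:00:02:02:42:ac:13:00:04:08:00 SRC=172.19.0.4 DST=10.244.2.2 LEN=39 TOS=0x00 PREC=0x00 TTL=63 ID=17515 DF PROTO=UDP SPT=8080 DPT=53378 LEN=19
"""

# "[ts] TRACE: table:chain:verdict:rulenum rest".  The opening bracket is
# optional because pasted dmesg output sometimes loses it.
TRACE_RE = re.compile(
    r"^\[?\s*(?P<ts>\d+\.\d+)\]\s+TRACE:\s+"
    r"(?P<table>[^:\s]+):(?P<chain>[^:\s]+):(?P<verdict>[^:\s]+)"
    r"(?::(?P<rulenum>\d+))?\s+(?P<rest>.*)$"
)


def parse_trace_line(line):
    """Return a dict for a TRACE line, or None for anything else."""
    m = TRACE_RE.match(line)
    if m is None:
        return None
    fields, flags = {}, []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # LEN appears twice (IP total length, then UDP length);
            # keep the first occurrence so LEN means the IP length.
            fields.setdefault(key, value)
        else:
            flags.append(tok)  # bare tokens such as DF
    rulenum = m.group("rulenum")
    return {
        "ts": float(m.group("ts")),
        "table": m.group("table"),
        "chain": m.group("chain"),
        "verdict": m.group("verdict"),
        "rulenum": int(rulenum) if rulenum is not None else None,
        "fields": fields,
        "flags": flags,
    }


def packet_key(entry):
    """Heuristic identity of one packet across hops (assumption: DNAT leaves
    the IP ID and the source port untouched, so these survive rewriting)."""
    f = entry["fields"]
    return (f.get("ID"), f.get("PROTO"), f.get("SPT"))


def build_paths(log_text):
    """Group TRACE hops per packet, preserving the order they were logged."""
    paths = OrderedDict()
    for line in log_text.splitlines():
        entry = parse_trace_line(line)
        if entry is not None:
            paths.setdefault(packet_key(entry), []).append(entry)
    return paths


def format_hop(entry):
    f = entry["fields"]
    verdict = entry["verdict"]
    if entry["rulenum"] is not None:
        verdict = f"{verdict}:{entry['rulenum']}"
    return (f"{entry['table']}:{entry['chain']}:{verdict} "
            f"{f.get('SRC')}:{f.get('SPT')}->{f.get('DST')}:{f.get('DPT')}")


def detect_rewrites(hops):
    """List (hop_index, field, old, new) for address/port fields that changed
    between consecutive hops; a change after nat:PREROUTING is a DNAT."""
    changes = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1]["fields"], hops[i]["fields"]
        for key in ("SRC", "SPT", "DST", "DPT"):
            if prev.get(key) != cur.get(key):
                changes.append((i, key, prev.get(key), cur.get(key)))
    return changes


def summarize(log_text):
    """Map each packet key to its list of formatted hops."""
    return {key: [format_hop(h) for h in hops]
            for key, hops in build_paths(log_text).items()}


if __name__ == "__main__":
    # Usage: dmesg | python3 trace_path.py   (falls back to the sample log)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, hops in build_paths(text).items():
        print(f"packet id={key[0]} proto={key[1]} spt={key[2]}")
        for hop in hops:
            print("  " + format_hop(hop))
        for i, field, old, new in detect_rewrites(hops):
            print(f"  rewrite before hop {i}: {field} {old} -> {new}")
```

The forward packet shows up as three hops with DST and DPT rewritten between nat:PREROUTING and filter:FORWARD, and the reply is a separate single-hop packet; the segfault line is silently skipped. Because the filter is a per-packet grouping rather than a live monitor, it also works on a log saved after the fact, which is the situation the report ends up in.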
