<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - SIGSEGV on loading tables"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1282">1282</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>SIGSEGV on loading tables
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Ubuntu
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>pawel.krawczyk@hush.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=549" name="attach_549" title="strace with kernel response">attachment 549</a> <a href="attachment.cgi?id=549&action=edit" title="strace with kernel response">[details]</a></span>
strace with kernel response
The following configuration crashes nftables. I run "nft -e -f main.conf" and
nft crashes, apparently on response from kernel (strace attached). When I run
without -e option it just silently fails.
#!/usr/sbin/nft -f
add table inet main
add set inet main tcp_public { type inet_service; }
add set inet main udp_public { type inet_service; }
add set inet main udp_trusted { type inet_service; }
add set inet main tcp_trusted { type inet_service; }
add set inet main blacklist { type ipv4_addr; flags interval; }
add set inet main ossec4 { type ipv4_addr; }
add set inet main ossec6 { type ipv6_addr; }
add set inet main trusted6 { type ipv6_addr; flags interval; }
add set inet main trusted4 { type ipv4_addr; }
add element inet main tcp_public { ssh }
add element inet main udp_trusted { ntp }
# otto delegated_ipv6
add element inet main trusted6 { 2a01:4f8:13b:29a3::/64 }
# asus delegated_ipv6
add element inet main trusted6 { 2a02:390:79ef::/48 }
# worker delegated_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:6d6c::/64 }
# worker2 delegated_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:76dd::/64 }
# nadia ansible_default_ipv6
add element inet main trusted6 { 2607:fcd0:0:33:1234:1234:1201:f7 }
# tyler delegated_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:7d3::/64 }
# ubuntu ansible_default_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:45c1::1 }
add element inet main trusted4 { 94.130.162.156 }
add element inet main trusted4 { 91.135.7.108 }
add element inet main trusted4 { 159.69.148.50 }
add element inet main trusted4 { 159.69.156.79 }
add element inet main trusted4 { 98.143.148.171 }
add element inet main trusted4 { 159.69.33.57 }
add element inet main trusted4 { 159.69.146.174 }
chain inet main input {
type filter hook input priority 50; policy drop
iifname lo accept
ip6 saddr @ossec6 ct state new counter log prefix "OSSEC6 " drop
ip saddr @ossec4 ct state new counter log prefix "OSSEC4 " drop
ip saddr @blacklist tcp dport ssh ct state new counter log prefix
"BLACKLIST " drop
tcp dport @tcp_public ct state new counter accept
udp dport @udp_public ct state new counter accept
ct state established,related counter accept
ip protocol icmp counter accept
ip6 nexthdr ipv6-icmp accept
ip saddr @trusted4 ip protocol esp ct state new counter accept
ip saddr @trusted4 tcp dport @tcp_trusted ct state new counter accept
ip saddr @trusted4 udp dport @udp_trusted ct state new counter accept
ip6 saddr @trusted6 ip6 nexthdr esp counter accept
ip6 saddr @trusted6 tcp dport @tcp_trusted ct state new counter accept
ip6 saddr @trusted6 udp dport @udp_trusted ct state new counter accept
}</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>