<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - iptables-nft -S hangs if not run as root"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1393">1393</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>iptables-nft -S hangs if not run as root
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>other
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>iptables over nftable
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>kfm@plushkava.net
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=581" name="attach_581" title="iptables-nft-trace.txt.xz">attachment 581</a></span>
iptables-nft-trace.txt.xz

As per the summary. The steps to reproduce here are to initialize a ruleset:

  printf '%s\n' '*filter' :{INPUT,FORWARD,OUTPUT}' ACCEPT [0:0]' COMMIT |
    iptables-nft-restore

Then, to run the following under an ordinary user account:

  timeout 5 strace -o iptables-nft-trace.txt iptables-nft -S

In my case, iptables-nft never exits. That is why I have used GNU timeout to
constrain the execution time and the size of the trace, which would otherwise
grow to enormous proportions.

The machine in question is running Arch Linux, with the following components:

  Linux 5.4.6
  glibc-2.30
  iptables-nft-1.8.3
  libnfnetlink-1.0.1
  libnetfilter_conntrack-1.0.7
  libnftnl-1.1.5
  nftables-0.9.3

The trace is attached.</pre>
        </div>
      </p>
    </body>
</html>