<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - xtables-monitor --trace segfaults running inside a container"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1476">1476</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>xtables-monitor --trace segfaults running inside a container
</td>
</tr>
<tr>
<th>Product</th>
<td>bugzilla
</td>
</tr>
<tr>
<th>Version</th>
<td>other
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>netfilter bugzilla
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>antonio.ojea.garcia@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=610" name="attach_610" title="xtrace-monitor coredump">attachment 610</a> <a href="attachment.cgi?id=610&action=edit" title="xtrace-monitor coredump">[details]</a></span>
xtrace-monitor coredump
Server: CentOS Linux release 8.2.2004 (Core) iptables v1.8.4 (nf_tables)
docker-ce-19.03.13-3.el7.x86_64
docker-ce-cli-19.03.13-3.el7.x86_64
kind v0.9.0 <a href="https://github.com/kubernetes-sigs/kind">https://github.com/kubernetes-sigs/kind</a>
I'm running Kubernetes inside containers with KIND, this has several layers of
"virtualization". Docker installs iptables rules in the host and the container,
and Kubernetes installs rules inside the containers only.
I've updated the system recently, and I don't remember if it was always using
nf_tables, but, if I dump the rules in the host and in the container, it always
has the
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
However, the host does not have iptables-legacy-save
iptables-libs-1.8.4-10.el8_2.1.x86_64
iptables-ebtables-1.8.4-10.el8_2.1.x86_64
iptables-1.8.4-10.el8_2.1.x86_64
I've tried to debug some iptables problems inside the container, enabling the
corresponding modules:
modprobe -v ipt_LOG
modprobe -v nf_log_ipv4
setting the sysctl parameters:
sysctl net.netfilter.nf_log.2=nf_log_ipv4
net.netfilter.nf_log_all_netns=1
and adding the corresponding rules:
iptables-nft -L -t raw
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TRACE udp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TRACE udp -- anywhere anywhere
# Warning: iptables-legacy tables present, use iptables-legacy to see them
I ran this in another system to double check, and it was using Fedora 32 that
uses iptables-legacy and it worked, but for this system it seems I have to use
xtables-monitor --trace (Thanks to Florian Westphal for the clarification).
When I run xtables-monitor --trace inside the container, after one packet hits
the rules it segfaults.
The kernel logs show traces and the segfault
[12658.438467] xtables-monitor[184521]: segfault at 98 ip 0000560c19b67046 sp
00007ffd4f203e40 error 4 in xtables-nft-multi[560c19b5d000+1e000]
[12658.438473] Code: 8d 7c 24 10 e8 cb 79 ff ff 48 8d 7c 24 10 4c 89 fa 4c 89
e6 48 89 44 24 08 b9 24 00 00 00 31 c0 4c 8b 75 58 f3 48 ab 48 89 ef <41> ff 96
98 00 00 00 41 f7 c5 02 04 00 00 75 0e 49 8b 46 68 48 85
[16522.113016] TRACE: nat:PREROUTING:policy:1 IN=veth6f7f5ae7 OUT=
MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=10.96.242.56
LEN=37 TOS=0x00 PREC=0x00 TTL=64 ID=28360 DF PROTO=UDP SPT=53378 DPT=80 LEN=17
[16522.113038] TRACE: filter:FORWARD:policy:1 IN=veth6f7f5ae7 OUT=eth0
MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=172.19.0.4
LEN=37 TOS=0x00 PREC=0x00 TTL=63 ID=28360 DF PROTO=UDP SPT=53378 DPT=8080
LEN=17
[16522.113053] TRACE: nat:POSTROUTING:policy:1 IN=veth6f7f5ae7 OUT=eth0
MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=172.19.0.4
LEN=37 TOS=0x00 PREC=0x00 TTL=63 ID=28360 DF PROTO=UDP SPT=53378 DPT=8080
LEN=17
[16522.113098] xtables-monitor[233587]: segfault at 98 ip 000055a8dd8a3046 sp
00007fff8685bba0 error 4 in xtables-nft-multi[55a8dd899000+1e000]
[16522.113103] Code: 8d 7c 24 10 e8 cb 79 ff ff 48 8d 7c 24 10 4c 89 fa 4c 89
e6 48 89 44 24 08 b9 24 00 00 00 31 c0 4c 8b 75 58 f3 48 ab 48 89 ef <41> ff 96
98 00 00 00 41 f7 c5 02 04 00 00 75 0e 49 8b 46 68 48 85
[16522.113185] TRACE: filter:FORWARD:policy:1 IN=eth0 OUT=veth6f7f5ae7
MAC=02:42:ac:13:00:02:02:42:ac:13:00:04:08:00 SRC=172.19.0.4 DST=10.244.2.2
LEN=39 TOS=0x00 PREC=0x00 TTL=63 ID=17515 DF PROTO=UDP SPT=8080 DPT=53378
LEN=19
I think that this is somehow related to a similar bug I opened some months
ago, that time in Ubuntu:
<a class="bz_bug_link
bz_status_NEW "
title="NEW - segfault when using iptables-nft and iptables-legacy inside a container"
href="show_bug.cgi?id=1435">https://bugzilla.netfilter.org/show_bug.cgi?id=1435</a></pre>
</div>
</p>
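As an added example (not part of the bug report or of the iptables project), the Python below parses the kernel nf_log TRACE lines quoted above, groups them per packet and lists the chain each packet traversed together with the destination seen at each hook; on the report's own lines it makes visible that 10.96.242.56:80 was rewritten to 172.19.0.4:8080 between nat:PREROUTING and filter:FORWARD, and that the segfault line is simply skipped. It assumes each log record sits on a single line, as the kernel emits it, whereas the mail above wrapped them.

```python
import re

# Constructed sample: the TRACE lines and the segfault line from the report
# above, each joined back onto one line as the kernel emits them.
SAMPLE_LOG = """\
[16522.113016] TRACE: nat:PREROUTING:policy:1 IN=veth6f7f5ae7 OUT= MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=10.96.242.56 LEN=37 TOS=0x00 PREC=0x00 TTL=64 ID=28360 DF PROTO=UDP SPT=53378 DPT=80 LEN=17
[16522.113038] TRACE: filter:FORWARD:policy:1 IN=veth6f7f5ae7 OUT=eth0 MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=172.19.0.4 LEN=37 TOS=0x00 PREC=0x00 TTL=63 ID=28360 DF PROTO=UDP SPT=53378 DPT=8080 LEN=17
[16522.113053] TRACE: nat:POSTROUTING:policy:1 IN=veth6f7f5ae7 OUT=eth0 MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=172.19.0.4 LEN=37 TOS=0x00 PREC=0x00 TTL=63 ID=28360 DF PROTO=UDP SPT=53378 DPT=8080 LEN=17
[16522.113098] xtables-monitor[233587]: segfault at 98 ip 000055a8dd8a3046 sp 00007fff8685bba0 error 4 in xtables-nft-multi[55a8dd899000+1e000]
[16522.113185] TRACE: filter:FORWARD:policy:1 IN=eth0 OUT=veth6f7f5ae7 MAC=02:42:ac:13:00:02:02:42:ac:13:00:04:08:00 SRC=172.19.0.4 DST=10.244.2.2 LEN=39 TOS=0x00 PREC=0x00 TTL=63 ID=17515 DF PROTO=UDP SPT=8080 DPT=53378 LEN=19
"""

TRACE_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] TRACE: (?P<table>\w+):(?P<chain>\w+):"
    r"(?P<kind>rule|return|policy):(?P<rulenum>\d+) (?P<rest>.*)$")

def parse_trace_line(line):
    """Parse one nf_log TRACE line into a dict; None for any other line."""
    m = TRACE_RE.match(line)
    if not m:
        return None
    rec = {"table": m["table"], "chain": m["chain"], "kind": m["kind"],
           "ts": float(m["ts"]), "rulenum": int(m["rulenum"]), "flags": []}
    for tok in m["rest"].split():
        if "=" not in tok:            # bare flags such as DF
            rec["flags"].append(tok)
            continue
        key, val = tok.split("=", 1)
        while key in rec:             # LEN repeats: IP total length, then UDP length
            key += "_l4"
        rec[key] = val
    return rec

def packet_paths(log):
    """Group TRACE records by (SRC, IP ID): the chains each packet hit and the DST:DPT seen there."""
    paths = {}
    for line in log.splitlines():
        rec = parse_trace_line(line)
        if rec is None:               # non-TRACE lines (e.g. the segfault) are skipped
            continue
        hop = ("%s:%s:%s:%d" % (rec["table"], rec["chain"], rec["kind"], rec["rulenum"]),
               "%s:%s" % (rec["DST"], rec["DPT"]))
        paths.setdefault((rec["SRC"], rec["ID"]), []).append(hop)
    return paths

def dnat_observed(path):
    """True when the destination changes between hooks, i.e. a nat rule rewrote it."""
    return len({dst for _, dst in path}) > 1
```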
</body>
</html>