<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - including list ruleset in a transaction leads to coredump"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1500">1500</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>including list ruleset in a transaction leads to coredump
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Debian GNU/Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>arturo@netfilter.org
</td>
</tr></table>
<p>
<div>
<pre>Original bug report in the Debian bug tracker:
<a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982576">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982576</a>
NOTE: to easily test a nft firewall in isolation, create a dummy netns:
sudo ip netns add test
sudo ip netns exec test nft --file test.nft
This minimal ruleset causes a core dump:
#!/usr/sbin/nft --file
# This is like "flush ruleset" except only flushes THIS ruleset, not ALL
rulesets.
# In particular, it leaves the dynamic sshguard/fail2ban deny lists
untouched.
add table A # idempotent
delete table A # not idempotent
table A {
chain B {
tcp dport {1,2} accept
}
}
list ruleset
Commenting out "list ruleset" prevents the core dump.
Having done so, a subsequent "nft list ruleset" works fine.
Putting "list ruleset" at the bottom of the ruleset routinely prints
wrong output (see below), but this is the first time I've seen it
disable the entire firewall!
On buster-backports (nftables 0.9.6-1~bpo10+1),
the same ruleset does NOT trigger a segfault.
Instead it prints this output:
table ip A {
}
And a subsequent call to "nft list ruleset" prints this output:
table ip A {
chain B {
tcp dport { 1, 2 } accept
}
}
The core dump looks like this (sorry, I don't have -dbg set up):
cyber@light:~$ sudo coredumpctl info 9427
PID: 9427 (nft)
UID: 0 (root)
GID: 0 (root)
Signal: 11 (SEGV)
Timestamp: Fri 2021-02-12 14:00:58 AEDT (4min 4s ago)
Command Line: nft -f -
Executable: /usr/sbin/nft
Control Group: /user.slice/user-0.slice/session-15.scope
Unit: session-15.scope
Slice: user-0.slice
Session: 15
Owner UID: 0 (root)
Boot ID: 9307dbd17f1e4dd99fda1b1eda36576e
Machine ID: d18f6dfeb20d4f4ca40a61f4553e9c27
Hostname: light
Storage:
/var/lib/systemd/coredump/core.nft.0.9307dbd17f1e4dd99fda1b1eda36576e.9427.1613098858000000.zst
Message: Process 9427 (nft) of user 0 dumped core.
Stack trace of thread 9427:
#0 0x00007fc038d1b85c n/a (libnftables.so.1 + 0x2485c)
#1 0x00007fc038d116d2 n/a (libnftables.so.1 + 0x1a6d2)
#2 0x00007fc038d13097 n/a (libnftables.so.1 + 0x1c097)
#3 0x00007fc038d13bf7 n/a (libnftables.so.1 + 0x1cbf7)
#4 0x00007fc038d451ef n/a (libnftables.so.1 + 0x4e1ef)
#5 0x00007fc038d45e18 nft_run_cmd_from_filename
(libnftables.so.1 + 0x4ee18)
#6 0x000055a94b6859f6 n/a (nft + 0x29f6)
#7 0x00007fc038b1fd0a __libc_start_main (libc.so.6 +
0x26d0a)
#8 0x000055a94b685a8a n/a (nft + 0x2a8a)</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>