<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - including list ruleset in a transaction leads to coredump"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1500">1500</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>including list ruleset in a transaction leads to coredump
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Debian GNU/Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>nft
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>arturo@netfilter.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Original bug report in the Debian bug tracker:
<a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982576">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982576</a>

NOTE: to easily test a nft firewall in isolation, create a dummy netns:

    sudo ip netns add test
    sudo ip netns exec test  nft --file test.nft

This minimal ruleset causes a core dump:

    #!/usr/sbin/nft --file
    # This is like "flush ruleset" except only flushes THIS ruleset, not ALL rulesets.
    # In particular, it leaves the dynamic sshguard/fail2ban deny lists untouched.
    add table A        # idempotent
    delete table A     # not idempotent
    table A {
        chain B {
            tcp dport {1,2}  accept
        }
    }
    list ruleset

Commenting out "list ruleset" prevents the core dump.
Having done so, a subsequent "nft list ruleset" works fine.

Putting "list ruleset" at the bottom of the ruleset routinely prints
wrong output (see below), but this is the first time I've seen it
disable the entire firewall!

On buster-backports (nftables 0.9.6-1~bpo10+1),
the same ruleset does NOT trigger a segfault.
Instead it prints this output:

    table ip A {
    }

And a subsequent call to "nft list ruleset" prints this output:

    table ip A {
            chain B {
                    tcp dport { 1, 2 } accept
            }
    }

The core dump looks like this (sorry, I don't have -dbg set up):

    cyber@light:~$ sudo coredumpctl  info 9427
               PID: 9427 (nft)
               UID: 0 (root)
               GID: 0 (root)
            Signal: 11 (SEGV)
         Timestamp: Fri 2021-02-12 14:00:58 AEDT (4min 4s ago)
      Command Line: nft -f -
        Executable: /usr/sbin/nft
     Control Group: /user.slice/user-0.slice/session-15.scope
              Unit: session-15.scope
             Slice: user-0.slice
           Session: 15
         Owner UID: 0 (root)
           Boot ID: 9307dbd17f1e4dd99fda1b1eda36576e
        Machine ID: d18f6dfeb20d4f4ca40a61f4553e9c27
          Hostname: light
           Storage: /var/lib/systemd/coredump/core.nft.0.9307dbd17f1e4dd99fda1b1eda36576e.9427.1613098858000000.zst
           Message: Process 9427 (nft) of user 0 dumped core.

                    Stack trace of thread 9427:
                    #0  0x00007fc038d1b85c n/a (libnftables.so.1 + 0x2485c)
                    #1  0x00007fc038d116d2 n/a (libnftables.so.1 + 0x1a6d2)
                    #2  0x00007fc038d13097 n/a (libnftables.so.1 + 0x1c097)
                    #3  0x00007fc038d13bf7 n/a (libnftables.so.1 + 0x1cbf7)
                    #4  0x00007fc038d451ef n/a (libnftables.so.1 + 0x4e1ef)
                    #5  0x00007fc038d45e18 nft_run_cmd_from_filename (libnftables.so.1 + 0x4ee18)
                    #6  0x000055a94b6859f6 n/a (nft + 0x29f6)
                    #7  0x00007fc038b1fd0a __libc_start_main (libc.so.6 + 0x26d0a)
                    #8  0x000055a94b685a8a n/a (nft + 0x2a8a)</pre>
        </div>
      </p>
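      <p>The workaround the reporter observed (drop <code>list ruleset</code> from the file, then run <code>nft list ruleset</code> separately) can be automated: the script below splits top-level <code>list</code> commands out of a ruleset before the rest goes to <code>nft -f -</code>. This is an added example, not nftables project code; it assumes one command per line, and <code>apply_and_list()</code> needs root or CAP_NET_ADMIN (for example inside the test netns described above).</p>

```python
"""Apply an nft ruleset as one transaction, then run its top-level `list`
commands separately. Added example; assumes one command per line."""
import subprocess

# Constructed sample: the reporter's minimal ruleset, without its comments.
SAMPLE = """#!/usr/sbin/nft --file
add table A        # idempotent
delete table A     # not idempotent
table A {
    chain B {
        tcp dport {1,2}  accept
    }
}
list ruleset
"""

def strip_comment(line: str) -> str:
    """Drop a trailing '#' comment, ignoring '#' inside a "quoted" string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            return line[:i]
    return line

def split_ruleset(text: str) -> tuple[str, list[str]]:
    """Split top-level 'list' commands (outside any {} block) out of a ruleset."""
    kept, listings, depth = [], [], 0
    for line in text.splitlines():
        code = strip_comment(line).strip()
        if depth == 0 and code.split()[:1] == ['list']:
            listings.append(code)
            continue
        kept.append(line)  # blank and comment-only lines stay in place
        depth += code.count('{') - code.count('}')
    return '\n'.join(kept) + '\n', listings

def apply_and_list(path: str, nft: str = 'nft') -> int:
    """Feed the transaction to `nft -f -`, then run each `list` command as its
    own nft invocation. Needs root or CAP_NET_ADMIN; returns listings run."""
    with open(path) as fh:
        transaction, listings = split_ruleset(fh.read())
    subprocess.run([nft, '-f', '-'], input=transaction, text=True, check=True)
    for cmd in listings:
        subprocess.run([nft, *cmd.split()], check=True)
    return len(listings)

if __name__ == '__main__':
    print(split_ruleset(SAMPLE))  # offline demo; apply_and_list(path) needs nft
```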
    </body>
</html>