[Bug 1206] New: segfault when snat map rule has been added

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Dec 25 19:27:21 CET 2017 

https://bugzilla.netfilter.org/show_bug.cgi?id=1206

            Bug ID: 1206
           Summary: segfault when snat map rule has been added
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Ubuntu
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: cho at solveit.dk

System information:
    System is running on quemu/KVM
    Ubuntu 16.04

    root at fwr01:~# uname -a
    Linux fwr01 4.10.0-42-generic #46~16.04.1-Ubuntu SMP Mon Dec 4 15:57:59 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux

    root at fwr01:~# nft -v
    nftables v0.5 (Support Edward Snowden)



What happens:
    The ruleset is able to load the first time, after that nft segfaults when
doing "nft -f /etc/nftables.conf"
    This only happens, when this line is in the ruleset "snat ip saddr map {
10.0.0.5 : 192.168.200.6, 10.0.0.0/24 : 192.168.200.7 }"
    If a ruleset with the above mentioned line has been loaded then calls after
that will segfault  ex. "nft -f /etc/nftables.conf"  or "nft list ruleset" will
segfault.

gdb backtrace:
    Starting program: /usr/sbin/nft -f /etc/nftables.conf
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [Inferior 1 (process 876) exited normally]
    (gdb) bt
    No stack.
    (gdb) r -f /etc/nftables.conf
    Starting program: /usr/sbin/nft -f /etc/nftables.conf
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7502c34 in __gmpz_sub () from
/usr/lib/x86_64-linux-gnu/libgmp.so.10
    (gdb) bt
    #0  0x00007ffff7502c34 in __gmpz_sub () from
/usr/lib/x86_64-linux-gnu/libgmp.so.10
    #1  0x000000000041a80e in ?? ()
    #2  0x000000000041500c in ?? ()
    #3  0x00000000004076fe in ?? ()
    #4  0x000000000040fb2a in ?? ()
    #5  0x0000000000427ba5 in ?? ()
    #6  0x000000000040652d in ?? ()
    #7  0x000000000040614f in ?? ()
    #8  0x00007ffff7137830 in __libc_start_main (main=0x405e60, argc=3,
argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe658)
        at ../csu/libc-start.c:291
    #9  0x0000000000406429 in ?? ()

Rulesets:

/etc/nftables.conf:
flush ruleset

include "/etc/nftables/setups/peter_client.nft"

table inet filter {
    chain default {
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        udp dport 53 accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # accept any localhost traffic
        iif lo accept

        # Run default setup
        jump default

        # activate the following line to accept common local services
        tcp dport { 22, 80, 443 } ct state new accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        jump default
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        jump default

        # Run forward chain from peter_client
        jump peter_client_forward
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
        jump peter_client_prerouting
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        jump peter_client_postrouting
    }
}

/etc/nftables/setups/peter_client.nft:
# Setup NIC
define peter_client_out_nic = ens8

# Define range(s)
define peter_client_int_range = 10.0.0.0/24

# Define machines
define peter_client_int_server01 = 10.0.0.5

# Define external addresses
define peter_client_ext_addr01 = 192.168.200.6
define peter_client_ext_addr02 = 192.168.200.7

table inet filter {
    chain peter_client_in {
        tcp dport http accept
        ip saddr 192.168.2.46 tcp dport ssh accept
    }

    chain peter_client_out {
        tcp dport {http, https} ct state new accept
    }

    chain peter_client_forward {
        ip saddr $peter_client_int_range jump peter_client_out
        ip daddr $peter_client_int_range jump peter_client_in
    }
}

table ip nat {
    chain peter_client_prerouting {
        dnat ip daddr map { $peter_client_ext_addr01 :
$peter_client_int_server01 } 
    }
    chain peter_client_postrouting {
        snat ip saddr map { 10.0.0.5 : 192.168.200.7, 10.0.0.0/24 :
192.168.200.6 }
    }
}

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20171225/a99e1b9e/attachment.html>

More information about the netfilter-buglog mailing list