[Bug 1222] New: nft list ruleset – infinite memory use
bugzilla-daemon at netfilter.org
bugzilla-daemon at netfilter.org
Thu Feb 1 13:41:54 CET 2018
https://bugzilla.netfilter.org/show_bug.cgi?id=1222
Bug ID: 1222
Summary: nft list ruleset – infinite memory use
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: grawity at gmail.com
When this specific rule is inserted, trying to view it using `nft list ruleset`
causes the nft client to start allocating infinite amounts of RAM:
---
table inet filter {
chain input {
ct original ip daddr {1.2.3.4} accept
}
}
---
(The {set} is important – a standalone address doesn't cause this issue.)
nft debug output ends with:
---
...
Evaluate list
list ruleset
^^^^^^^^^^^^^
inet filter input 2
[ ct load l3protocol => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ ct load dst => reg 1 , dir original ]
[ lookup reg 1 set __set0 0x0 ]
[ immediate reg 0 accept ]
<begins eating memory at this point>
---
nftables 0.8.1
libnftnl 1.0.9
linux 4.9.78, 4.13.13
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180201/7dbe4cc2/attachment.html>
More information about the netfilter-buglog
mailing list