[Bug 1282] New: SIGSEGV on loading tables
bugzilla-daemon at netfilter.org
bugzilla-daemon at netfilter.org
Tue Oct 16 23:47:45 CEST 2018
https://bugzilla.netfilter.org/show_bug.cgi?id=1282
Bug ID: 1282
Summary: SIGSEGV on loading tables
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: pawel.krawczyk at hush.com
Created attachment 549
--> https://bugzilla.netfilter.org/attachment.cgi?id=549&action=edit
strace with kernel response
The following configuration crashes nftables. When I run "nft -e -f main.conf",
nft crashes, apparently while processing the response from the kernel (strace
attached). When I run it without the -e option, it just fails silently.
#!/usr/sbin/nft -f
# Reproducer from the bug report: builds table "inet main", its named sets,
# their elements, and one base chain on the input hook with policy drop.
# The report states that loading this file with "nft -e -f" ends in SIGSEGV and
# that loading it without -e fails silently. Because a silent failure gives no
# sign of which ruleset is in force, check the result with "nft list ruleset"
# after any load instead of relying on the exit behaviour.
add table inet main
# Port sets (type inet_service). Only tcp_public and udp_trusted receive
# elements below; udp_public and tcp_trusted stay empty in this file.
add set inet main tcp_public { type inet_service; }
add set inet main udp_public { type inet_service; }
add set inet main udp_trusted { type inet_service; }
add set inet main tcp_trusted { type inet_service; }
# Address sets. blacklist and trusted6 carry "flags interval", so they can hold
# prefixes; ossec4, ossec6 and trusted4 hold single addresses only.
# blacklist, ossec4 and ossec6 receive no elements in this file.
# NOTE(review): presumably they are filled at runtime by other tooling - confirm.
add set inet main blacklist { type ipv4_addr; flags interval; }
add set inet main ossec4 { type ipv4_addr; }
add set inet main ossec6 { type ipv6_addr; }
add set inet main trusted6 { type ipv6_addr; flags interval; }
add set inet main trusted4 { type ipv4_addr; }
# Services reachable from any source (tcp_public) and from trusted sources only
# (udp_trusted).
add element inet main tcp_public { ssh }
add element inet main udp_trusted { ntp }
# trusted6 is an interval set and mixes prefixes (/64, /48) with single host
# addresses; each element is added by its own command.
# otto delegated_ipv6
add element inet main trusted6 { 2a01:4f8:13b:29a3::/64 }
# asus delegated_ipv6
add element inet main trusted6 { 2a02:390:79ef::/48 }
# worker delegated_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:6d6c::/64 }
# worker2 delegated_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:76dd::/64 }
# nadia ansible_default_ipv6
add element inet main trusted6 { 2607:fcd0:0:33:1234:1234:1201:f7 }
# tyler delegated_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:7d3::/64 }
# ubuntu ansible_default_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:45c1::1 }
# trusted4 has no interval flag; every element is a single IPv4 host address.
add element inet main trusted4 { 94.130.162.156 }
add element inet main trusted4 { 91.135.7.108 }
add element inet main trusted4 { 159.69.148.50 }
add element inet main trusted4 { 159.69.156.79 }
add element inet main trusted4 { 98.143.148.171 }
add element inet main trusted4 { 159.69.33.57 }
add element inet main trusted4 { 159.69.146.174 }
# Base chain on the input hook. With "policy drop", a packet that reaches the
# end of the chain without matching an accept rule is dropped.
chain inet main input {
type filter hook input priority 50; policy drop
# Loopback traffic is accepted before any other check.
iifname lo accept
# New connections from the ossec sets are counted, logged and dropped before
# the public accept rules are evaluated.
ip6 saddr @ossec6 ct state new counter log prefix "OSSEC6 " drop
ip saddr @ossec4 ct state new counter log prefix "OSSEC4 " drop
# The blacklist rule matches only new TCP connections to the ssh port.
# NOTE(review): this rule is split across two lines in the archived mail,
# presumably by line wrapping - rejoin it onto one line before replaying.
ip saddr @blacklist tcp dport ssh ct state new counter log prefix
"BLACKLIST " drop
# Public services: accepted from any source not dropped above.
tcp dport @tcp_public ct state new counter accept
udp dport @udp_public ct state new counter accept
# Return traffic for connections that are already tracked.
ct state established,related counter accept
# All ICMP and all ICMPv6 is accepted from any source, with no type filter and
# no rate limit; the ICMPv6 rule also has no counter.
ip protocol icmp counter accept
ip6 nexthdr ipv6-icmp accept
# Trusted sources: ESP plus the tcp_trusted and udp_trusted ports.
# The IPv4 ESP rule requires "ct state new"; the IPv6 ESP rule has no ct state
# match.
ip saddr @trusted4 ip protocol esp ct state new counter accept
ip saddr @trusted4 tcp dport @tcp_trusted ct state new counter accept
ip saddr @trusted4 udp dport @udp_trusted ct state new counter accept
ip6 saddr @trusted6 ip6 nexthdr esp counter accept
ip6 saddr @trusted6 tcp dport @tcp_trusted ct state new counter accept
ip6 saddr @trusted6 udp dport @udp_trusted ct state new counter accept
}