Bug#863518: nftables: "workstation" example breaks alternate keyboard layout in gdm

2017-05-28 Thread Arturo Borrero Gonzalez
Control: severity -1 normal

On 28 May 2017 at 00:54, Harlan Lieberman-Berg wrote:
>
> Bizarrely, the quite simple "workstation" example causes the language picker
> in gdm3 to disappear and the default layout to switch back to qwerty.  As far
> as I can tell this doesn't happen on the next boot, but rather a couple of
> boots later.
>
> Disabling the nftables ruleset and rebooting fixes the problem completely.
>
> I'm not sure whether this is an nftables bug or a gdm bug, but I'm putting it
> here as similar iptables rules don't cause this behavior.
>

Hi,

I've been using this example ruleset for years now, with no issues.
The example ruleset isn't buggy. Generally, if a machine is
misbehaving after loading a firewall ruleset, it usually means that
the ruleset policy is wrong for your environment/configuration. This
is highly possible, and that's why the file is just an example: you
will probably need to tune the ruleset or the rest of the
configuration of your machine.

Regarding the 'uninterruptable sleep', the nft command line interface
tool (what the nftables package contains) is by no means intended to
interfere with the kernel's ability to send signals to other running
processes (i.e. to interrupt other processes). No code is included in this
package. How could a bug in the nftables CLI tool lead chrome to
hang?

So your problem is likely in another place. Probably the kernel. Did
you check 'dmesg' after the issue happens? Perhaps you are hitting an
oops related to the network stack. The strace you attached shows that
nftables hangs when trying to talk to the netlink subsystem.

A nfnetlink/nf_tables kernel bug is indeed more likely, but then this
bug belongs to the linux package.

To summarise, this is my opinion on the possibilities for this bug:
* configuration issue in your machine
* linux kernel bug

I'm lowering the severity right now because of this.



Bug#863518: nftables: "workstation" example breaks alternate keyboard layout in gdm

2017-05-27 Thread Harlan Lieberman-Berg
Package: nftables
Version: 0.7-1
Severity: important

Dear Maintainer,

Bizarrely, the quite simple "workstation" example causes the language picker in
gdm3 to disappear and the default layout to switch back to qwerty.  As far as I
can tell this doesn't happen on the next boot, but rather a couple of boots
later.

Disabling the nftables ruleset and rebooting fixes the problem completely.

I'm not sure whether this is an nftables bug or a gdm bug, but I'm putting it
here as similar iptables rules don't cause this behavior.



-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg                 1.18.24
ii  init-system-helpers  1.48
ii  libc6                2.24-10
ii  libgmp10             2:6.1.2+dfsg-1
ii  libmnl0              1.0.4-2
ii  libnftnl4            1.0.7-1
ii  libreadline7         7.0-3
ii  libxtables12         1.6.0+snapshot20161117-6

nftables recommends no packages.

nftables suggests no packages.

-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset
table inet filter {
	chain input {
		type filter hook input priority 0;
		# accept any localhost traffic
		iif lo accept
		# accept traffic originated from us
		ct state established,related accept
		# activate the following line to accept common local services
		#tcp dport { 22, 80, 443 } ct state new accept
		# accept neighbour discovery otherwise IPv6 connectivity breaks.
		ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
		# count and drop any other traffic
		counter drop
	}
}


-- no debconf information
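
Added example, not part of either message in this thread and not the package's own code: one way to see which traffic the final `counter drop` rule above is hitting before tuning the ruleset. It assumes the last rule is changed to log with a hypothetical prefix and that the resulting kernel log is read from `dmesg`; the log lines below are constructed, and the summary says nothing about the cause of the reported gdm behaviour.

```python
import re
from collections import Counter

# Assumed edit to the last rule of the input chain (prefix is hypothetical):
#     log prefix "nft-input-drop: " counter drop
PREFIX = "nft-input-drop: "

# Constructed kernel log lines in the KEY=value layout netfilter logging uses.
SAMPLE_LOG = """\
[   41.907] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   42.101] nft-input-drop: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:02:00:00:00:00:01:08:00 SRC=192.0.2.10 DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=53
[   43.310] nft-input-drop: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:02:00:00:00:00:02:08:00 SRC=192.0.2.11 DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=53
[   44.002] nft-input-drop: IN=eth0 OUT= MAC=02:00:00:00:00:09:02:00:00:00:00:01:08:00 SRC=192.0.2.20 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[   45.550] nft-input-drop: IN=eth0 OUT= MAC=33:33:00:00:00:01:02:00:00:00:00:01:86:dd SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=130 CODE=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def summarize_drops(log_text, prefix=PREFIX):
    """Count logged drops per (input interface, protocol, port or ICMP type)."""
    counts = Counter()
    for line in log_text.splitlines():
        _, found, rest = line.partition(prefix)
        if not found:
            continue  # kernel message not produced by the log rule
        fields = {}
        for key, value in FIELD.findall(rest):
            fields.setdefault(key, value)  # LEN appears twice for UDP; keep the first
        if "DPT" in fields:
            detail = "dport " + fields["DPT"]
        elif "TYPE" in fields:
            detail = "type " + fields["TYPE"]
        else:
            detail = "-"
        counts[(fields.get("IN", "?"), fields.get("PROTO", "?"), detail)] += 1
    return counts


if __name__ == "__main__":
    # Most frequently dropped traffic first: candidates for an explicit accept rule.
    for (iface, proto, detail), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {iface:6s} {proto:7s} {detail}")
```
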