Bug#929527: [pkg-netfilter-team] Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so

2019-05-29 Thread Thomas Lamprecht
On 5/28/19 11:26 AM, Arturo Borrero Gonzalez wrote:
> On 5/27/19 12:29 PM, Arturo Borrero Gonzalez wrote:
>> On 5/25/19 6:49 PM, Thomas Lamprecht wrote:
>>> Package: iptables
>>> Version: 1.8.2-4
>>> Severity: grave
>>> File: /usr/sbin/xtables-nft-multi
>>> Justification: renders package unusable by segfaulting on usage
>>>
>>> Reproducer:
>>> # cat simple-segv-table
>>> *filter
>>> :NEW-OUTPUT - [0:0]
>>> -A OUTPUT -j NEW-OUTPUT
>>> -F NEW-OUTPUT
>>> -A NEW-OUTPUT -j ACCEPT
>>> COMMIT
>>>
>>> # iptables ./simple-segv-table
>>> Segmentation fault
>>>
>>> # dmesg | tail -1
>>> [12860.813350] traps: iptables-restor[19173] general protection 
>>> ip:7f4894682793 sp:7ffcedc177d0 error:0 in 
>>> libnftnl.so.11.0.0[7f4894677000+17000]
>>>
>>> # addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0  -fCi $(printf 
>>> "%x" $[0x7f2cb9882793 - 0x7f2cb9877000])
>>> nftnl_batch_is_supported
>>> ??:?
>>>
>>
>> I can reproduce this.
>>
>> I'm already looking for a fix.
>>
> 
> This should be fixed in iptables 1.8.3, which just got released.
> 

Yes, I can confirm, it works again with iptables 1.8.3-1~exp1 and
libnftnl 1.1.3-1~exp1.

Much thanks for the quick response!
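Crash-triage helper for a report like the one in this thread, added here as an example (not code from the thread, Debian or the iptables/libnftnl projects): it parses the kernel `traps:` line quoted above into the file offset that `addr2line` wants (the `ip - base` subtraction the reporter did by hand) and checks whether a Debian iptables version predates the 1.8.3 release named as carrying the fix. The library directory defaults to the path used in the report's own `addr2line` command; the sample line is copied from the report.

```python
import re

# Sample input copied from the bug report above (one line in dmesg).
DMESG_LINE = ("[12860.813350] traps: iptables-restor[19173] general protection "
              "ip:7f4894682793 sp:7ffcedc177d0 error:0 in "
              "libnftnl.so.11.0.0[7f4894677000+17000]")

# Shape of the kernel's "traps:" message: comm[pid] kind ip:.. sp:.. error:.. in obj[base+size]
TRAP_RE = re.compile(
    r"traps: (?P<comm>\S+)\[(?P<pid>\d+)\] (?P<kind>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:[0-9a-f]+ error:(?P<err>\d+) in "
    r"(?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")


def fault_offset(line):
    """Return (object, offset) for a traps line, or None if it does not match.

    The offset is ip minus the mapping base, i.e. the value the reporter
    computed with $[ip - base]. An ip outside the [base, base+size) mapping
    is rejected: the fault would then not be inside that object at all.
    """
    m = TRAP_RE.search(line)
    if not m:
        return None
    ip, base, size = (int(m.group(k), 16) for k in ("ip", "base", "size"))
    if not base <= ip < base + size:
        return None
    return m.group("obj"), ip - base


def addr2line_cmd(line, libdir="/usr/lib/x86_64-linux-gnu"):
    """Build the addr2line invocation for a matching traps line (libdir assumed)."""
    parsed = fault_offset(line)
    if parsed is None:
        return None
    obj, off = parsed
    return f"addr2line -e {libdir}/{obj} -fCi {off:#x}"


def upstream_version(debian_version):
    """Strip epoch and Debian revision: '1:1.8.3-1~exp1' -> (1, 8, 3)."""
    v = debian_version.split(":", 1)[-1].split("-", 1)[0]
    return tuple(int(x) for x in v.split("."))


def predates_fix(debian_version, fixed=(1, 8, 3)):
    """True if this iptables build is older than the release said to carry the fix."""
    return upstream_version(debian_version) < fixed


if __name__ == "__main__":
    print(addr2line_cmd(DMESG_LINE))
    for v in ("1.8.2-4", "1.8.3-1~exp1"):
        print(v, "affected" if predates_fix(v) else "fixed")
```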



Bug#929527: [pkg-netfilter-team] Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so

2019-05-28 Thread Arturo Borrero Gonzalez



On 5/27/19 12:29 PM, Arturo Borrero Gonzalez wrote:
> On 5/25/19 6:49 PM, Thomas Lamprecht wrote:
>> Package: iptables
>> Version: 1.8.2-4
>> Severity: grave
>> File: /usr/sbin/xtables-nft-multi
>> Justification: renders package unusable by segfaulting on usage
>>
>> Reproducer:
>> # cat simple-segv-table
>> *filter
>> :NEW-OUTPUT - [0:0]
>> -A OUTPUT -j NEW-OUTPUT
>> -F NEW-OUTPUT
>> -A NEW-OUTPUT -j ACCEPT
>> COMMIT
>>
>> # iptables ./simple-segv-table
>> Segmentation fault
>>
>> # dmesg | tail -1
>> [12860.813350] traps: iptables-restor[19173] general protection 
>> ip:7f4894682793 sp:7ffcedc177d0 error:0 in 
>> libnftnl.so.11.0.0[7f4894677000+17000]
>>
>> # addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0  -fCi $(printf 
>> "%x" $[0x7f2cb9882793 - 0x7f2cb9877000])
>> nftnl_batch_is_supported
>> ??:?
>>
> 
> I can reproduce this.
> 
> I'm already looking for a fix.
> 

This should be fixed in iptables 1.8.3, which just got released.



Bug#929527: [pkg-netfilter-team] Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so

2019-05-27 Thread Arturo Borrero Gonzalez
On 5/25/19 6:49 PM, Thomas Lamprecht wrote:
> Package: iptables
> Version: 1.8.2-4
> Severity: grave
> File: /usr/sbin/xtables-nft-multi
> Justification: renders package unusable by segfaulting on usage
> 
> Reproducer:
> # cat simple-segv-table
> *filter
> :NEW-OUTPUT - [0:0]
> -A OUTPUT -j NEW-OUTPUT
> -F NEW-OUTPUT
> -A NEW-OUTPUT -j ACCEPT
> COMMIT
> 
> # iptables ./simple-segv-table
> Segmentation fault
> 
> # dmesg | tail -1
> [12860.813350] traps: iptables-restor[19173] general protection 
> ip:7f4894682793 sp:7ffcedc177d0 error:0 in 
> libnftnl.so.11.0.0[7f4894677000+17000]
> 
> # addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0  -fCi $(printf 
> "%x" $[0x7f2cb9882793 - 0x7f2cb9877000])
> nftnl_batch_is_supported
> ??:?
> 

I can reproduce this.

I'm already looking for a fix.