Re: iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)
On Tue, Apr 26, 2016 at 3:58 PM, Lev Stipakov wrote:
> Yep, it works fine on Debian 8:
>
> lev@debi:~$ uname -a
> Linux debi 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17)
> x86_64 GNU/Linux

I would suggest bringing this up with the Debian kernel packagers/maintainers, or doing a git-bisect of the Debian kernel if you are comfortable with that sort of thing.

> On 26.04.2016 21:54, Paul Moore wrote:
>>>
>>> I cannot reproduce it on (one of) previous kernel version:
>>>
>>> lev@debi7:~$ uname -a
>>> Linux debi7 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2 x86_64
>>> GNU/Linux
>>>
>>> lev@debi7:~$ dpkg -l | grep iptables
>>> ii iptables 1.4.14-3.1
>>> ii iptables-persistent 0.5.7+deb7u1
>>
>> Unfortunately I don't have a Debian system available to test, but have
>> you tried reproducing this on a more modern kernel?

--
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)
Yep, it works fine on Debian 8:

lev@debi:~$ uname -a
Linux debi 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux

On 26.04.2016 21:54, Paul Moore wrote:
>> I cannot reproduce it on (one of) previous kernel version:
>>
>> lev@debi7:~$ uname -a
>> Linux debi7 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2 x86_64 GNU/Linux
>>
>> lev@debi7:~$ dpkg -l | grep iptables
>> ii iptables 1.4.14-3.1
>> ii iptables-persistent 0.5.7+deb7u1
>
> Unfortunately I don't have a Debian system available to test, but have
> you tried reproducing this on a more modern kernel?
Re: iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)
Kernel crash dump:

[ 217.819774] piix4_smbus :00:07.0: SMBus base address uninitialized - upgrade BIOS or use force_addr=0xaddr
[ 218.173782] Error: Driver 'pcspkr' is already registered, aborting...
[ 229.433697] BUG: unable to handle kernel paging request at 88021a2fc80b
[ 229.524189] IP: [] audit_tg+0xb9/0x15b [xt_AUDIT]
[ 229.713702] PGD 1606063 PUD 0
[ 229.714117] Oops: [#1] SMP
[ 229.714479] CPU 0
[ 229.714652] Modules linked in: xt_AUDIT parport_pc ppdev lp parport bnep bluetooth rfkill ip6table_filter ip6_tables iptable_filter ip_tables x_tables uinput nfsd nfs nfs_acl auth_rpcgss fscache lockd sunrpc loop crc32c_intel aesni_intel battery ac power_supply pcspkr processor video aes_x86_64 thermal_sys psmouse joydev evdev serio_raw button aes_generic cryptd snd_intel8x0 snd_ac97_codec snd_pcm snd_page_alloc snd_timer snd soundcore vboxguest(O) i2c_piix4 i2c_core ac97_bus ext4 crc16 jbd2 mbcache usbhid hid sg sr_mod sd_mod crc_t10dif cdrom ata_generic ata_piix ohci_hcd ehci_hcd ahci libahci libata usbcore usb_common e1000 scsi_mod [last unloaded: scsi_wait_scan]
[ 230.154897]
[ 230.223490] Pid: 0, comm: swapper/0 Tainted: G O 3.2.0-4-amd64 #1 Debian 3.2.78-1 innotek GmbH VirtualBox/VirtualBox
[ 230.594007] RIP: 0010:[] [] audit_tg+0xb9/0x15b [xt_AUDIT]
[ 230.963683] RSP: 0018:88011fc03be0 EFLAGS: 00010286
[ 231.053744] RAX: RBX: 880119f8aac0 RCX: 88021a2fc7ff
[ 231.433840] RDX: 005c RSI: a03e412f RDI: 88011a8beac0
[ 231.603982] RBP: 88011fc03ce0 R08: 880119e15000 R09: fff8
[ 231.724164] R10: 0078 R11: R12: 88011a8beac0
[ 231.725226] R13: 8801181cb658 R14: 880119f8aac0 R15: 8801181cb638
[ 231.744298] FS: () GS:88011fc0() knlGS:
[ 231.745494] CS: 0010 DS: ES: CR0: 8005003b
[ 231.754042] CR2: 88021a2fc80b CR3: 000119e58000 CR4: 000406f0
[ 231.755131] DR0: DR1: DR2:
[ 231.763888] DR3: DR6: 0ff0 DR7: 0400
[ 231.764930] Process swapper/0 (pid: 0, threadinfo 8160, task 8160d020)
[ 231.766108] Stack:
[ 231.772178] 880117e3e000 009d0001 8801181cb5c8
[ 231.794053] 880119e1a540 88011fc1a88c 88011a2fc810 a035b0f4
[ 231.804858] 0046 880117e3e000 880118f17e80 8160d020
[ 231.805980] Call Trace:
[ 231.814086]
[ 231.814508] [] ? ipt_do_table+0x4d7/0x556 [ip_tables]
[ 231.815478] [] ? xfrm_lookup+0x3a1/0x43a
[ 231.816293] [] ? virt_to_cache+0x7/0x23
[ 231.854059] [] ? nf_iterate+0x41/0x77
[ 231.864550] [] ? __skb_dequeue+0x31/0x31
[ 231.865372] [] ? nf_hook_slow+0x68/0x101
[ 231.866184] [] ? __skb_dequeue+0x31/0x31
[ 231.880501] [] ? nf_hook_thresh.constprop.31+0x39/0x3e
[ 231.881538] [] ? __ip_local_out+0x1f/0x3d
[ 231.882373] [] ? ip_local_out+0x9/0x19
[ 231.883171] [] ? igmp_ifc_timer_expire+0x1b2/0x1df
[ 231.884114] [] ? run_timer_softirq+0x19a/0x261
[ 231.885010] [] ? add_grec+0x364/0x364
[ 231.885799] [] ? kvm_clock_read+0x17/0x1a
[ 231.894392] [] ? __do_softirq+0xd7/0x1af
[ 231.895271] [] ? clockevents_program_event+0xaa/0xce
[ 231.896236] [] ? call_softirq+0x1c/0x30
[ 231.897055] [] ? do_softirq+0x3c/0x7b
[ 231.897857] [] ? irq_exit+0x3c/0x99
[ 231.904278] [] ? smp_apic_timer_interrupt+0x74/0x82
[ 231.905270] [] ? apic_timer_interrupt+0x6e/0x80
[ 231.906178]
[ 231.906543] [] ? mwait_idle+0x7f/0xac
[ 232.125169] [] ? mwait_idle+0x72/0xac
[ 232.284049] [] ? cpu_idle+0xaf/0xf2
[ 232.284927] [] ? start_kernel+0x3bd/0x3c8
[ 232.285814] [] ? early_idt_handlers+0x140/0x140
[ 232.286728] [] ? x86_64_start_kernel+0x104/0x111
[ 232.287645] Code: 8b 43 20 48 85 c0 74 78 66 83 b8 c4 01 00 00 01 75 6e 8b 8b c8 00 00 00 31 c0 48 c7 c6 2f 41 3e a0 48 03 8b d8 00 00 00 4c 89 e7 <66> 44 8b 41 0c 48 8d 51 06 66 41 c1 c0 08 45 0f b7 c0 e8 cd 5e
[ 232.505392] RIP [] audit_tg+0xb9/0x15b [xt_AUDIT]
[ 232.506338] RSP
[ 232.524441] CR2: 88021a2fc80b
[ 232.534296] ---[ end trace 3c9efffc5c9e0cae ]---
[ 232.535051] Kernel panic - not syncing: Fatal exception in interrupt
[ 232.535973] Pid: 0, comm: swapper/0 Tainted: G DO 3.2.0-4-amd64 #1 Debian 3.2.78-1
[ 232.537158] Call Trace:
[ 232.537543][] ? panic+0x95/0x1a2
[ 232.538388] [] ? _raw_spin_unlock_irqrestore+0xe/0xf
[ 232.539358] [] ? oops_end+0xa9/0xb6
[ 232.540123] [] ? no_context+0x1ff/0x20e
[ 232.540968] [] ? pud_offset+0x16/0x35
[ 232.564725] [] ? do_page_fault+0x1b6/0x345
[ 2232.604314] [] ? audit_log_vformat+0xcb/0xda
[ 232.914225] [] ? vsnprintf+0x3ee/0x427
[ 233.014428] [] ? audit_log_format+0x43/0x48
[ 233.164204] [] ? page_fault+0x25/0x30
[ 233.374338] [] ? audit_tg+0xb9/0x15b
iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)
Hello,

I see kernel panic with iptables-persistent package installed and one iptables rule with AUDIT target.

root@debian7:~# uname -a
Linux debian7 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux

root@debian7:~# dpkg -l | grep iptables
ii iptables 1.4.14-3.1
ii iptables-persistent 0.5.7+deb7u1

Steps to reproduce:

1) Install Debian 7 and iptables-persistent (see versions above)

2) Add iptables rule (must be OUTPUT chain):
root@debian7:~# iptables -I OUTPUT -j AUDIT --type ACCEPT

3) Save rule:
root@debian7:~# iptables-save > /etc/iptables/rules.v4

4) Reboot

5) Kernel panic (screenshot):
https://www.dropbox.com/s/db40e5kc10e4ddg/kernel_panic2.png?dl=0

I cannot reproduce it on (one of) previous kernel version:

lev@debi7:~$ uname -a
Linux debi7 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2 x86_64 GNU/Linux

lev@debi7:~$ dpkg -l | grep iptables
ii iptables 1.4.14-3.1
ii iptables-persistent 0.5.7+deb7u1

-Lev
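A pre-reboot check for the condition in this report, added here as an example and not part of the original thread: it lists AUDIT-target rules in an iptables-save file and tests whether a kernel version string names the Debian 3.2.78-1 build the report saw the panic on. The function names and the sample rule set are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find AUDIT-target rules in a saved
# rule set, such as /etc/iptables/rules.v4, before the next reboot loads it.

# find_audit_rules FILE -> prints "table chain line-number" per AUDIT rule.
find_audit_rules() {
    awk '
        /^\*/ { table = substr($1, 2); next }   # "*filter" opens a table
        /^-A / {                                # "-A CHAIN ..." is a rule
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "--jump") && $(i + 1) == "AUDIT")
                    print table, $2, NR
        }
    ' "$1"
}

# reported_kernel STRING -> succeeds if STRING (uname -a output) names the
# Debian kernel build from the report, 3.2.78-1.
reported_kernel() {
    case "$1" in
        *"Debian 3.2.78-1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample in iptables-save format with the rule from the report.
sample_rules() {
    cat <<'EOF'
# constructed sample
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -j AUDIT --type accept
COMMIT
EOF
}

# Usage: sh check_audit.sh /etc/iptables/rules.v4
if [ -n "${1:-}" ]; then
    hits=$(find_audit_rules "$1")
    if [ -n "$hits" ]; then
        echo "AUDIT rules (table chain line):"
        echo "$hits"
        if reported_kernel "$(uname -a)"; then
            echo "running kernel matches the build named in the report"
        fi
    fi
fi
```
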