Re: iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)

2016-04-26 Thread Paul Moore
On Tue, Apr 26, 2016 at 3:58 PM, Lev Stipakov  wrote:
> Yep, it works fine on Debian 8:
>
> lev@debi:~$ uname -a
> Linux debi 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17)
> x86_64 GNU/Linux

I would suggest bringing this up with the Debian kernel
packagers/maintainers, or doing a git-bisect of the Debian kernel if
you are comfortable with that sort of thing.

> On 26.04.2016 21:54, Paul Moore wrote:
>>>
>>>
>>> I cannot reproduce it on (one of the) previous kernel versions:
>>>
>>>lev@debi7:~$ uname -a
>>>Linux debi7 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2 x86_64
>>> GNU/Linux
>>>
>>>lev@debi7:~$ dpkg -l | grep iptables
>>>ii  iptables   1.4.14-3.1
>>>ii  iptables-persistent0.5.7+deb7u1
>>
>> Unfortunately I don't have a Debian system available to test, but have
>> you tried reproducing this on a more modern kernel?

-- 
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)

2016-04-26 Thread Lev Stipakov

Yep, it works fine on Debian 8:

lev@debi:~$ uname -a
Linux debi 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux

On 26.04.2016 21:54, Paul Moore wrote:
>> I cannot reproduce it on (one of the) previous kernel versions:
>>
>>   lev@debi7:~$ uname -a
>>   Linux debi7 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2 x86_64 GNU/Linux
>>
>>   lev@debi7:~$ dpkg -l | grep iptables
>>   ii  iptables             1.4.14-3.1
>>   ii  iptables-persistent  0.5.7+deb7u1
>
> Unfortunately I don't have a Debian system available to test, but have
> you tried reproducing this on a more modern kernel?



Re: iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)

2016-04-26 Thread Lev Stipakov

Kernel crash dump:

[  217.819774] piix4_smbus :00:07.0: SMBus base address uninitialized - upgrade BIOS or use force_addr=0xaddr
[  218.173782] Error: Driver 'pcspkr' is already registered, aborting...
[  229.433697] BUG: unable to handle kernel paging request at 88021a2fc80b
[  229.524189] IP: [] audit_tg+0xb9/0x15b [xt_AUDIT]
[  229.713702] PGD 1606063 PUD 0
[  229.714117] Oops:  [#1] SMP
[  229.714479] CPU 0
[  229.714652] Modules linked in: xt_AUDIT parport_pc ppdev lp parport bnep bluetooth rfkill ip6table_filter ip6_tables iptable_filter ip_tables x_tables uinput nfsd nfs nfs_acl auth_rpcgss fscache lockd sunrpc loop crc32c_intel aesni_intel battery ac power_supply pcspkr processor video aes_x86_64 thermal_sys psmouse joydev evdev serio_raw button aes_generic cryptd snd_intel8x0 snd_ac97_codec snd_pcm snd_page_alloc snd_timer snd soundcore vboxguest(O) i2c_piix4 i2c_core ac97_bus ext4 crc16 jbd2 mbcache usbhid hid sg sr_mod sd_mod crc_t10dif cdrom ata_generic ata_piix ohci_hcd ehci_hcd ahci libahci libata usbcore usb_common e1000 scsi_mod [last unloaded: scsi_wait_scan]
[  230.154897]
[  230.223490] Pid: 0, comm: swapper/0 Tainted: G   O 3.2.0-4-amd64 #1 Debian 3.2.78-1 innotek GmbH VirtualBox/VirtualBox
[  230.594007] RIP: 0010:[]  [] audit_tg+0xb9/0x15b [xt_AUDIT]
[  230.963683] RSP: 0018:88011fc03be0  EFLAGS: 00010286
[  231.053744] RAX:  RBX: 880119f8aac0 RCX: 88021a2fc7ff
[  231.433840] RDX: 005c RSI: a03e412f RDI: 88011a8beac0
[  231.603982] RBP: 88011fc03ce0 R08: 880119e15000 R09: fff8
[  231.724164] R10: 0078 R11:  R12: 88011a8beac0
[  231.725226] R13: 8801181cb658 R14: 880119f8aac0 R15: 8801181cb638
[  231.744298] FS:  () GS:88011fc0() knlGS:
[  231.745494] CS:  0010 DS:  ES:  CR0: 8005003b
[  231.754042] CR2: 88021a2fc80b CR3: 000119e58000 CR4: 000406f0
[  231.755131] DR0:  DR1:  DR2: 
[  231.763888] DR3:  DR6: 0ff0 DR7: 0400
[  231.764930] Process swapper/0 (pid: 0, threadinfo 8160, task 8160d020)
[  231.766108] Stack:
[  231.772178]  880117e3e000  009d0001 8801181cb5c8
[  231.794053]  880119e1a540 88011fc1a88c 88011a2fc810 a035b0f4
[  231.804858]  0046 880117e3e000 880118f17e80 8160d020
[  231.805980] Call Trace:
[  231.814086]  
[  231.814508]  [] ? ipt_do_table+0x4d7/0x556 [ip_tables]
[  231.815478]  [] ? xfrm_lookup+0x3a1/0x43a
[  231.816293]  [] ? virt_to_cache+0x7/0x23
[  231.854059]  [] ? nf_iterate+0x41/0x77
[  231.864550]  [] ? __skb_dequeue+0x31/0x31
[  231.865372]  [] ? nf_hook_slow+0x68/0x101
[  231.866184]  [] ? __skb_dequeue+0x31/0x31
[  231.880501]  [] ? nf_hook_thresh.constprop.31+0x39/0x3e
[  231.881538]  [] ? __ip_local_out+0x1f/0x3d
[  231.882373]  [] ? ip_local_out+0x9/0x19
[  231.883171]  [] ? igmp_ifc_timer_expire+0x1b2/0x1df
[  231.884114]  [] ? run_timer_softirq+0x19a/0x261
[  231.885010]  [] ? add_grec+0x364/0x364
[  231.885799]  [] ? kvm_clock_read+0x17/0x1a
[  231.894392]  [] ? __do_softirq+0xd7/0x1af
[  231.895271]  [] ? clockevents_program_event+0xaa/0xce
[  231.896236]  [] ? call_softirq+0x1c/0x30
[  231.897055]  [] ? do_softirq+0x3c/0x7b
[  231.897857]  [] ? irq_exit+0x3c/0x99
[  231.904278]  [] ? smp_apic_timer_interrupt+0x74/0x82
[  231.905270]  [] ? apic_timer_interrupt+0x6e/0x80
[  231.906178]  
[  231.906543]  [] ? mwait_idle+0x7f/0xac
[  232.125169]  [] ? mwait_idle+0x72/0xac
[  232.284049]  [] ? cpu_idle+0xaf/0xf2
[  232.284927]  [] ? start_kernel+0x3bd/0x3c8
[  232.285814]  [] ? early_idt_handlers+0x140/0x140
[  232.286728]  [] ? x86_64_start_kernel+0x104/0x111
[  232.287645] Code: 8b 43 20 48 85 c0 74 78 66 83 b8 c4 01 00 00 01 75 6e 8b 8b c8 00 00 00 31 c0 48 c7 c6 2f 41 3e a0 48 03 8b d8 00 00 00 4c 89 e7 <66> 44 8b 41 0c 48 8d 51 06 66 41 c1 c0 08 45 0f b7 c0 e8 cd 5e
[  232.505392] RIP  [] audit_tg+0xb9/0x15b [xt_AUDIT]
[  232.506338]  RSP 
[  232.524441] CR2: 88021a2fc80b
[  232.534296] ---[ end trace 3c9efffc5c9e0cae ]---
[  232.535051] Kernel panic - not syncing: Fatal exception in interrupt
[  232.535973] Pid: 0, comm: swapper/0 Tainted: G  DO 3.2.0-4-amd64 #1 Debian 3.2.78-1
[  232.537158] Call Trace:
[  232.537543][] ? panic+0x95/0x1a2
[  232.538388]  [] ? _raw_spin_unlock_irqrestore+0xe/0xf
[  232.539358]  [] ? oops_end+0xa9/0xb6
[  232.540123]  [] ? no_context+0x1ff/0x20e
[  232.540968]  [] ? pud_offset+0x16/0x35
[  232.564725]  [] ? do_page_fault+0x1b6/0x345
[ 2232.604314]  [] ? audit_log_vformat+0xcb/0xda
[  232.914225]  [] ? vsnprintf+0x3ee/0x427
[  233.014428]  [] ? audit_log_format+0x43/0x48
[  233.164204]  [] ? page_fault+0x25/0x30
[  233.374338]  [] ? audit_tg+0xb9/0x15b 
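Added triage helper, not code from this thread or from any netfilter project: it parses the oops above into the fields a reviewer asks for first (faulting symbol and module, taint flags, the call chain) and reports whether the target was reached from softirq context and from which timer callback. It assumes the x86 oops frame format `symbol+0xoff/0xlen [module]`; the sample input is a constructed subset of the lines posted above.

```python
import re

# Constructed sample: lines copied from the oops posted in this thread
# (the list archive stripped the hex addresses, hence the empty "[]").
SAMPLE_OOPS = """\
[  229.524189] IP: [] audit_tg+0xb9/0x15b [xt_AUDIT]
[  229.714652] Modules linked in: xt_AUDIT iptable_filter ip_tables x_tables
[  230.223490] Pid: 0, comm: swapper/0 Tainted: G   O 3.2.0-4-amd64 #1 Debian 3.2.78-1
[  231.805980] Call Trace:
[  231.814508]  [] ? ipt_do_table+0x4d7/0x556 [ip_tables]
[  231.865372]  [] ? nf_hook_slow+0x68/0x101
[  231.883171]  [] ? igmp_ifc_timer_expire+0x1b2/0x1df
[  231.884114]  [] ? run_timer_softirq+0x19a/0x261
[  231.894392]  [] ? __do_softirq+0xd7/0x1af
"""

FRAME_RE = re.compile(r"(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")  # sym+off/len [mod]
SOFTIRQ_ENTRY = {"__do_softirq", "run_timer_softirq", "net_rx_action", "net_tx_action"}

def parse_oops(text):
    """Pull the triage-relevant fields out of an x86 oops/panic dump."""
    info = {"rip": None, "modules": [], "tainted": set(), "trace": []}
    in_trace = False
    for line in text.splitlines():
        msg = re.sub(r"^\[\s*[\d.]+\]\s*", "", line)  # strip the "[ sec.usec] " prefix
        frame = FRAME_RE.search(msg)
        if msg.startswith("IP:") and frame:             # the faulting instruction
            info["rip"] = (frame.group(1), frame.group(2))
        elif msg.startswith("Modules linked in:"):
            info["modules"] = msg.split(":", 1)[1].split()
        elif "Tainted:" in msg:                         # e.g. "G   O": GPL + out-of-tree module
            m = re.search(r"Tainted:\s*([A-Z ]+?)\s+\d", msg)
            info["tainted"] = set(m.group(1).split()) if m else set()
        elif msg.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and frame:
            info["trace"].append((frame.group(1), frame.group(2)))
    return info

def triage(info):
    """Name the faulting netfilter target and the context it was invoked from."""
    sym, mod = info["rip"]
    names = [s for s, _ in info["trace"]]
    entry = next((i for i, s in enumerate(names) if s in SOFTIRQ_ENTRY), None)
    return {"faulting_target": f"{sym} [{mod}]",
            "target_module_loaded": mod in info["modules"],
            "context": "softirq" if entry is not None else "process",
            # frame directly above the softirq entry: the timer callback whose packet hit OUTPUT
            "callback": names[entry - 1] if entry else None}
```

On the dump above this reports audit_tg [xt_AUDIT] reached in softirq context from igmp_ifc_timer_expire, which is the detail to put in front of the kernel packagers.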

iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)

2016-04-26 Thread Lev Stipakov
Hello,

I see a kernel panic with the iptables-persistent package installed and one
iptables rule with the AUDIT target.

  root@debian7:~# uname -a
  Linux debian7 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux

  root@debian7:~# dpkg -l | grep iptables
  ii  iptables             1.4.14-3.1
  ii  iptables-persistent  0.5.7+deb7u1

Steps to reproduce:

1) Install Debian 7 and iptables-persistent (see versions above)
2) Add an iptables rule (must be in the OUTPUT chain):

  root@debian7:~# iptables -I OUTPUT -j AUDIT --type ACCEPT

3) Save rule:

  root@debian7:~# iptables-save > /etc/iptables/rules.v4

4) Reboot

5) Kernel panic (screenshot):
https://www.dropbox.com/s/db40e5kc10e4ddg/kernel_panic2.png?dl=0

I cannot reproduce it on (one of the) previous kernel versions:

  lev@debi7:~$ uname -a
  Linux debi7 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2 x86_64 GNU/Linux

  lev@debi7:~$ dpkg -l | grep iptables
  ii  iptables             1.4.14-3.1
  ii  iptables-persistent  0.5.7+deb7u1

-Lev
