Public bug reported:

[ Impact ]

 * When one uses newer & older nftables on the same host (for example from new and old containers), the old nftables can start crashing with segfaults.

 * This is very pronounced when deploying kubernetes and, for example, deploying istio or calico with containers that have newer nftables (newer than 1.1.1) while older nftables (on the host or in another container) are subsequently used.

https://git.netfilter.org/nftables/commit/?id=be737a1986bfee0ddea4bee7863dca0123a2bcbc

Whenever a new version adds udata support to an expression, then old versions of nft will crash when trying to list such a ruleset generated by a more recent version of nftables.

Fix this by falling back to 'type' format.

Fixes: 6e48df5329ea ('src: add "typeof" build/parse/print support')
Signed-off-by: Florian Westphal <[email protected]>
Reviewed-by: Pablo Neira Ayuso <[email protected]>

Also see:
 - https://github.com/istio/istio/issues/58492

[ Test Plan ]

 * Deploy istio with the latest nftables, such as 1.1.6 from devel or any other distro, on an older Ubuntu release such as Noble or Jammy. Any preferred method works; for example helm charts, see https://github.com/istio/istio/issues/58492.

 * Alternatively, using up-to-date nftables in a chroot or container from Ubuntu Questing or Resolute should also do the trick.

 * Then on the host execute

   $ nft add table inet test-table
   $ nft add set inet test-table test-set "{ type ipv4_addr ; }"
   $ nft delete table inet test-table
   Segmentation fault (core dumped)

   and ensure that nft no longer segfaults.

[ Where problems could occur ]

 * This is a backport of the upstream fix, to ensure older nftables are forward compatible with newer nftables.
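An added example, not part of the bug report or of nftables itself: a small POSIX shell probe that runs the three-step reproducer from the test plan against a given nft binary and reports whether it finished cleanly, died with SIGSEGV, or failed some other way. It assumes the nft binary path is passed as the first argument (a real nft needs CAP_NET_ADMIN); the table and set names are constructed throwaways.

```shell
#!/bin/sh
# Added example, not part of the bug report or of nftables itself.
# nft_probe NFT_BINARY: run the reproducer from the test plan with the
# given nft binary and print one of: ok, segfault, error.
# Against a real nft this needs CAP_NET_ADMIN; the binary is a parameter
# so a stub can stand in for it. Table/set names are constructed here.
nft_probe() {
    nft_bin="$1"
    table="compat-probe-$$"
    rc=0

    # Same three steps as the test plan. The crash, when it happens, is
    # in the delete step, where the older nft has to parse the ruleset
    # already present on the host (including sets carrying udata).
    # If that step crashes, the probe table is left behind, as in the report.
    "$nft_bin" add table inet "$table" || rc=$?
    if [ "$rc" -eq 0 ]; then
        "$nft_bin" add set inet "$table" probe-set "{ type ipv4_addr ; }" || rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        "$nft_bin" delete table inet "$table" || rc=$?
    fi

    # A shell reports a child killed by a signal as 128+signo;
    # SIGSEGV is 11, so 139 is the "Segmentation fault" from the report.
    case "$rc" in
        0)   echo ok ;;
        139) echo segfault ;;
        *)   echo error ;;
    esac
}

# Usage: sh nft-probe.sh /usr/sbin/nft   (the script name is an assumption)
if [ "$#" -gt 0 ]; then
    nft_probe "$1"
fi
```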
[ Other Info ]

 * Istio & calico deployments are affected

** Affects: nftables (Ubuntu)  Importance: Undecided  Status: Fix Released
** Affects: nftables (Ubuntu Trusty)  Importance: Undecided  Status: New
** Affects: nftables (Ubuntu Xenial)  Importance: Undecided  Status: New
** Affects: nftables (Ubuntu Bionic)  Importance: Undecided  Status: New
** Affects: nftables (Ubuntu Focal)  Importance: Undecided  Status: New
** Affects: nftables (Ubuntu Jammy)  Importance: Undecided  Status: Triaged
** Affects: nftables (Ubuntu Noble)  Importance: Undecided  Status: Triaged
** Affects: nftables (Ubuntu Questing)  Importance: Undecided  Status: Fix Released
** Affects: nftables (Ubuntu Resolute)  Importance: Undecided  Status: Fix Released

** Also affects: nftables (Ubuntu Resolute)  Importance: Undecided  Status: New
** Also affects: nftables (Ubuntu Noble)  Importance: Undecided  Status: New
** Also affects: nftables (Ubuntu Jammy)  Importance: Undecided  Status: New
** Also affects: nftables (Ubuntu Questing)  Importance: Undecided  Status: New
** Also affects: nftables (Ubuntu Focal)  Importance: Undecided  Status: New
** Also affects: nftables (Ubuntu Xenial)  Importance: Undecided  Status: New
** Also affects: nftables (Ubuntu Bionic)  Importance: Undecided  Status: New
** Also affects: nftables (Ubuntu Trusty)  Importance: Undecided  Status: New

** Changed in: nftables (Ubuntu Resolute)  Status: New => Fix Released
** Changed in: nftables (Ubuntu Questing)  Status: New => Fix Released
** Changed in: nftables (Ubuntu Noble)  Status: New => Triaged
** Changed in: nftables (Ubuntu Jammy)  Status: New => Triaged

** Description changed:

  [ Impact ]
  
+ * When one uses newer & older nftables on the same host (for example
+ from new and old containers) the old nftables can start crashing with
+ segfaults.
- * When one uses newer & older nftables on the same host (for example from new and old containers) the old nftables can start crashing with segfaults.
- 
- * This is very pronounced when deploying kubernetes and for example
+ * This is very pronounced when deploying kubernetes and for example
  deploying istio or calico with containers that have newer nftables
  (newer than 1.1.1) and subsequently older nftables (on the host or
  another container) are used.
  
  https://git.netfilter.org/nftables/commit/?id=be737a1986bfee0ddea4bee7863dca0123a2bcbc
  
  Whenever a new version adds udata support to an expression, then old
  versions of nft will crash when trying to list such a ruleset
  generated by a more recent version of nftables.
  
  Fix this by falling back to 'type' format.
  
  Fixes: 6e48df5329ea ('src: add "typeof" build/parse/print support')
  Signed-off-by: Florian Westphal <[email protected]>
  Reviewed-by: Pablo Neira Ayuso <[email protected]>
  
  Also see:
  - https://github.com/istio/istio/issues/58492
  
  [ Test Plan ]
  
- * Deploy istio with latest nftables such as 1.1.6 from devel or any
- other distro, on an older Ubuntu release such as Noble or Jammy
+ * Deploy istio with latest nftables such as 1.1.6 from devel or any
+ other distro, on an older Ubuntu release such as Noble or Jammy. Any
+ preferred method - for example helm charts see
+ https://github.com/istio/istio/issues/58492.
  
- * Then on the host execute
+ * Alternatively use up to date nftables in a chroot or container from
+ Ubuntu Question or Resolute should also do the trick
+ 
+ * Then on the host execute
  
  $ nft add table inet test-table
  $ nft add set inet test-table test-set "{ type ipv4_addr ; }"
  $ nft delete table inet test-table
  Segmentation fault (core dumped)
  
  And ensure that nft no longer segfaults
  
  [ Where problems could occur ]
  
- * This is a backport of upstream fix, to ensure older nftables are
+ * This is a backport of upstream fix, to ensure older nftables are
  forward compatible with newer nftables.
  
  [ Other Info ]
  
- * Istio & calico deployments are affected
+ * Istio & calico deployments are affected

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142552

Title:
  netlink: fix crash when ops doesn't support udata

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/2142552/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
