** Description changed:

  [ Impact ]

   * When one uses newer & older nftables on the same host (for example
     from new and old containers) the old nftables can start crashing with
     segfaults.

   * This is very pronounced when deploying kubernetes and for example
     deploying istio or calico with containers that have newer nftables
     (newer than 1.1.1) and subsequently older nftables (on the host or
     another container) are used.

  https://git.netfilter.org/nftables/commit/?id=be737a1986bfee0ddea4bee7863dca0123a2bcbc

  Whenever a new version adds udata support to an expression, then old
  versions of nft will crash when trying to list such a ruleset generated
  by a more recent version of nftables. Fix this by falling back to 'type'
  format.

  Fixes: 6e48df5329ea ('src: add "typeof" build/parse/print support')
  Signed-off-by: Florian Westphal <[email protected]>
  Reviewed-by: Pablo Neira Ayuso <[email protected]>

  Also see:
   - https://github.com/istio/istio/issues/58492

  [ Test Plan ]

   * Deploy istio with latest nftables such as 1.1.6 from devel or any
     other distro, on an older Ubuntu release such as Noble or Jammy. Any
     preferred method - for example helm charts see
     https://github.com/istio/istio/issues/58492.

-  * Alternatively use up to date nftables in a chroot or container from
+  * Alternatively use up to date nftables in a chroot or container from
     Ubuntu Question or Resolute should also do the trick

   * Then on the host execute
     $ nft add table inet test-table
     $ nft add set inet test-table test-set "{ type ipv4_addr ; }"
     $ nft delete table inet test-table
     Segmentation fault (core dumped)

     And ensure that nft no longer segfaults

  [ Where problems could occur ]

   * This is a backport of upstream fix, to ensure older nftables are
     forward compatible with newer nftables.

  [ Other Info ]

   * Istio & calico deployments are affected
+  * Fedora update https://bugzilla.redhat.com/show_bug.cgi?id=2443276
+  * Debian update https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129273
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142552

Title:
  netlink: fix crash when ops doesn't support udata

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/2142552/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
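The "[ Test Plan ]" above is meant to be run by hand and judged by eye. Below is an added helper, not part of the bug report or of the nftables project, that drives the same three nft commands and turns the outcome into a verdict, so the check can be repeated unattended before and after the package update. It assumes the precondition the test plan states: a newer nftables (an istio/calico container or a chroot) has already written a ruleset into the kernel of this network namespace, which is why the commands run against the host namespace as root and are not isolated. The environment variable NFT_RUN_TEST_PLAN and the table and set names are this example's own choices.

```shell
#!/bin/sh
# Added example: run the bug's test plan with the host's nft and classify
# the result. Needs root and nft; only runs the live check when
# NFT_RUN_TEST_PLAN=1 is set (a switch invented for this example).

FAMILY=inet
TABLE=test-table
SET=test-set

# A process killed by a signal exits with 128+signo in POSIX shells.
# SIGSEGV is 11, so status 139 is the "Segmentation fault (core dumped)"
# shown in the bug; 0 means the old nft survived listing the ruleset.
nft_verdict() {
    case "$1" in
        0)   echo "ok" ;;
        139) echo "segfault" ;;
        *)   echo "error($1)" ;;
    esac
}

# Run the three test-plan commands in order and print the verdict.
# Returns 0 only when every command completed without crashing.
run_test_plan() {
    if nft add table "$FAMILY" "$TABLE" &&
       nft add set "$FAMILY" "$TABLE" "$SET" "{ type ipv4_addr ; }" &&
       nft delete table "$FAMILY" "$TABLE"; then
        status=0
    else
        status=$?
    fi
    verdict=$(nft_verdict "$status")
    echo "nft test plan: $verdict (exit $status)"
    # On a crash the table is left behind: the unfixed nft crashes again on
    # any listing, so retry the delete only after the fixed nft is installed.
    [ "$verdict" = "ok" ]
}

if [ "${NFT_RUN_TEST_PLAN:-0}" = "1" ]; then
    if ! command -v nft >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "needs root and an installed nft" >&2
        exit 2
    fi
    run_test_plan
fi
```

Run it as `NFT_RUN_TEST_PLAN=1 sh ./nft-test-plan.sh` on the host once the newer-nftables workload is deployed; a "segfault" verdict before the update and an "ok" verdict afterwards is the expected pair of results.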
