[pkg-netfilter-team] Bug#1053564: nftables: nft freeze after some times, probably as a result of excessive use of named set

Daniel Haryo Sugondo sugondo at hlrs.de
Fri Oct 6 13:43:04 BST 2023 

Package: nftables
Version: 1.0.6-2+deb12u1
Severity: normal

Dear Maintainer,

I'm trying to support our nftables to use FQDN (CDN). I wrote a shell script
to translate FQDN into ip(v4/v6) address and feed the results in nftables
"named set". The elements have a max. timeout from about 5 Min. I don't want
outdated entries on my sets. The script inserts and deletes the elements
periodically.

My script works flawlessly on Debian 11 and for the first hours on Debian 12
too, but ends on Debian 12 with [D]-state on "ps" output, after some hours,
and on dmesg you can see Call Traces from netlink modul.

I don't have any idea, why the behaviour on Debian 12 is different to the
previous version. Maybe you can take a look for this.

Further informations:
My named set on nftables for this purpose looks like:

table inet firewall {
        set fq4-acc-o {
                type ipv4_addr . inet_proto . inet_service
                flags interval,timeout
                timeout 5m15s
        }

        set fq6-acc-o {
                type ipv6_addr . inet_proto . inet_service
                flags interval,timeout
                timeout 5m15s
        }
...

Some examples, if nft crashs:

Oct 02 00:38:51 nftfqdn.sh[224817]: /dev/shm/fqdn.nft:42:39-86: Error: Could not process rule: File exists
Oct 02 00:38:51 nftfqdn.sh[224817]: add element inet firewall fq6-acc-o { 2600:9000:2490:e000:3:db06:4200:93a1 . tcp . 443 }
Oct 02 00:38:51 nftfqdn.sh[224817]:                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Oct 03 04:13:04 nftfqdn.sh[203649]: /dev/shm/fqdn.nft:12:39-63: Error: Could not process rule: File exists
Oct 03 04:13:04 nftfqdn.sh[203649]: add element inet firewall fq4-acc-o { 143.204.98.14 . tcp . 443 timeout 27s }
Oct 03 04:13:04 nftfqdn.sh[203649]:                                       ^^^^^^^^^^^^^^^^^^^^^^^^^

dmesg output

Oct 03 04:13:22 kernel: BUG: kernel NULL pointer dereference, address: 0000000000000034
Oct 03 04:13:22 kernel: #PF: supervisor read access in kernel mode
Oct 03 04:13:22 kernel: #PF: error_code(0x0000) - not-present page
Oct 03 04:13:22 kernel: PGD 0 P4D 0
Oct 03 04:13:22 kernel: Oops: 0000 [#1] PREEMPT SMP PTI
Oct 03 04:13:22 kernel: CPU: 2 PID: 203751 Comm: nft Not tainted 6.1.0-12-amd64 #1  Debian 6.1.52-1
Oct 03 04:13:22 kernel: Hardware name: FUJITSU PRIMERGY RX1330 M2/D3375-A1, BIOS V5.0.0.11 R1.31.0 for D3375-A1x                    02/22/2023
Oct 03 04:13:22 kernel: RIP: 0010:nft_setelem_data_deactivate.constprop.0.isra.0+0x40/0x80 [nf_tables]
Oct 03 04:13:22 kernel: Code: 36 0f b6 46 03 84 c0 74 15 8b 57 44 81 fa ff fe ff ff 76 0a 81 fa 00 ff ff ff 74 20 0f 0b 0f b6 46 09 84 c0 74 11 48 8b 14 06 <8b> 42 34 8d 48 ff 89 4a 34 85 c0 74 27 c3 cc cc cc cc 48 01 f0 8b
Oct 03 04:13:22 kernel: RSP: 0018:ffffc07fc315f6b8 EFLAGS: 00010202
Oct 03 04:13:22 kernel: RAX: 0000000000000038 RBX: ffffc07fc315f898 RCX: 000000000854c002
Oct 03 04:13:22 kernel: RDX: 0000000000000000 RSI: ffff9c63c3bf9340 RDI: ffff9c63c198f000
Oct 03 04:13:22 kernel: RBP: ffffc07fc315f750 R08: ffff9c63d36c0e00 R09: 0000000000000001
Oct 03 04:13:22 kernel: R10: 0000000000000020 R11: 0000000000000004 R12: ffff9c63c198f000
Oct 03 04:13:22 kernel: R13: ffff9c63c3bf9340 R14: ffff9c63d36c0200 R15: ffff9c63c198f000
Oct 03 04:13:22 kernel: FS:  00007f0fe7262740(0000) GS:ffff9c6b0fc80000(0000) knlGS:0000000000000000
Oct 03 04:13:22 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Oct 03 04:13:22 kernel: CR2: 0000000000000034 CR3: 0000000151c3e003 CR4: 00000000003706e0
Oct 03 04:13:22 kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Oct 03 04:13:22 kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Oct 03 04:13:22 kernel: Call Trace:
Oct 03 04:13:22 kernel:  <TASK>
Oct 03 04:13:22 kernel:  ? __die_body.cold+0x1a/0x1f
Oct 03 04:13:22 kernel:  ? page_fault_oops+0xd2/0x2b0
Oct 03 04:13:22 kernel:  ? exc_page_fault+0x70/0x170
Oct 03 04:13:22 kernel:  ? asm_exc_page_fault+0x22/0x30
Oct 03 04:13:22 kernel:  ? nft_setelem_data_deactivate.constprop.0.isra.0+0x40/0x80 [nf_tables]
Oct 03 04:13:22 kernel:  nft_del_setelem+0x49b/0x510 [nf_tables]
Oct 03 04:13:22 kernel:  nf_tables_delsetelem+0x1f0/0x2e0 [nf_tables]
Oct 03 04:13:22 kernel:  ? __kmem_cache_alloc_node+0x139/0x2a0
Oct 03 04:13:22 kernel:  ? nfnetlink_rcv_batch+0x20a/0x9a0 [nfnetlink]
Oct 03 04:13:22 kernel:  nfnetlink_rcv_batch+0x5df/0x9a0 [nfnetlink]
Oct 03 04:13:22 kernel:  nfnetlink_rcv+0x175/0x193 [nfnetlink]
Oct 03 04:13:22 kernel:  netlink_unicast+0x23f/0x390
Oct 03 04:13:22 kernel:  netlink_sendmsg+0x250/0x4c0
Oct 03 04:13:22 kernel:  sock_sendmsg+0x5c/0x70
Oct 03 04:13:22 kernel:  ____sys_sendmsg+0x277/0x2f0
Oct 03 04:13:22 kernel:  ? copy_msghdr_from_user+0x7d/0xc0
Oct 03 04:13:22 kernel:  ___sys_sendmsg+0x9a/0xe0
Oct 03 04:13:22 kernel:  __sys_sendmsg+0x76/0xc0
Oct 03 04:13:22 kernel:  do_syscall_64+0x58/0xc0
Oct 03 04:13:22 kernel:  ? fpregs_assert_state_consistent+0x22/0x50
Oct 03 04:13:22 kernel:  ? exit_to_user_mode_prepare+0x40/0x1d0
Oct 03 04:13:22 kernel:  ? syscall_exit_to_user_mode+0x27/0x40
Oct 03 04:13:22 kernel:  ? do_syscall_64+0x67/0xc0
Oct 03 04:13:22 kernel:  ? fpregs_assert_state_consistent+0x22/0x50
Oct 03 04:13:22 kernel:  ? exit_to_user_mode_prepare+0x40/0x1d0
Oct 03 04:13:22 kernel:  entry_SYSCALL_64_after_hwframe+0x64/0xce
Oct 03 04:13:22 kernel: RIP: 0033:0x7f0fe74a9910
Oct 03 04:13:22 kernel: Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 66 2e 0f 1f 84 00 00 00 00 00 90 80 3d d1 fc 0c 00 00 74 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 89 54
Oct 03 04:13:22 kernel: RSP: 002b:00007fffb709da18 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
Oct 03 04:13:22 kernel: RAX: ffffffffffffffda RBX: 00007fffb70aec10 RCX: 00007f0fe74a9910
Oct 03 04:13:22 kernel: RDX: 0000000000000000 RSI: 00007fffb70aeac0 RDI: 0000000000000003
Oct 03 04:13:22 kernel: RBP: 00007fffb70aebc0 R08: 00007fffb709d9f4 R09: 000055e795856520
Oct 03 04:13:22 kernel: R10: 00007f0fe7690f00 R11: 0000000000000202 R12: 000055e79582cb50
Oct 03 04:13:22 kernel: R13: 0000000000010000 R14: 00007fffb709da30 R15: 0000000000000001
Oct 03 04:13:22 kernel:  </TASK>
Oct 03 04:13:22 kernel: Modules linked in: bridge 8021q garp stp mrp llc nfnetlink_log nft_log nft_limit nft_ct nf_tables nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink binfmt_misc intel_rapl_msr intel_rapl_common ipmi_ssif x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass ghash_clmulni_intel sha512_ssse3 sha512_generic aesni_intel cr>
Oct 03 04:13:22 kernel:  crct10dif_generic hid ahci libahci cxgb4 crct10dif_pclmul crct10dif_common xhci_pci libata xhci_hcd crc32_pclmul scsi_transport_fc crc32c_intel i2c_i801 i2c_smbus tls usbcore scsi_mod igb i2c_algo_bit scsi_common dca usb_common video wmi
Oct 03 04:13:22 kernel: CR2: 0000000000000034
Oct 03 04:13:22 kernel: ---[ end trace 0000000000000000 ]---
Oct 03 04:13:22 kernel: RIP: 0010:nft_setelem_data_deactivate.constprop.0.isra.0+0x40/0x80 [nf_tables]
Oct 03 04:13:22 kernel: Code: 36 0f b6 46 03 84 c0 74 15 8b 57 44 81 fa ff fe ff ff 76 0a 81 fa 00 ff ff ff 74 20 0f 0b 0f b6 46 09 84 c0 74 11 48 8b 14 06 <8b> 42 34 8d 48 ff 89 4a 34 85 c0 74 27 c3 cc cc cc cc 48 01 f0 8b
Oct 03 04:13:22 kernel: RSP: 0018:ffffc07fc315f6b8 EFLAGS: 00010202
Oct 03 04:13:22 kernel: RAX: 0000000000000038 RBX: ffffc07fc315f898 RCX: 000000000854c002
Oct 03 04:13:22 kernel: RDX: 0000000000000000 RSI: ffff9c63c3bf9340 RDI: ffff9c63c198f000
Oct 03 04:13:22 kernel: RBP: ffffc07fc315f750 R08: ffff9c63d36c0e00 R09: 0000000000000001
Oct 03 04:13:22 kernel: R10: 0000000000000020 R11: 0000000000000004 R12: ffff9c63c198f000
Oct 03 04:13:22 kernel: R13: ffff9c63c3bf9340 R14: ffff9c63d36c0200 R15: ffff9c63c198f000
Oct 03 04:13:22 kernel: FS:  00007f0fe7262740(0000) GS:ffff9c6b0fc80000(0000) knlGS:0000000000000000
Oct 03 04:13:22 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Oct 03 04:13:22 kernel: CR2: 0000000000000034 CR3: 0000000151c3e003 CR4: 00000000003706e0
Oct 03 04:13:22 kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Oct 03 04:13:22 kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Oct 03 04:13:22 kernel: note: nft[203751] exited with irqs disabled

Best regards,

Daniel Sugondo.

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-12-amd64 (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  libc6         2.36-9+deb12u3
ii  libedit2      3.1-20221030-2
ii  libnftables1  1.0.6-2+deb12u1

Versions of packages nftables recommends:
ii  netbase  6.4

Versions of packages nftables suggests:
pn  firewalld  <none>

-- Configuration Files:
/etc/nftables.conf changed [not included]

-- no debconf information

More information about the pkg-netfilter-team mailing list