[pkg-netfilter-team] Bug#888442: [nftables] Crash when list(ing) ip6tables-compat CT rules
Charlemagne Lasse
charlemagnelasse at gmail.com
Thu Jan 25 16:33:03 UTC 2018
Package: nftables
Version: 0.7-1
Severity: important
`nft list` crashes when an ip6tables-compat CT rule is also found in
iptables-compat. This is either an assert with 0.7-1 or a segfault
with 0.8-2~bpo9+1.
# nft flush ruleset
# nft list ruleset
# iptables-compat -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
		ct state related,established counter packets 0 bytes 0 accept
	}
	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}
	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}
}
# ip6tables-compat -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# nft list ruleset
BUG: XT match conntrack not found
nft: xt.c:208: netlink_parse_match: Assertion `0' failed.
Aborted
--- System information. ---
Architecture:
Kernel: Linux 4.9.65-3+deb9u2
Debian Release: 9.3
500 stable security.debian.org
500 stable httpredir.debian.org
100 stretch-backports httpredir.debian.org
1 stable www.deb-multimedia.org
--- Package information. ---
Depends (Version) | Installed
===================================================-+-============================
init-system-helpers (>= 1.18~) | 1.48
libc6 (>= 2.15) |
libgmp10 |
libmnl0 (>= 1.0.3-4~) |
libnftnl4 (>= 1.0.5+snapshot20160416) |
libreadline7 (>= 6.0) |
libxtables12 |
Package's Recommends field is empty.
Package's Suggests field is empty.