[pkg-netfilter-team] Bug#914429: nftables: Delete and Flush lead to device or resource busy with segmentation fault
Eike Lohmann
e.lohmann at ic3s.de
Fri Nov 23 10:32:06 GMT 2018
Package: nftables
Version: 0.9.0-1~bpo9+1
Severity: important
Dear Maintainer,
When adding and deleting rules, chains, maps and sets in nft, we can reproduce a
"Device or resource busy" error, followed by a "Segmentation fault" on flush ruleset.
For the "Device or resource busy" error, we can't find any process in the process list.
# nft delete chain filter C_TestChain
Error: Could not process rule: Device or resource busy
delete chain filter C_TestChain
# nft flush ruleset
Segmentation fault
How to reproduce:
/etc/nftables.conf:
#!/usr/sbin/nft -f
# Skeleton for nftables
flush ruleset
table ip filter {
        chain FORWARD {
                type filter hook forward priority 0;
        }
}
Add via file:
add chain filter vpn_master
add map filter J_TestMap { type ipv4_addr : verdict ; flags interval ; }
add rule filter vpn_master ip saddr vmap @J_TestMap
add chain filter C_TestChain
add set filter M_TestMasterSet { type ipv4_addr ; flags interval ; elements = { 172.21.138.0/29 } ; }
add set filter S_TestSlaveSet { type ipv4_addr ; flags interval ; elements = { 172.21.138.8/29, 172.21.138.16/28, 172.21.138.32/29 } ; }
add element filter J_TestMap { 172.21.138.0/29 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.8/29 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.16/28 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.32/29 : jump C_TestChain }
add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr @M_TestMasterSet accept
add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr @S_TestSlaveSet accept
add rule filter C_TestChain ip saddr @S_TestSlaveSet ip daddr @M_TestMasterSet accept
Then flush and delete some rules with the following commands:
# nft flush set filter M_TestMasterSet
# nft flush set filter S_TestSlaveSet
# nft flush map filter J_TestMap
# nft flush chain filter C_TestChain
# nft delete set filter M_TestMasterSet
# nft delete set filter S_TestSlaveSet
Now we delete the vmap via its handle (could not find out how to delete this by name):
# nft list table filter -na
table ip filter { # handle 2
        map J_TestMap { # handle 3
                type ipv4_addr : verdict
                flags interval
        }
        chain FORWARD { # handle 1
                type filter hook forward priority 0; policy accept;
        }
        chain vpn_master { # handle 2
                ip saddr vmap @J_TestMap # handle 4
        }
        chain C_TestChain { # handle 5
        }
}
# nft delete rule filter vpn_master handle 4
# nft delete map filter J_TestMap
# nft delete chain filter C_TestChain
Error: Could not process rule: Device or resource busy
delete chain filter C_TestChain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
What is left, and can we delete it via a complete flush?
# nft list table filter -na
table ip filter { # handle 2
        chain FORWARD { # handle 1
                type filter hook forward priority 0; policy accept;
        }
        chain vpn_master { # handle 2
        }
        chain C_TestChain { # handle 5
        }
}
# nft flush ruleset
Segmentation fault
Please contact me, if you need further details.
Regards, Eike
-- System Information:
Debian Release: 9.6
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (50, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages nftables depends on:
ii dpkg 1.18.25
ii libc6 2.24-11+deb9u3
ii libgmp10 2:6.1.2+dfsg-1
ii libnftables0 0.9.0-1~bpo9+1
ii libreadline7 7.0-3
ii libnftnl7:amd64 1.1.1-1~bpo9+1
nftables recommends no packages.
nftables suggests no packages.
-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset
table ip filter {
        chain FORWARD {
                type filter hook forward priority 0;
        }
}
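The report works through `nft list table filter -na` by hand to decide what still holds C_TestChain. As an added example (not from the bug report or the nftables project), the script below parses that handle-annotated listing and prints everything that still points at a given chain: rules with a `jump`/`goto` verdict, verdict-map elements, and `vmap @map` rules reaching it through such a map. This is the check to run before `delete chain` and the first thing to look at when it returns "Device or resource busy". The "before cleanup" listing is constructed from the report's "Add via file" step (rule handle 6 is assumed); the "after cleanup" listing is the one the report shows, on which the parser finds no remaining reference, matching what the reporter saw before the EBUSY.

```python
"""Report what still references an nft chain, parsed from `nft -a list table` output.
Added example, not part of the bug report or of nftables. Sample listings are
constructed from the report; rule handle 6 is assumed."""
import re
from dataclasses import dataclass, field

# Constructed: how the table would list right after the report's "Add via file" step.
LISTING_BEFORE_CLEANUP = """\
table ip filter { # handle 2
    map J_TestMap { # handle 3
        type ipv4_addr : verdict
        flags interval
        elements = { 172.21.138.0/29 : jump C_TestChain, 172.21.138.8/29 : jump C_TestChain,
                     172.21.138.16/28 : jump C_TestChain, 172.21.138.32/29 : jump C_TestChain }
    }
    chain FORWARD { # handle 1
        type filter hook forward priority 0; policy accept;
    }
    chain vpn_master { # handle 2
        ip saddr vmap @J_TestMap # handle 4
    }
    chain C_TestChain { # handle 5
        ip saddr @M_TestMasterSet ip daddr @M_TestMasterSet accept # handle 6
    }
}
"""
# Copied from the report: after the sets, the map and rule handle 4 are gone.
LISTING_AFTER_CLEANUP = """\
table ip filter { # handle 2
    chain FORWARD { # handle 1
        type filter hook forward priority 0; policy accept;
    }
    chain vpn_master { # handle 2
    }
    chain C_TestChain { # handle 5
    }
}
"""
OBJ_RE = re.compile(r"^(table|chain|map|set)\s+(.*?)\s*\{\s*#\s*handle\s+(\d+)")
RULE_RE = re.compile(r"^(.*?)\s*#\s*handle\s+(\d+)\s*$")
VERDICT_RE = re.compile(r"\b(jump|goto)\s+(\S+)")

@dataclass
class Obj:
    kind: str                                     # chain, map or set
    name: str
    handle: int
    rules: list = field(default_factory=list)     # (handle, text); chains only
    elements: list = field(default_factory=list)  # element strings; maps and sets

def _split_elements(text):
    inner = text[text.index("{") + 1 : text.rindex("}")]
    return [e.strip() for e in inner.split(",") if e.strip()]

def parse_listing(listing):
    """Return the chains, maps and sets of one table listing, with handles."""
    objs, cur, pending = [], None, None
    for raw in listing.splitlines():
        line = raw.strip()
        if pending is not None:                   # continuation of a multi-line elements block
            pending.append(line)
            if line.endswith("}"):
                cur.elements.extend(_split_elements(" ".join(pending)))
                pending = None
            continue
        m = OBJ_RE.match(line)
        if m:
            if m.group(1) != "table":             # the table line itself holds no references
                cur = Obj(m.group(1), m.group(2), int(m.group(3)))
                objs.append(cur)
            continue
        if line.startswith("elements") and cur is not None:
            if line.endswith("}"):
                cur.elements.extend(_split_elements(line))
            else:
                pending = [line]
            continue
        m = RULE_RE.match(line)
        if m and cur is not None and cur.kind == "chain":
            cur.rules.append((int(m.group(2)), m.group(1)))
    return objs

def references(listing, chain):
    """List (holder, handle, text) for everything still pointing at `chain`."""
    objs, refs, maps_to_chain = parse_listing(listing), [], []
    for o in objs:                                # verdict-map elements jumping to the chain
        for e in o.elements:
            m = VERDICT_RE.search(e)
            if m and m.group(2) == chain:
                refs.append((f"{o.kind} {o.name}", o.handle, e))
                if o.name not in maps_to_chain:
                    maps_to_chain.append(o.name)
    for o in objs:                                # rules: direct verdicts, or vmap lookups in such a map
        for handle, text in o.rules:
            m = VERDICT_RE.search(text)
            if m and m.group(2) == chain:
                refs.append((f"chain {o.name}", handle, text))
                continue
            for mp in maps_to_chain:
                if re.search(rf"@{re.escape(mp)}\b", text):
                    refs.append((f"chain {o.name}", handle, f"{text}  (via map {mp})"))
    return refs

if __name__ == "__main__":
    for label, listing in (("before cleanup", LISTING_BEFORE_CLEANUP), ("after cleanup", LISTING_AFTER_CLEANUP)):
        refs = references(listing, "C_TestChain")
        print(f"{label}: {len(refs)} reference(s) to C_TestChain")
        for holder, handle, text in refs:
            print(f"  {holder} handle {handle}: {text}")
```

On the constructed pre-cleanup listing it reports the four map elements plus the `vmap @J_TestMap` rule in vpn_master; on the report's final listing it reports nothing, which is the point: the listing no longer shows anything that would justify the EBUSY on `delete chain filter C_TestChain`.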