[pkg-netfilter-team] Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so

Thomas Lamprecht t.lamprecht at proxmox.com
Sat May 25 17:49:55 BST 2019


Package: iptables
Version: 1.8.2-4
Severity: grave
File: /usr/sbin/xtables-nft-multi
Justification: renders package unusable by segfaulting on usage

Dear Maintainer,

First, it may be that this should actually be filed against nftables,
so I'd like to say sorry in advance if I made noise to the wrong people.

Anyway, on a Debian Stretch system installed from the latest weekly ISO,
restoring a relatively simple IP table with a single "intermediate" chain
causes a segfault and no restoration of said table.

Reproducer:
# cat simple-segv-table
*filter
:NEW-OUTPUT - [0:0]
-A OUTPUT -j NEW-OUTPUT
-F NEW-OUTPUT
-A NEW-OUTPUT -j ACCEPT
COMMIT

# iptables ./simple-segv-table
Segmentation fault

# dmesg | tail -1
[12860.813350] traps: iptables-restor[19173] general protection ip:7f4894682793 sp:7ffcedc177d0 error:0 in libnftnl.so.11.0.0[7f4894677000+17000]

# addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0  -fCi $(printf "%x" $[0x7f2cb9882793 - 0x7f2cb9877000])
nftnl_batch_is_supported
??:?

(hope that my addr2line foo isn't too much off)

The above example works just fine on a Debian Stretch 9.9 based machine.
As I initially produced this on a, let's say, far from minimal and a bit
Frankenstein'ed Buster, I installed the netinst weekly ISO again in a
QEMU/KVM backed VM, with the same outcome.

As said, this may well be an issue in the linked libnftnl shared
library, but could also be an issue with how iptables uses it; as I
produced the error by calling into an iptables-provided binary, I chose
to report it here (not sure if one can report against multiple
packages).

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.28-10
ii  libip4tc0                1.8.2-4
ii  libip6tc0                1.8.2-4
ii  libiptc0                 1.8.2-4
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.2-2
ii  libxtables12             1.8.2-4

Versions of packages iptables recommends:
ii  nftables  0.9.0-2

Versions of packages iptables suggests:
ii  kmod  26-1

-- no debconf information
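The reporter's file is a plain iptables-save style ruleset, and a crash in the restore path is a good reason to sanity-check such files before committing them. The script below is an added example and is not part of the bug report or of the iptables package: it parses the ruleset format (":NAME - [pkts:bytes]" chain declarations, "-A"/"-F"/"-j" references), flags references to chains or targets the file never declares, prints which iptables backend is installed, and, where iptables-restore exists, runs its parse-only mode (`--test`) instead of a live restore. The sample ruleset is constructed to mirror the reporter's file; the list of built-in chains and targets treated as "known" is an assumption of this script, not something the page states, and the dry run makes no claim about avoiding the libnftnl crash itself.

```shell
#!/bin/sh
# Added example, not part of the bug report: sanity-check an iptables-save
# style ruleset before handing it to iptables-restore.

# Constructed sample ruleset mirroring the reporter's "simple-segv-table".
RULESET_FILE="${TMPDIR:-/tmp}/check-ruleset.$$"
trap 'rm -f "$RULESET_FILE"' EXIT
cat > "$RULESET_FILE" <<'EOF'
*filter
:NEW-OUTPUT - [0:0]
-A OUTPUT -j NEW-OUTPUT
-F NEW-OUTPUT
-A NEW-OUTPUT -j ACCEPT
COMMIT
EOF

# Chains declared by the file: ":NAME policy [pkts:bytes]" lines whose policy
# field is "-" are user-defined (built-in chains carry a real policy).
user_chains() {
    awk '/^:/ { sub(/^:/, "", $1); if ($2 == "-") print $1 }' "$1"
}

# Chains used by -A/-I/-F/-X or jumped to with -j/--jump that are neither
# declared in the file nor in the built-in list. Assumption: the built-in
# chains and targets listed here are the only ones treated as known.
unresolved_refs() {
    awk '
      BEGIN {
        n = split("INPUT OUTPUT FORWARD PREROUTING POSTROUTING ACCEPT DROP REJECT RETURN LOG MASQUERADE SNAT DNAT REDIRECT MARK", b, " ")
        for (i = 1; i <= n; i++) known[b[i]] = 1
      }
      /^:/   { name = $1; sub(/^:/, "", name); known[name] = 1; next }
      /^-N / { known[$2] = 1; next }
      /^-/ {
        for (i = 1; i < NF; i++)
          if ($i ~ /^(-A|-I|-F|-X|-j|--jump)$/) used[$(i + 1)] = 1
      }
      END { for (r in used) if (!(r in known)) print r }' "$1" | sort
}

# Returns 0 when every reference resolves, 1 (listing offenders) otherwise.
check_ruleset() {
    bad=$(unresolved_refs "$1")
    if [ -n "$bad" ]; then
        echo "unresolved chain/target references: $bad" >&2
        return 1
    fi
    return 0
}

# Parse-only run: iptables-restore --test constructs the ruleset without
# committing it. Skipped when the binary is absent (non-Linux hosts, CI).
restore_dry_run() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1"
    else
        echo "iptables-restore not installed; skipping dry run" >&2
    fi
}

# "iptables -V" reports "(nf_tables)" or "(legacy)" on Debian Buster.
echo "backend: $(iptables -V 2>/dev/null || echo 'iptables not installed')"
echo "user-defined chains: $(user_chains "$RULESET_FILE" | tr '\n' ' ')"
check_ruleset "$RULESET_FILE" && echo "references OK"
restore_dry_run "$RULESET_FILE"
```

On the reporter's ruleset the reference check passes (OUTPUT is built-in, NEW-OUTPUT is declared, ACCEPT is a target), so a clean check followed by a crash in the dry run would point at the restore backend rather than at the file, which is the distinction the report is trying to draw.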
