[pkg-netfilter-team] Bug#929527: Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so
Arturo Borrero Gonzalez
arturo at debian.org
Tue May 28 10:26:15 BST 2019
On 5/27/19 12:29 PM, Arturo Borrero Gonzalez wrote:
> On 5/25/19 6:49 PM, Thomas Lamprecht wrote:
>> Package: iptables
>> Version: 1.8.2-4
>> Severity: grave
>> File: /usr/sbin/xtables-nft-multi
>> Justification: renders package unusable by segfaulting on usage
>>
>> Reproducer:
>> # cat simple-segv-table
>> *filter
>> :NEW-OUTPUT - [0:0]
>> -A OUTPUT -j NEW-OUTPUT
>> -F NEW-OUTPUT
>> -A NEW-OUTPUT -j ACCEPT
>> COMMIT
>>
>> # iptables-restore ./simple-segv-table
>> Segmentation fault
>>
>> # dmesg | tail -1
>> [12860.813350] traps: iptables-restor[19173] general protection ip:7f4894682793 sp:7ffcedc177d0 error:0 in libnftnl.so.11.0.0[7f4894677000+17000]
>>
>> # addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0 -fCi $(printf "%x" $[0x7f2cb9882793 - 0x7f2cb9877000])
>> nftnl_batch_is_supported
>> ??:?
>>
>
> I can reproduce this.
>
> I'm already looking for a fix.
>
This should be fixed in iptables 1.8.3, which just got released.
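The report above locates the faulting instruction by subtracting the library's load base (taken from the bracketed `[base+size]` part of the `traps:` line) from the faulting `ip:` and handing the result to addr2line. The helper below automates that step and also checks that the instruction pointer actually lies inside the reported mapping, which catches copy-paste mistakes between runs where ASLR gave different addresses. This is an added example written for this page, not code from the reporter or from the Debian package; the only input is the dmesg line quoted in the report.

```shell
#!/bin/sh
# Extract the in-library offset of a general-protection fault from a kernel
# "traps:" line, so it can be fed to addr2line against the unrelocated .so.

# The dmesg line quoted in the bug report, embedded here as the sample input.
SAMPLE='[12860.813350] traps: iptables-restor[19173] general protection ip:7f4894682793 sp:7ffcedc177d0 error:0 in libnftnl.so.11.0.0[7f4894677000+17000]'

# gp_offset LINE
#   Prints "<library> <hex offset>" on stdout.
#   Returns 1 if the line does not carry ip:/mapping fields,
#   returns 2 if ip lies outside [base, base+size) and the offset is meaningless.
gp_offset() {
    line=$1
    ip=$(printf '%s\n' "$line"   | sed -n 's/.* ip:\([0-9a-f]*\) .*/\1/p')
    lib=$(printf '%s\n' "$line"  | sed -n 's/.* in \([^[]*\)\[\([0-9a-f]*\)+\([0-9a-f]*\)\].*/\1/p')
    base=$(printf '%s\n' "$line" | sed -n 's/.* in \([^[]*\)\[\([0-9a-f]*\)+\([0-9a-f]*\)\].*/\2/p')
    size=$(printf '%s\n' "$line" | sed -n 's/.* in \([^[]*\)\[\([0-9a-f]*\)+\([0-9a-f]*\)\].*/\3/p')

    [ -n "$ip" ] && [ -n "$lib" ] && [ -n "$base" ] && [ -n "$size" ] || return 1

    off=$(( 0x$ip - 0x$base ))
    # ip must fall inside the mapping, otherwise the offset belongs to another object
    [ "$off" -ge 0 ] && [ "$off" -lt $(( 0x$size )) ] || return 2

    printf '%s %x\n' "$lib" "$off"
}

# Example run on the report's line; prints "libnftnl.so.11.0.0 b793",
# the same offset the reporter passed to addr2line.
gp_offset "$SAMPLE"
```

The second field is what goes into `addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0 -fCi <offset>`; it only resolves to a function name if the on-disk library is the same build that crashed, so compare the package version before trusting the symbol.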