[pkg-netfilter-team] Bug#929527: Bug#929527: /usr/sbin/xtables-nft-multi: restoring IP Tables with a self-defined chain segfaults in libnftnl.so

Thomas Lamprecht t.lamprecht at proxmox.com
Wed May 29 07:36:30 BST 2019


On 5/28/19 11:26 AM, Arturo Borrero Gonzalez wrote:
> On 5/27/19 12:29 PM, Arturo Borrero Gonzalez wrote:
>> On 5/25/19 6:49 PM, Thomas Lamprecht wrote:
>>> Package: iptables
>>> Version: 1.8.2-4
>>> Severity: grave
>>> File: /usr/sbin/xtables-nft-multi
>>> Justification: renders package unusable by segfaulting on usage
>>>
>>> Reproducer:
>>> # cat simple-segv-table
>>> *filter
>>> :NEW-OUTPUT - [0:0]
>>> -A OUTPUT -j NEW-OUTPUT
>>> -F NEW-OUTPUT
>>> -A NEW-OUTPUT -j ACCEPT
>>> COMMIT
>>>
>>> # iptables-restore ./simple-segv-table
>>> Segmentation fault
>>>
>>> # dmesg | tail -1
>>> [12860.813350] traps: iptables-restor[19173] general protection ip:7f4894682793 sp:7ffcedc177d0 error:0 in libnftnl.so.11.0.0[7f4894677000+17000]
>>>
>>> # addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0  -fCi $(printf "%x" $[0x7f2cb9882793 - 0x7f2cb9877000])
>>> nftnl_batch_is_supported
>>> ??:?
>>>
>>
>> I can reproduce this.
>>
>> I'm already looking for a fix.
>>
> 
> This should be fixed in iptables 1.8.3, which just got released.
> 

Yes, I can confirm, it works again with iptables 1.8.3-1~exp1 and
libnftnl 1.1.3-1~exp1.

Much thanks for the quick response!
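An added regression check for the reproducer above (example code written for this page, not part of the bug report or of the iptables/libnftnl projects). It feeds the ruleset from the report to a command on stdin and classifies the outcome as a clean exit, an error exit, or a crash by signal (a POSIX shell reports a signal death as 128 + signal number, so SIGSEGV shows up as 139). The command is a parameter so the harness can be tried against something harmless first; the `RUN_IPTABLES_CHECK` variable and the `iptables-restore --test` dry run are this example's own conventions, and a dry run is not guaranteed to reach the same batch code path as a real commit.

```shell
#!/bin/sh
# Added example: turn the Bug#929527 reproducer into a repeatable check.

# The ruleset from the bug report: a user-defined chain that is referenced,
# flushed and then appended to inside one restore.
RULESET='*filter
:NEW-OUTPUT - [0:0]
-A OUTPUT -j NEW-OUTPUT
-F NEW-OUTPUT
-A NEW-OUTPUT -j ACCEPT
COMMIT'

# run_restore_check CMD [ARGS...]
# Runs CMD with the ruleset on stdin and prints one of:
#   ok            - exit status 0
#   error         - non-zero exit status (parse error, permission denied, ...)
#   crash:<sig>   - killed by signal <sig> (SIGSEGV is 11, status 139)
run_restore_check() {
    if printf '%s\n' "$RULESET" | "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        echo "crash:$((status - 128))"
    else
        echo error
    fi
}

# Opt-in run against the installed iptables-restore (assumption: --test is
# the "parse and build, do not commit" dry-run flag; needs root to reach the
# kernel). Use a throwaway network namespace to test a real, committing restore.
if [ "${RUN_IPTABLES_CHECK:-0}" = 1 ] && command -v iptables-restore >/dev/null 2>&1; then
    echo "iptables-restore --test: $(run_restore_check iptables-restore --test)"
fi
```

Anything other than `ok` from the 1.8.2 binary is the bug; with the fixed 1.8.3 / libnftnl 1.1.3 packages mentioned in the thread the same input should parse cleanly.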
