[pkg-netfilter-team] nftables: kernel BUG at lib/list_debug.c:53

Tim Düsterhus public+debian.org at bastelstu.be
Thu Jul 18 11:31:26 BST 2019



Am 17.07.19 um 19:32 schrieb Vincent Tondellier:
>> It looks like (one of) the two `flow table` lines are at fault,
>> but I am not able to confirm this for sure, because the assertion
>> is not 100% reliably triggered.
> 
> I can reproduce your crash quite reliably, maybe because I have kernel
> hardening enabled (page_poison=1 slab_nomerge).
> 
> Can you try removing the anonymous sets from your configuration ?
> Replacing "tcp dport { 22 }" with "tcp dport 22" in your example seems
> to resolve the crash.
> Unfortunately, doing the same in my config is almost a full rewrite ...

The configuration in my bug report was already heavily shortened to the
point where I still could reliably reproduce the issue. Nonetheless it
was simple enough to make the change to remove all the anonymous
one-element sets from the configuration.

I can *confirm* that replacing the anonymous one-element sets by their
single element fixes the issue.

Replacing the multi-element sets was not necessary for me. I'll still
wait for an / the kernel update, because I still don't really trust it
to reliably work 100% of the time.

Best regards
Tim Düsterhus
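Since the workaround the thread converges on (replace anonymous one-element sets such as `tcp dport { 22 }` with the bare element, leave multi-element sets alone) can mean a near-full rewrite of a large ruleset, here is a small helper that does that rewrite mechanically. It is an added example, not code from the thread or from the nftables project; the ruleset it runs on is constructed for illustration, and the regex deliberately skips named-set definitions (`elements = { ... }`) so that only anonymous sets in rule expressions are touched.

```python
import re

# Constructed sample ruleset in the shape discussed in the thread:
# one anonymous one-element set, one multi-element set, one named set.
SAMPLE_RULESET = """table inet filter {
    set admins {
        type ipv4_addr
        elements = { 192.0.2.10 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        tcp dport { 22 } accept
        tcp dport { 80, 443 } accept
        ip saddr @admins tcp dport { 8443 } accept
    }
}
"""

# "<keyword> { elem }" with exactly one element: no comma, no nested
# braces, no ';' or '='.  Set-definition blocks and "elements = { ... }"
# never match because '=' and ';' are excluded from the element.
_ONE_ELEMENT_SET = re.compile(
    r"(?P<key>[A-Za-z_]+)\s+\{\s*(?P<elem>[^{},;=\s][^{},;=]*?)\s*\}"
)


def count_anonymous_one_element_sets(ruleset: str) -> int:
    """How many anonymous one-element sets remain in the ruleset text."""
    return len(_ONE_ELEMENT_SET.findall(ruleset))


def unwrap_one_element_sets(ruleset: str) -> str:
    """Rewrite 'key { x }' to 'key x'; multi-element sets stay as they are."""
    def repl(m: re.Match) -> str:
        return f"{m.group('key')} {m.group('elem')}"
    return _ONE_ELEMENT_SET.sub(repl, ruleset)


if __name__ == "__main__":
    print(unwrap_one_element_sets(SAMPLE_RULESET))
```

Diff the output against the original before loading it, and keep the multi-element and named sets as they were; the thread only reports the one-element anonymous sets as the trigger.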


