[pkg-netfilter-team] Bug#944669: nft: Memory allocation failure when using synproxy

Bernhard Ehlers bugs at bernhard-ehlers.de
Wed Nov 13 15:10:52 GMT 2019


Package: nftables
Version: 0.9.2-2
Severity: normal

Dear Maintainer,

nft crashes with "Memory allocation failure" when using synproxy.

A simple test with the example from http://patchwork.ozlabs.org/patch/1120688/:

root@buster:/home/user# cat > x
table ip x {
	chain y {
		type filter hook prerouting priority raw; policy accept;
		tcp flags syn notrack
	}

	chain z {
		type filter hook input priority filter; policy accept;
		ct state { invalid, untracked } synproxy mss 1460 wscale 7 timestamp sack-perm
		ct state invalid drop
	}
}
root@buster:/home/user# nft -f x
netlink.c:93: Memory allocation failure
root@buster:/home/user#

When I comment out the synproxy statement, nft doesn't crash.

I'm using Debian stable (buster), with only nftables from testing.
nftables from buster-backports is crashing the same way.

-- System Information:
Debian Release: 10.1
  APT prefers stable
  APT policy: (500, 'stable'), (50, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  dpkg          1.19.7
ii  libc6         2.28-10
ii  libnftables1  0.9.2-2
ii  libreadline8  8.0-3

nftables recommends no packages.

Versions of packages nftables suggests:
pn  firewalld  <none>

-- no debconf information
