[pkg-netfilter-team] Bug#960003: iptables-restore --test FILE reports segfault if FILE has more than 2 tables

quidame quidame at poivron.org
Fri May 8 08:21:19 BST 2020 

Package: iptables
Version: 1.8.4-3
Severity: normal

Dear Maintainer,

Wanting to validate changes in a file previously created by
iptables-save, I experienced a segmentation fault with the
iptables-restore command. It appears that the error doesn't come from
the changes in the file, but from the iptables-nft-restore binary.

Steps to reproduce:

1. Create a file with 3 tables (any of filter, nat, mangle, raw and
security):

# cat > ruleset <<EOF
*filter
COMMIT
*nat
COMMIT
*raw
COMMIT
EOF

2. Test the file

# iptables-nft-restore --test ruleset
Segmentation fault


Alternatively, this can be tested by piping iptables-save output into
iptables-restore:

# iptables-save | iptables-restore
(no error reported)

# iptables-save | iptables-restore --test
Segmentation fault


Note that the error does NOT occur when at least one of these conditions
is met:
- iptables-legacy is the current alternative for iptables
- the input file has 1 or 2 tables
- the '--table' option is used

Even if the command itself is still usable, this unexpected segfault
makes the '--test' option totally unreliable, and probably unreliable
for both nft and legacy commands, as they're currently not called as
themselves, but behind the iptables-restore alternative, for which the
--test option may or may not work.


Thank you,
quidame


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.30-4
ii  libip4tc2                1.8.4-3
ii  libip6tc2                1.8.4-3
ii  libmnl0                  1.0.4-3
ii  libnetfilter-conntrack3  1.0.8-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.6-1
ii  libxtables12             1.8.4-3
ii  netbase                  6.1

Versions of packages iptables recommends:
pn  nftables  <none>

Versions of packages iptables suggests:
pn  firewalld  <none>
ii  kmod       27+20200310-2

-- no debconf information

More information about the pkg-netfilter-team mailing list