[pkg-netfilter-team] Bug#997950: iptables: "nft list ruleset" fails with SIGFPE when reporting certain hashlimit rates

Tilman Kranz tilman.kranz at b1-systems.de
Wed Oct 27 15:04:56 BST 2021


Package: iptables
Version: 1.8.7-1
Severity: normal
Tags: patch

Dear Maintainers,

   * What led up to the situation?

As the packet filter for a web server, nftables is used by legacy scripts
via the xtables compatibility wrapper iptables. They use
"ip(6)tables" to populate rulesets, also defining sets and hashlimits.

Since I am in the process of porting these scripts to the native
nftables scripting environment, I was analyzing the chains as
presented by "iptables (nf_tables variant)" and "nft".

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?

Listing the INPUT chain with "iptables -L" succeeds:

...
root at host:~ # iptables -V
iptables v1.8.7 (nf_tables)
root at host:~ # iptables -nvL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target   prot  opt in  out  source  destination         
    0     0 DROP     all       *   *    ::/0    ::/0         rt type:0
88384 7886K ACCEPT   all       lo  *    ::/0    ::/0                
14257  856K DROP     all       *   *    ::/0    ::/0         state INVALID
 4952  339K SET      all       *   *    ::/0    ::/0         state NEW ! match-set ipv6_scanned_ports src,dst limit: above 1/hour burst 5 mode srcip htable-expire 10000 add-set ipv6_port_scanners src exist
...

Listing the chain INPUT with "nft list ruleset" fails with SIGFPE.

...
root at host:~ # nft --version
nftables v0.9.8 (E.D.S.)
root at host:~# nft list chain ip6 filter INPUT
table ip6 filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		rt type 0 counter packets 0 bytes 0 drop
		iifname "lo" counter packets 88376 bytes 7885680 accept
		ct state invalid counter packets 14257 bytes 856062 drop
		ct state new # ! match-set ipv6_scanned_ports src,dst Floating point exception (core dumped)
...


Recompiling the "iptables" package with debug symbols reveals:

  Program received signal SIGFPE, Arithmetic exception.
  0x00007ffff7b47ce9 in print_packets_rate_xlate () from /usr/lib/x86_64-linux-gnu/xtables/libxt_hashlimit.so

I suspect the division and modulo operations in extensions/libxt_hashlimit.c,
print_packets_rate_xlate(), lines 1224f:

   xt_xlate_add(xl, " %" PRIu64 "/%s ",
            _rates[i-1].mult / avg, _rates[i-1].name);

I do not understand why "avg" is zero if the ruleset is listed by "nft"
and nonzero if listed by "iptables".

If I normalize the value of avg to 1, as shown in the following patch,
then the SIGFPE goes away, but the comment behind "ct state new" does not
correctly reflect the iptables ruleset:

--- iptables-1.8.7.orig/extensions/libxt_hashlimit.c
+++ iptables-1.8.7/extensions/libxt_hashlimit.c
@@ -1218,11 +1218,11 @@ static void print_packets_rate_xlate(str

    for (i = 1; i < ARRAY_SIZE(rates); ++i)
        if (avg > _rates[i].mult ||
-           _rates[i].mult / avg < _rates[i].mult % avg)
+           _rates[i].mult / (avg ? avg : 1) < _rates[i].mult % (avg ? avg : 1))
            break;

    xt_xlate_add(xl, " %" PRIu64 "/%s ",
-            _rates[i-1].mult / avg, _rates[i-1].name);
+            _rates[i-1].mult / (avg ? avg : 1), _rates[i-1].name);
 }
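Review bot: the `(avg ? avg : 1)` substitution in the loop condition and in the final `xt_xlate_add()` only hides the division by zero; an `avg` of 0 is not a cost of one unit per packet, so the translation now prints a fabricated `10000/second burst 0 packets` (see the listing that follows) where `iptables -nvL` shows `1/hour burst 5`. Handle the case explicitly before the loop, e.g. `if (avg == 0) { xt_xlate_add(xl, " <invalid rate> "); return; }`, so the listing flags the problem instead of inventing a rate, and pursue why the xlate path receives `avg == 0` at all when `iptables` prints the same rule correctly. If a guard is kept, compute it once into a local rather than repeating the ternary three times.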

...
root at host:~# nft list chain ip6 filter INPUT
table ip6 filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		rt type 0 counter packets 0 bytes 0 drop
		iifname "lo" counter packets 88440 bytes 7891400 accept
		ct state invalid counter packets 14262 bytes 856362 drop
		ct state new # ! match-set ipv6_scanned_ports src,dst meter portscan { timeout 0s limit rate 10000/second  burst 0 packets} counter packets 4952 bytes 339382 # add-set ipv6_port_scanners src exist
...

   * What outcome did you expect instead?

I do not expect informational comments in "nft list ..." to reflect any
legacy/non-portable properties of an ip6tables ruleset, but I expect
"nft list ..." to list the effective nftables ruleset.

Kind regards,
Tilman

-- System Information:
Debian Release: 11.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.31-13
ii  libip4tc2                1.8.7-1
ii  libip6tc2                1.8.7-1
ii  libmnl0                  1.0.4-3
ii  libnetfilter-conntrack3  1.0.8-3
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.9-1
ii  libxtables12             1.8.7-1
ii  netbase                  6.3

Versions of packages iptables recommends:
ii  nftables  0.9.8-3.1

Versions of packages iptables suggests:
pn  firewalld  <none>
ii  kmod       28-1

-- no debconf information
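The unit-selection loop quoted in the report, as an added example that is not iptables code: it reimplements the search in C, rejects avg == 0 before any division, and reproduces the bogus 10000/second that normalising avg to 1 yields. It assumes XT_HASHLIMIT_SCALE is 10000, the value from the kernel's xt_hashlimit.h (the patched listing above is consistent with it); the cost values fed to it are constructed.

```c
/* Added example, not iptables code: the rate-unit selection that
 * print_packets_rate_xlate() performs, with avg == 0 rejected instead of
 * divided by.  XT_HASHLIMIT_SCALE is assumed to be 10000 (kernel header). */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XT_HASHLIMIT_SCALE 10000ULL

struct rate_unit { const char *name; uint64_t mult; };

/* Coarsest unit first, the order the loop on the page relies on. */
static const struct rate_unit units[] = {
    { "day",    XT_HASHLIMIT_SCALE * 24 * 60 * 60 },
    { "hour",   XT_HASHLIMIT_SCALE * 60 * 60 },
    { "minute", XT_HASHLIMIT_SCALE * 60 },
    { "second", XT_HASHLIMIT_SCALE },
};
#define NUNITS (sizeof(units) / sizeof(units[0]))

/* avg is the hashlimit cost per packet in SCALE units (SCALE*3600 means
 * "1/hour").  Writes "<n>/<unit>" to buf and returns 0; returns -1 and
 * leaves buf untouched when avg is 0, the value behind the SIGFPE. */
int format_rate(uint64_t avg, char *buf, size_t len)
{
    size_t i;

    if (avg == 0)
        return -1;

    /* Stop at the first unit too fine for avg; print with the one before. */
    for (i = 1; i < NUNITS; ++i)
        if (avg > units[i].mult ||
            units[i].mult / avg < units[i].mult % avg)
            break;

    snprintf(buf, len, "%" PRIu64 "/%s", units[i - 1].mult / avg,
             units[i - 1].name);
    return 0;
}

/* Convenience wrapper returning a fixed marker for a zero cost. */
const char *rate_str(uint64_t avg)
{
    static char buf[32];
    return format_rate(avg, buf, sizeof buf) == 0 ? buf : "invalid";
}
```

rate_str(1) returns "10000/second", the same figure the patched nft listing shows, which is why normalising avg to 1 is not a fix.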
