[pkg-netfilter-team] Bug#1040636: nftables: nft stuck when the first adding a rule with named-set and log option

Nobuhiro Kikuchi ccmint at gmail.com
Sat Jul 8 09:18:51 BST 2023 

Package: nftables
Version: 1.0.6-2
Severity: normal

Dear Maintainer,

nft command stuck when first adding a rule with named-set and log option.
This issue is reproduced by following steps.

1. Disable /etc/nftables.conf at boot time.
  (eg. systemctl disable nftables.service)...default setting

2. Log in and run the following commands in order.
  nft flush ruleset
  nft add table ip filter
  nft 'add set ip filter block-ipv4 { type ipv4_addr; counter; flags
interval; }'
  nft add element ip filter block-ipv4 { 192.0.2.0 }
  nft 'create chain ip filter input { type filter hook input priority 0; }'
  nft add rule ip filter input ip saddr @block-ipv4 counter log drop

It does not return to the prompt after entering the last command "nft
add rule ...".
The following kernel messages are logged.

-----
[  326.355226] list_add corruption. prev->next should be next
(ffff9c0cc123b810), but was 0000000000000000. (prev=ffff9c0ceb48d9c0).
[  326.355302] ------------[ cut here ]------------
[  326.355303] kernel BUG at lib/list_debug.c:30!
[  326.355314] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[  326.355322] CPU: 0 PID: 768 Comm: nft Not tainted 6.1.0-10-amd64 #1
 Debian 6.1.37-1
[  326.355331] Hardware name: VMware, Inc. VMware Virtual
Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[  326.355342] RIP: 0010:__list_add_valid.cold+0x3a/0x5b
[  326.355354] Code: f2 48 89 c1 48 89 fe 48 c7 c7 b0 8e 35 af e8 de
a6 fe ff 0f 0b 48 89 d1 48 89 c6 4c 89 c2 48 c7 c7 58 8e 35 af e8 c7
a6 fe ff <0f> 0b 48 89 c1 48 c7 c7 00 8e 35 af e8 b6 a6 fe ff 0f 0b 48
c7 c7
[  326.355372] RSP: 0018:ffffa92b42f777e8 EFLAGS: 00010246
[  326.355380] RAX: 0000000000000075 RBX: ffff9c0cc123b800 RCX: 0000000000000000
[  326.355388] RDX: 0000000000000000 RSI: ffffffffaf34105e RDI: 00000000ffffffff
[  326.355396] RBP: ffff9c0ceb48d9c0 R08: 0000000000000000 R09: ffffa92b42f77680
[  326.355403] R10: 0000000000000003 R11: ffff9c0d3ffc3de8 R12: ffff9c0ceb48d9c0
[  326.355411] R13: ffff9c0cc123b810 R14: ffffa92b42f778b8 R15: ffff9c0cc6e60000
[  326.355419] FS:  00007f5de77c7740(0000) GS:ffff9c0d3be00000(0000)
knlGS:0000000000000000
[  326.355427] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  326.355434] CR2: 00007fba0ab3cb20 CR3: 000000002adc6000 CR4: 0000000000350ef0
[  326.355443] Call Trace:
[  326.355450]  <TASK>
[  326.355457]  ? __die_body.cold+0x1a/0x1f
[  326.355466]  ? die+0x2a/0x50
[  326.355473]  ? do_trap+0xc5/0x110
[  326.355481]  ? __list_add_valid.cold+0x3a/0x5b
[  326.355490]  ? do_error_trap+0x6a/0x90
[  326.355497]  ? __list_add_valid.cold+0x3a/0x5b
[  326.355505]  ? exc_invalid_op+0x4c/0x60
[  326.355512]  ? __list_add_valid.cold+0x3a/0x5b
[  326.355519]  ? asm_exc_invalid_op+0x16/0x20
[  326.355527]  ? __list_add_valid.cold+0x3a/0x5b
[  326.355535]  ? __list_add_valid.cold+0x3a/0x5b
[  326.355543]  nf_tables_bind_set+0xff/0x170 [nf_tables]
[  326.355654]  nft_lookup_init+0xcf/0x130 [nf_tables]
[  326.356222]  nf_tables_newrule+0x4a2/0xbf0 [nf_tables]
[  326.357196]  ? skb_clone+0x55/0xd0
[  326.358163]  nfnetlink_rcv_batch+0x5df/0x9a0 [nfnetlink]
[  326.359019]  nfnetlink_rcv+0x175/0x193 [nfnetlink]
[  326.359236]  netlink_unicast+0x23f/0x390
[  326.359786]  netlink_sendmsg+0x250/0x4c0
[  326.360374]  sock_sendmsg+0x5c/0x70
[  326.360484]  ____sys_sendmsg+0x277/0x2f0
[  326.360589]  ? copy_msghdr_from_user+0x7d/0xc0
[  326.360692]  ___sys_sendmsg+0x9a/0xe0
[  326.360793]  ? sk_getsockopt+0x7ed/0x1000
[  326.360890]  __sys_sendmsg+0x76/0xc0
[  326.360983]  do_syscall_64+0x58/0xc0
[  326.361074]  ? fpregs_assert_state_consistent+0x22/0x50
[  326.361165]  ? exit_to_user_mode_prepare+0x40/0x1d0
[  326.361257]  ? syscall_exit_to_user_mode+0x17/0x40
[  326.361347]  ? do_syscall_64+0x67/0xc0
[  326.361433]  ? fpregs_assert_state_consistent+0x22/0x50
[  326.361521]  ? exit_to_user_mode_prepare+0x40/0x1d0
[  326.361607]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  326.361692] RIP: 0033:0x7f5de7a0e8d0
[  326.361775] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 66
2e 0f 1f 84 00 00 00 00 00 90 80 3d 11 fd 0c 00 00 74 17 b8 2e 00 00
00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28
89 54
[  326.362043] RSP: 002b:00007ffdfb377988 EFLAGS: 00000202 ORIG_RAX:
000000000000002e
[  326.362142] RAX: ffffffffffffffda RBX: 00007ffdfb388b80 RCX: 00007f5de7a0e8d0
[  326.362243] RDX: 0000000000000000 RSI: 00007ffdfb388a30 RDI: 0000000000000003
[  326.362346] RBP: 00007ffdfb388b30 R08: 00007ffdfb377964 R09: 000055c25b501a30
[  326.362448] R10: 00007f5de7bf5f00 R11: 0000000000000202 R12: 000055c25b4ffb50
[  326.362551] R13: 0000000000000400 R14: 00007ffdfb3779a0 R15: 0000000000000001
[  326.362656]  </TASK>
[  326.362758] Modules linked in: nf_log_syslog nft_log nf_tables
libcrc32c nfnetlink intel_rapl_msr intel_rapl_common intel_pmc_core
ghash_clmulni_intel sha512_ssse3 sha512_generic aesni_intel
vsock_loopback vmw_vsock_virtio_transport_common crypto_simd cryptd
rapl vmw_vsock_vmci_transport vmwgfx vmw_balloon vsock drm_ttm_helper
ttm pcspkr drm_kms_helper vmw_vmci button ac evdev joydev serio_raw sg
loop dm_mod fuse drm efi_pstore configfs ip_tables x_tables autofs4
ext4 crc16 mbcache jbd2 crc32c_generic sd_mod t10_pi crc64_rocksoft
crc64 crc_t10dif crct10dif_generic sr_mod cdrom ata_generic
crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel ata_piix
mptspi mptscsih psmouse mptbase scsi_transport_spi libata scsi_mod
e1000 i2c_piix4 scsi_common
[  326.363764] ---[ end trace 0000000000000000 ]---
[  326.363879] RIP: 0010:__list_add_valid.cold+0x3a/0x5b
[  326.363981] Code: f2 48 89 c1 48 89 fe 48 c7 c7 b0 8e 35 af e8 de
a6 fe ff 0f 0b 48 89 d1 48 89 c6 4c 89 c2 48 c7 c7 58 8e 35 af e8 c7
a6 fe ff <0f> 0b 48 89 c1 48 c7 c7 00 8e 35 af e8 b6 a6 fe ff 0f 0b 48
c7 c7
[  326.364281] RSP: 0018:ffffa92b42f777e8 EFLAGS: 00010246
[  326.364384] RAX: 0000000000000075 RBX: ffff9c0cc123b800 RCX: 0000000000000000
[  326.364489] RDX: 0000000000000000 RSI: ffffffffaf34105e RDI: 00000000ffffffff
[  326.364594] RBP: ffff9c0ceb48d9c0 R08: 0000000000000000 R09: ffffa92b42f77680
[  326.364700] R10: 0000000000000003 R11: ffff9c0d3ffc3de8 R12: ffff9c0ceb48d9c0
[  326.364807] R13: ffff9c0cc123b810 R14: ffffa92b42f778b8 R15: ffff9c0cc6e60000
[  326.364961] FS:  00007f5de77c7740(0000) GS:ffff9c0d3be00000(0000)
knlGS:0000000000000000
[  326.365071] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  326.365180] CR2: 00007fba0ab3cb20 CR3: 000000002adc6000 CR4: 0000000000350ef0
-----

Best Regards,

-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  libc6         2.36-9
ii  libedit2      3.1-20221030-2
ii  libnftables1  1.0.6-2

Versions of packages nftables recommends:
ii  netbase  6.4

Versions of packages nftables suggests:
pn  firewalld  <none>

-- no debconf information

More information about the pkg-netfilter-team mailing list