bugzilla-daemon at netfilter.org
2017-Dec-25 18:27 UTC
[Bug 1206] New: segfault when snat map rule has been added
https://bugzilla.netfilter.org/show_bug.cgi?id=1206
Bug ID: 1206
Summary: segfault when snat map rule has been added
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: cho at solveit.dk
System information:
System is running on quemu/KVM
Ubuntu 16.04
root at fwr01:~# uname -a
Linux fwr01 4.10.0-42-generic #46~16.04.1-Ubuntu SMP Mon Dec 4 15:57:59 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux
root at fwr01:~# nft -v
nftables v0.5 (Support Edward Snowden)
What happens:
The ruleset is able to load the first time, after that nft segfaults when
doing "nft -f /etc/nftables.conf"
This only happens, when this line is in the ruleset "snat ip saddr map
{
10.0.0.5 : 192.168.200.6, 10.0.0.0/24 : 192.168.200.7 }"
If a ruleset with the above mentioned line has been loaded then calls after
that will segfault ex. "nft -f /etc/nftables.conf" or "nft list
ruleset" will
segfault.
gdb backtrace:
Starting program: /usr/sbin/nft -f /etc/nftables.conf
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 1 (process 876) exited normally]
(gdb) bt
No stack.
(gdb) r -f /etc/nftables.conf
Starting program: /usr/sbin/nft -f /etc/nftables.conf
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7502c34 in __gmpz_sub () from
/usr/lib/x86_64-linux-gnu/libgmp.so.10
(gdb) bt
#0 0x00007ffff7502c34 in __gmpz_sub () from
/usr/lib/x86_64-linux-gnu/libgmp.so.10
#1 0x000000000041a80e in ?? ()
#2 0x000000000041500c in ?? ()
#3 0x00000000004076fe in ?? ()
#4 0x000000000040fb2a in ?? ()
#5 0x0000000000427ba5 in ?? ()
#6 0x000000000040652d in ?? ()
#7 0x000000000040614f in ?? ()
#8 0x00007ffff7137830 in __libc_start_main (main=0x405e60, argc=3,
argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe658)
at ../csu/libc-start.c:291
#9 0x0000000000406429 in ?? ()
Rulesets:
/etc/nftables.conf:
flush ruleset
include "/etc/nftables/setups/peter_client.nft"
table inet filter {
chain default {
ct state established,related accept
ct state invalid drop
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
udp dport 53 accept
}
chain input {
type filter hook input priority 0; policy drop;
# accept any localhost traffic
iif lo accept
# Run default setup
jump default
# activate the following line to accept common local services
tcp dport { 22, 80, 443 } ct state new accept
}
chain output {
type filter hook output priority 0; policy drop;
jump default
}
chain forward {
type filter hook forward priority 0; policy drop;
jump default
# Run forward chain from peter_client
jump peter_client_forward
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority 0;
jump peter_client_prerouting
}
chain postrouting {
type nat hook postrouting priority 100;
jump peter_client_postrouting
}
}
/etc/nftables/setups/peter_client.nft:
# Setup NIC
define peter_client_out_nic = ens8
# Define range(s)
define peter_client_int_range = 10.0.0.0/24
# Define machines
define peter_client_int_server01 = 10.0.0.5
# Define external addresses
define peter_client_ext_addr01 = 192.168.200.6
define peter_client_ext_addr02 = 192.168.200.7
table inet filter {
chain peter_client_in {
tcp dport http accept
ip saddr 192.168.2.46 tcp dport ssh accept
}
chain peter_client_out {
tcp dport {http, https} ct state new accept
}
chain peter_client_forward {
ip saddr $peter_client_int_range jump peter_client_out
ip daddr $peter_client_int_range jump peter_client_in
}
}
table ip nat {
chain peter_client_prerouting {
dnat ip daddr map { $peter_client_ext_addr01 :
$peter_client_int_server01 }
}
chain peter_client_postrouting {
snat ip saddr map { 10.0.0.5 : 192.168.200.7, 10.0.0.0/24 :
192.168.200.6 }
}
}
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20171225/a99e1b9e/attachment.html>
bugzilla-daemon at netfilter.org
2017-Dec-25 18:27 UTC
[Bug 1206] segfault when snat map rule has been added
https://bugzilla.netfilter.org/show_bug.cgi?id=1206
Christian Hoffbeck <cho at solveit.dk> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cho at solveit.dk
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20171225/5d03fa8b/attachment.html>
bugzilla-daemon at netfilter.org
2017-Dec-26 15:23 UTC
[Bug 1206] segfault when snat map rule has been added
https://bugzilla.netfilter.org/show_bug.cgi?id=1206
Christian Hoffbeck <cho at solveit.dk> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #1 from Christian Hoffbeck <cho at solveit.dk> ---
Issue has been resolved by update to version nft 0.7
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20171226/11322fdd/attachment.html>