bugzilla-daemon at netfilter.org
2018-Oct-16 21:47 UTC
[Bug 1282] New: SIGSEGV on loading tables
https://bugzilla.netfilter.org/show_bug.cgi?id=1282

            Bug ID: 1282
           Summary: SIGSEGV on loading tables
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Ubuntu
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: pawel.krawczyk at hush.com

Created attachment 549
  --> https://bugzilla.netfilter.org/attachment.cgi?id=549&action=edit
strace with kernel response

The following configuration crashes nftables. I run "nft -e -f main.conf" and
nft crashes, apparently on response from kernel (strace attached). When I run
without -e option it just silently fails.

#!/usr/sbin/nft -f

add table inet main

add set inet main tcp_public { type inet_service; }
add set inet main udp_public { type inet_service; }
add set inet main udp_trusted { type inet_service; }
add set inet main tcp_trusted { type inet_service; }
add set inet main blacklist { type ipv4_addr; flags interval; }
add set inet main ossec4 { type ipv4_addr; }
add set inet main ossec6 { type ipv6_addr; }
add set inet main trusted6 { type ipv6_addr; flags interval; }
add set inet main trusted4 { type ipv4_addr; }

add element inet main tcp_public { ssh }
add element inet main udp_trusted { ntp }

# otto delegated_ipv6
add element inet main trusted6 { 2a01:4f8:13b:29a3::/64 }
# asus delegated_ipv6
add element inet main trusted6 { 2a02:390:79ef::/48 }
# worker delegated_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:6d6c::/64 }
# worker2 delegated_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:76dd::/64 }
# nadia ansible_default_ipv6
add element inet main trusted6 { 2607:fcd0:0:33:1234:1234:1201:f7 }
# tyler delegated_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:7d3::/64 }
# ubuntu ansible_default_ipv6
add element inet main trusted6 { 2a01:4f8:1c1c:45c1::1 }

add element inet main trusted4 { 94.130.162.156 }
add element inet main trusted4 { 91.135.7.108 }
add element inet main trusted4 { 159.69.148.50 }
add element inet main trusted4 { 159.69.156.79 }
add element inet main trusted4 { 98.143.148.171 }
add element inet main trusted4 { 159.69.33.57 }
add element inet main trusted4 { 159.69.146.174 }

chain inet main input {
    type filter hook input priority 50; policy drop

    iifname lo accept

    ip6 saddr @ossec6 ct state new counter log prefix "OSSEC6 " drop
    ip saddr @ossec4 ct state new counter log prefix "OSSEC4 " drop
    ip saddr @blacklist tcp dport ssh ct state new counter log prefix "BLACKLIST " drop

    tcp dport @tcp_public ct state new counter accept
    udp dport @udp_public ct state new counter accept

    ct state established,related counter accept

    ip protocol icmp counter accept
    ip6 nexthdr ipv6-icmp accept

    ip saddr @trusted4 ip protocol esp ct state new counter accept
    ip saddr @trusted4 tcp dport @tcp_trusted ct state new counter accept
    ip saddr @trusted4 udp dport @udp_trusted ct state new counter accept

    ip6 saddr @trusted6 ip6 nexthdr esp counter accept
    ip6 saddr @trusted6 tcp dport @tcp_trusted ct state new counter accept
    ip6 saddr @trusted6 udp dport @udp_trusted ct state new counter accept
}

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20181016/0bbb95f3/attachment.html>
bugzilla-daemon at netfilter.org
2018-Oct-16 21:48 UTC
[Bug 1282] SIGSEGV on loading tables
https://bugzilla.netfilter.org/show_bug.cgi?id=1282

pawel.krawczyk at hush.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pawel.krawczyk at hush.com
bugzilla-daemon at netfilter.org
2018-Oct-16 22:13 UTC
[Bug 1282] SIGSEGV on loading tables
https://bugzilla.netfilter.org/show_bug.cgi?id=1282

--- Comment #1 from pawel.krawczyk at hush.com ---

It's interesting that it fails in a way that leaves an empty chain:

chain inet main input {
    type filter hook input priority 50; policy drop
}

Which is how I first experienced the bug, being cut off from the server.

When the chain {} block is converted to a series of "add rule" statements, it
all works as expected.
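Comment #1 reports that the same ruleset loads once the chain {} block is rewritten as a series of "add rule" statements. The script below, added here as an illustration and not part of the bug report or of nftables itself, performs that rewrite mechanically on a ruleset file with one rule per line; the sample input is constructed, modelled on an abbreviated form of the reported main.conf.

```python
import re

# Constructed sample input, modelled on (and abbreviated from) the ruleset in
# the bug report; one rule per line, as in the reporter's actual main.conf.
SAMPLE = """\
add table inet main
add set inet main tcp_public { type inet_service; }
add element inet main tcp_public { ssh }
chain inet main input {
    type filter hook input priority 50; policy drop
    iifname lo accept
    # comment lines inside the block are dropped
    tcp dport @tcp_public ct state new counter accept
    ct state established,related counter accept
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s+(\S+)\s+(\S+)\s*\{\s*$")


def expand_chain_blocks(text):
    """Replace each 'chain family table name { ... }' block with 'add chain ...'
    plus one 'add rule' statement per rule; other lines pass through unchanged."""
    lines, out, i = text.splitlines(), [], 0
    while i < len(lines):
        m = CHAIN_RE.match(lines[i])
        if not m:
            out.append(lines[i])
            i += 1
            continue
        ident = " ".join(m.groups())          # e.g. "inet main input"
        spec, rules = [], []
        i += 1
        while i < len(lines) and lines[i].strip() != "}":
            # naive '#' stripping; a '#' inside a quoted log prefix would be cut
            line = lines[i].split("#", 1)[0].strip()
            i += 1
            if not line:
                continue
            if line.startswith(("type ", "policy ")):
                # hook, priority and policy describe the chain itself, not a rule
                spec.extend(s.strip() for s in line.split(";") if s.strip())
            else:
                rules.append(line)
        if i == len(lines):
            raise ValueError(f"unterminated chain block: {ident}")
        i += 1                                # skip the closing brace
        out.append(f"add chain {ident} {{ {'; '.join(spec)}; }}")
        out.extend(f"add rule {ident} {r}" for r in rules)
    return "\n".join(out) + "\n"
```

Running `expand_chain_blocks(SAMPLE)` yields the "add chain ... { type filter hook input priority 50; policy drop; }" line followed by one "add rule inet main input ..." line per rule, which is the form Comment #1 says loads correctly on the affected version.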
bugzilla-daemon at netfilter.org
2018-Oct-17 09:24 UTC
[Bug 1282] SIGSEGV on loading tables
https://bugzilla.netfilter.org/show_bug.cgi?id=1282

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---

I cannot reproduce this with nft snapshot from git.netfilter.org. Works fine
here.

What nft version are you using?

Thanks for reporting!
bugzilla-daemon at netfilter.org
2018-Oct-17 20:53 UTC
[Bug 1282] SIGSEGV on loading tables
https://bugzilla.netfilter.org/show_bug.cgi?id=1282

--- Comment #3 from pawel.krawczyk at hush.com ---

# nft --version
nftables v0.8 (Joe Btfsplk)

Default version in CentOS 7. It generally behaves in a weird way, for example
it can process a file using "nft -f main.conf" without any errors, but then
"nft list ruleset" shows an empty ruleset, like it did not load anything at all.
On the other hand it works when doing "nft -i <main.conf".
bugzilla-daemon at netfilter.org
2018-Oct-18 11:35 UTC
[Bug 1282] SIGSEGV on loading tables
https://bugzilla.netfilter.org/show_bug.cgi?id=1282

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---

Please upgrade, that is a very old version, latest is 0.9.0 and we'll likely
have a new release soon.

Are you using standard CentOS kernel? I'm afraid that is old too.
bugzilla-daemon at netfilter.org
2018-Oct-18 11:38 UTC
[Bug 1282] SIGSEGV on loading tables
https://bugzilla.netfilter.org/show_bug.cgi?id=1282

--- Comment #5 from pawel.krawczyk at hush.com ---

Hi Pablo, this is vanilla CentOS 7 package and kernel and I agree it's very
old. I don't run CentOS, I just wanted to give it a try on a RPM-based system.

Just FYI the vanilla nftables in latest Fedora and Ubuntu work just great.
bugzilla-daemon at netfilter.org
2019-Jul-12 10:46 UTC
[Bug 1282] SIGSEGV on loading tables
https://bugzilla.netfilter.org/show_bug.cgi?id=1282

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
                 CC|                            |fw at strlen.de
         Resolution|---                         |WORKSFORME

--- Comment #6 from Florian Westphal <fw at strlen.de> ---

seems current versions are fine, so closing this one.