netfilter buglog - Feb 2020 - [Bug 1407] New: Segfault with iptables-nft-restore when flush rules included

https://bugzilla.netfilter.org/show_bug.cgi?id=1407

            Bug ID: 1407
           Summary: Segfault with iptables-nft-restore when flush rules
                    included
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables over nftable
          Assignee: pablo at netfilter.org
          Reporter: alb.molina at gmail.com

Forwarded from Debian https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950535

A user reported a segfault with the next ruleset using iptables-nft-restore:

*nat
-F PREROUTING
-A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-ports 1194
-F PREROUTING
-F POSTROUTING
COMMIT

I wonder with the inclusion of '-F' rules, but after some tests I can
confirm
the segfault with iptables-nft-restore in several iptables releases (1.8.2,
1.8.3 and 1.8.4) while iptables-legacy-restore executes it without a segfault.

The user reported the ruleset was obtained from ufw [1], but according to a
conversation with ufw's creator, this program doesn't include any
'-F' rules in
the nat table, so it seems a customization and accidental inclusion of those
rules.

In any case, I considered that this behaviour should be reported upstream.

Regards,

Alberto

[1] https://launchpad.net/ufw

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200216/3ea14ff8/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1407

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |phil at nwl.cc

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Still broken in git.

IIRC, I posted a patchset that fixes.

Cc'ing Phil.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200415/3f7b46d8/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1407

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Phil Sutter <phil at nwl.cc> ---
Fixed in commit 5bd3ab5c77803 ("nft: Fix for '-F' in iptables
dumps"), will go
in 1.8.5 release.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200529/e3749b1d/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1407

--- Comment #3 from Alberto Molina Coballes <alb.molina at gmail.com> ---
Thanks Phil,

I'm updating the original bug in Debian with this info.

Regards,

Alberto

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200531/d70740f1/attachment-0001.html>