bugzilla-daemon at netfilter.org
2020-Oct-14 14:35 UTC
[Bug 1476] New: xtables-monitor --trace segfaults running inside a container
https://bugzilla.netfilter.org/show_bug.cgi?id=1476 Bug ID: 1476 Summary: xtables-monitor --trace segfaults running inside a container Product: bugzilla Version: other Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: netfilter bugzilla Assignee: netfilter-buglog at lists.netfilter.org Reporter: antonio.ojea.garcia at gmail.com Created attachment 610 --> https://bugzilla.netfilter.org/attachment.cgi?id=610&action=edit xtrace-monitor coredump Server: CentOS Linux release 8.2.2004 (Core) iptables v1.8.4 (nf_tables) docker-ce-19.03.13-3.el7.x86_64 docker-ce-cli-19.03.13-3.el7.x86_64 kind v0.9.0 https://github.com/kubernetes-sigs/kind I'm running Kubernetes inside containers with KIND, this has several layers of "virtualization". Docker install iptables rules in the host and the container, and kubernetes install rules inside the containers only. I've updated the system recently, and I don't remember if it was using always nf_tables, but, if I dump the rules in the host and in the container, it always have the # Warning: iptables-legacy tables present, use iptables-legacy-save to see them However, the host does not have iptables-legacy-save iptables-libs-1.8.4-10.el8_2.1.x86_64 iptables-ebtables-1.8.4-10.el8_2.1.x86_64 iptables-1.8.4-10.el8_2.1.x86_64 I've tried to debug some iptables problems inside the container, enabling the corresponding modules: modprobe -v ipt_LOG modprobe -v nf_log_ipv4 ,setting the sysctl parameters: sysctl net.netfilter.nf_log.2=nf_log_ipv4 net.netfilter.nf_log_all_netns=1 and adding the corresponding rules: iptables-nft -L -t raw Chain PREROUTING (policy ACCEPT) target prot opt source destination TRACE udp -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination TRACE udp -- anywhere anywhere # Warning: iptables-legacy tables present, use iptables-legacy to see them I ran this in another system to double check, and it was using Fedora 32 that uses iptables-legacy and it worked, but for this system seems I have to use xtables-monitor --trace (Thanks to Florian Westphal for the clarification) When I run xtables-monitor --trace inside the container, after one packets hit the rules it segfaults. The kernel logs show traces and the segfault 12658.438467] xtables-monitor[184521]: segfault at 98 ip 0000560c19b67046 sp 00007ffd4f203e40 error 4 in xtables-nft-multi[560c19b5d000+1e000] [12658.438473] Code: 8d 7c 24 10 e8 cb 79 ff ff 48 8d 7c 24 10 4c 89 fa 4c 89 e6 48 89 44 24 08 b9 24 00 00 00 31 c0 4c 8b 75 58 f3 48 ab 48 89 ef <41> ff 96 98 00 00 00 41 f7 c5 02 04 00 00 75 0e 49 8b 46 68 48 85 [16522.113016] TRACE: nat:PREROUTING:policy:1 IN=veth6f7f5ae7 OUTMAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=10.96.242.56 LEN=37 TOS=0x00 PREC=0x00 TTL=64 ID=28360 DF PROTO=UDP SPT=53378 DPT=80 LEN=17 [16522.113038] TRACE: filter:FORWARD:policy:1 IN=veth6f7f5ae7 OUT=eth0 MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=172.19.0.4 LEN=37 TOS=0x00 PREC=0x00 TTL=63 ID=28360 DF PROTO=UDP SPT=53378 DPT=8080 LEN=17 [16522.113053] TRACE: nat:POSTROUTING:policy:1 IN=veth6f7f5ae7 OUT=eth0 MAC=0a:46:a2:15:8d:af:3e:78:00:c7:5d:f8:08:00 SRC=10.244.2.2 DST=172.19.0.4 LEN=37 TOS=0x00 PREC=0x00 TTL=63 ID=28360 DF PROTO=UDP SPT=53378 DPT=8080 LEN=17 [16522.113098] xtables-monitor[233587]: segfault at 98 ip 000055a8dd8a3046 sp 00007fff8685bba0 error 4 in xtables-nft-multi[55a8dd899000+1e000] [16522.113103] Code: 8d 7c 24 10 e8 cb 79 ff ff 48 8d 7c 24 10 4c 89 fa 4c 89 e6 48 89 44 24 08 b9 24 00 00 00 31 c0 4c 8b 75 58 f3 48 ab 48 89 ef <41> ff 96 98 00 00 00 41 f7 c5 02 04 00 00 75 0e 49 8b 46 68 48 85 [16522.113185] TRACE: filter:FORWARD:policy:1 IN=eth0 OUT=veth6f7f5ae7 MAC=02:42:ac:13:00:02:02:42:ac:13:00:04:08:00 SRC=172.19.0.4 DST=10.244.2.2 LEN=39 TOS=0x00 PREC=0x00 TTL=63 ID=17515 DF PROTO=UDP SPT=8080 DPT=53378 LEN=19 I think that his is somehow related to a similar bug I've opened some months ago, this time in Ubuntu https://bugzilla.netfilter.org/show_bug.cgi?id=1435 -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20201014/39c8b7d5/attachment.html>
Possibly Parallel Threads
- [Bug 1476] xtables-monitor --trace segfaults running inside a container
- [announce] Xtables-addons 1.5.4
- [Bug 989] New: Deprecated function gethostbyaddr used in xtables
- [Bug 1108] New: Need a new release to build nftables --with-xtables
- Centos 6.9 Ipset broken after installing xtables-addon