netfilter buglog - Jul 2023 - [Bug 1692] New: CentOS 7 kernel up to 3.10.0-1160.92.1.el7.x86_64 - nftables hangs the system on set flush

https://bugzilla.netfilter.org/show_bug.cgi?id=1692

            Bug ID: 1692
           Summary: CentOS 7 kernel up to 3.10.0-1160.92.1.el7.x86_64 -
                    nftables hangs the system on set flush
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: other
            Status: NEW
          Severity: blocker
          Priority: P5
         Component: kernel
          Assignee: pablo at netfilter.org
          Reporter: ivan.agarkov at gmail.com

Created attachment 719
  --> https://bugzilla.netfilter.org/attachment.cgi?id=719&action=edit
nftables config

Environment
- CentOS 7 kernel 3.10.0-1160.92.1.el7.x86_64 ( also tested 2 kernels back )
- Both HW & VM

Steps to reproduce:
1. Apply attached nftables config
2. Run ( as root )
while true; do sudo nft add element ip test allow { 127.0.0.2 }; sudo nft flush
set ip test allow; echo -n .; done
3. Wait

Expected behavior:
- It works

Experienced behavior:
- After a few cycles the system hangs and I need to press reboot make it work

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230706/1fc9a15d/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1692

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at nwl.cc

--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
Ivan,

A few remarks from my side:

1. Unless you can reproduce this with a vanilla kernel (from Linus or stable),
this is a downstream issue and should be reported to whoever maintains the
CentOS7 kernel (I guess nobody?).

2. You're running sudo as root?

3. If 127.0.0.2 is actively used, you may block yourself by accident. Did you
try the same with an IP address from a certainly unused network?

Cheers, Phil

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230707/01ea0351/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1692

--- Comment #2 from Ivan Agarkov <ivan.agarkov at gmail.com> ---
1. Yep, I'll double this bug to CentOS as well.
2. This doesn't matter, I just copied it from another console to not show
production server addresses
3. Same for 127.0.0.2, no, I won't block myself.

The idea behind this bug is quite simple: flushing nftables set makes kernel
hang out.
If there're no set in the rules - the bug is not triggered.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230714/64216179/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1692

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |fw at strlen.de

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230913/bdac5b69/attachment.html>