bugzilla-daemon at netfilter.org
2023-Jul-06 20:21 UTC
[Bug 1692] New: CentOS 7 kernel up to 3.10.0-1160.92.1.el7.x86_64 - nftables hangs the system on set flush
https://bugzilla.netfilter.org/show_bug.cgi?id=1692
Bug ID: 1692
Summary: CentOS 7 kernel up to 3.10.0-1160.92.1.el7.x86_64 -
nftables hangs the system on set flush
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: blocker
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: ivan.agarkov at gmail.com
Created attachment 719
--> https://bugzilla.netfilter.org/attachment.cgi?id=719&action=edit
nftables config
Environment
- CentOS 7 kernel 3.10.0-1160.92.1.el7.x86_64 ( also tested 2 kernels back )
- Both HW & VM
Steps to reproduce:
1. Apply attached nftables config
2. Run (as root):
    while true; do sudo nft add element ip test allow { 127.0.0.2 }; sudo nft flush set ip test allow; echo -n .; done
3. Wait
Expected behavior:
- It works
Experienced behavior:
- After a few cycles the system hangs and I need to press reboot to make it work
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2023-Jul-07 09:28 UTC
[Bug 1692] CentOS 7 kernel up to 3.10.0-1160.92.1.el7.x86_64 - nftables hangs the system on set flush
https://bugzilla.netfilter.org/show_bug.cgi?id=1692
Phil Sutter <phil at nwl.cc> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |phil at nwl.cc
--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
Ivan,
A few remarks from my side:
1. Unless you can reproduce this with a vanilla kernel (from Linus or stable),
this is a downstream issue and should be reported to whoever maintains the
CentOS7 kernel (I guess nobody?).
2. You're running sudo as root?
3. If 127.0.0.2 is actively used, you may block yourself by accident. Did you
try the same with an IP address from a certainly unused network?
Cheers, Phil
bugzilla-daemon at netfilter.org
2023-Jul-14 11:58 UTC
[Bug 1692] CentOS 7 kernel up to 3.10.0-1160.92.1.el7.x86_64 - nftables hangs the system on set flush
https://bugzilla.netfilter.org/show_bug.cgi?id=1692
--- Comment #2 from Ivan Agarkov <ivan.agarkov at gmail.com> ---
1. Yep, I'll double this bug to CentOS as well.
2. This doesn't matter, I just copied it from another console to not show
production server addresses.
3. Same for 127.0.0.2, no, I won't block myself.
The idea behind this bug is quite simple: flushing an nftables set makes the
kernel hang. If there is no set in the rules, the bug is not triggered.
bugzilla-daemon at netfilter.org
2023-Sep-13 12:10 UTC
[Bug 1692] CentOS 7 kernel up to 3.10.0-1160.92.1.el7.x86_64 - nftables hangs the system on set flush
https://bugzilla.netfilter.org/show_bug.cgi?id=1692
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |fw at strlen.de
bugzilla-daemon at netfilter.org
2024-Sep-10 22:08 UTC
[Bug 1692] CentOS 7 kernel up to 3.10.0-1160.92.1.el7.x86_64 - nftables hangs the system on set flush
https://bugzilla.netfilter.org/show_bug.cgi?id=1692
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |INVALID