View Issue Details

ID: 0017023
Project: CentOS-8
Category: -OTHER
View Status: public
Last Update: 2020-03-06 19:14
Reporter: trevor.vaughan
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.1.1911
Target Version:
Fixed in Version:
Summary: 0017023: nft segfaults on ipset with two networks
Description: When configuring nftables via firewalld, a segfault is produced when providing an ipset with two hash:net networks as a source. Once this occurs, the system locks out all new external communication including SSH connectivity.

Steps To Reproduce: The following test script can be used to reproduce the issue and view the results:

```
#!/bin/bash -x
# Reproducer from the report, with comments added. Run as root on a
# throwaway host: the final restart can lock out new SSH sessions.

# Start from an empty permanent configuration (uses bash brace expansion).
rm -rf /etc/firewalld/{zones,services,ipsets}/*
systemctl restart firewalld
firewall-cmd --list-all

ipset_name='test'
service_name='nfs_udp_ports'

# A hash:net ipset with two networks, as in the summary.
firewall-cmd --permanent --new-ipset="${ipset_name}" --type=hash:net --family=inet
firewall-cmd --permanent --ipset="${ipset_name}" --add-entry=1.2.3.0/24
firewall-cmd --permanent --ipset="${ipset_name}" --add-entry=2.3.0.0/16

# A service with three UDP ports, and a rich rule accepting it from the ipset.
firewall-cmd --permanent --new-service="${service_name}"
firewall-cmd --permanent --service="${service_name}" --add-port=1111/udp --add-port=2049/udp --add-port=875/udp
firewall-cmd --permanent --add-rich-rule="rule source ipset='${ipset_name}' service name='${service_name}' family='ipv4' accept" --zone public
firewall-cmd --permanent --list-all

# The restart loads the permanent config; nft segfaults here (see the journal below).
systemctl restart firewalld
journalctl -f
```
Additional Information:
Kernel: kernel-4.18.0-147.3.1.el8_1.x86_64
Nftables: nftables-0.9.0-14.el8.x86_64

Journal message:

Feb 07 21:52:56 centos8.test.net systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 07 21:52:57 centos8.test.net systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 07 21:52:58 centos8.test.net kernel: nft[2550]: segfault at 2b058 ip 00007f0e0aa5e978 sp 00007fff67393738 error 4 in libgmp.so.10.3.2[7f0e0aa43000+96000]
Feb 07 21:52:58 centos8.test.net kernel: Code: c1 48 29 c1 48 89 c8 75 44 4c 89 c2 48 8b 7f 08 48 8b 76 08 48 c1 fa 3f 48 89 d0 4c 31 c0 48 29 d0 eb 14 0f 1f 80 00 00 00 00 <48> 8b 14 c7 48 8b 0c c6 48 39 ca 75 1b 48 83 e8 01 48 83 f8 f>
Feb 07 21:52:58 centos8.test.net systemd[1]: Started Process Core Dump (PID 2551/UID 0).
Feb 07 21:52:58 centos8.test.net systemd-coredump[2552]: Resource limits disable core dumping for process 2550 (nft).
Feb 07 21:52:58 centos8.test.net systemd-coredump[2552]: Process 2550 (nft) of user 0 dumped core.
Feb 07 21:52:58 centos8.test.net firewalld[2416]: ERROR: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @test udp dport 1111 ct state new,untracked accept' failed:
Feb 07 21:52:59 centos8.test.net firewalld[2416]: ERROR: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @test udp dport 1111 ct state new,untracked accept' failed:
Feb 07 21:52:59 centos8.test.net firewalld[2416]: ERROR: COMMAND_FAILED: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @test udp dport 1111 ct state new,untracked accept' failed:
Feb 07 21:52:59 centos8.test.net firewalld[2416]: ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
                                                  insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public
                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 07 21:52:59 centos8.test.net firewalld[2416]: ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
                                                  insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public
                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 07 21:52:59 centos8.test.net firewalld[2416]: ERROR: COMMAND_FAILED: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
                                                  insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public
                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 07 21:52:59 centos8.test.net NetworkManager[1070]: <warn> [1581112379.2335] firewall: [0x560864533f20,change:"eth0"]: complete: request failed (COMMAND_FAILED: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname >
                                                       insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public
                                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                       )
Tags: crash, firewalld, nftables
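Added note (not part of the report, and not firewalld or nftables code): the journal above also shows why the crash locks the host out. firewalld drives /usr/sbin/nft in stages; after nft segfaults on the rule that references the set, the per-interface zone dispatch rules (`iifname "eth0" goto raw_PRE_public`) fail with "No such file or directory" because the chains they point at were never created, so new connections never reach the zone's allow rules while already established sessions keep working. The script below is an example written for this page: it applies a permanent firewalld change behind an armed rollback timer, then checks the journal and the live ruleset for this report's failure signatures before disarming the timer. The 120 s window, the backup directory under /root, the eth0/public pair and the `filter_IN_<zone>` chain name are assumptions (only `raw_PRE_<zone>` and `filter_IN_public_allow` appear in the log); the sample journal and ruleset text embedded in it are constructed for the offline self-check.

```bash
#!/bin/bash
# Example added for this page; not the reporter's script and not part of
# firewalld or nftables. Applies a permanent firewalld change behind a
# rollback timer and checks for the failure signatures shown in the report.
# Assumed (hypothetical) values: config in /etc/firewalld, backups under
# /root, a 120 s rollback window, interface eth0 in zone public.

# Exit 0 when journal text on stdin carries either signature from the report:
# the kernel's nft segfault line or a firewalld COMMAND_FAILED error.
detect_nft_failure() {
    grep -E -q \
        -e 'kernel: nft\[[0-9]+\]: segfault at ' \
        -e 'firewalld\[[0-9]+\]: ERROR: COMMAND_FAILED'
}

# Exit 0 when `nft list ruleset` text on stdin still dispatches interface $1
# into zone $2. raw_PRE_<zone> is the chain named in the report's log;
# filter_IN_<zone> is assumed from the filter_IN_public_allow chain there.
# Without these rules, new connections never reach the zone's allow rules.
zone_dispatch_ok() {
    local iface="$1" zone="$2" text chain
    text=$(cat)
    for chain in raw_PRE filter_IN; do
        printf '%s\n' "$text" |
            grep -E -q "iifname \"${iface}\" goto ${chain}_${zone}[[:space:]]*$" || return 1
    done
}

# Apply the current permanent config with a rollback timer (run as root):
#   safe_apply 120 eth0 public
# If nft crashes or the dispatch rules are missing, the timer is left armed;
# when it fires it restores the saved config and restarts firewalld, which
# brings SSH back for new sessions.
safe_apply() {
    local window="${1:-120}" iface="${2:-eth0}" zone="${3:-public}"
    local backup unit start
    backup=$(mktemp -d /root/firewalld-backup.XXXXXX)
    cp -a /etc/firewalld/. "$backup"/
    unit="fw-rollback-$$"
    systemd-run --unit="$unit" --on-active="$window" /bin/sh -c \
        "rm -rf /etc/firewalld/zones /etc/firewalld/services /etc/firewalld/ipsets &&
         cp -a '$backup'/. /etc/firewalld/ && systemctl restart firewalld"
    start=$(date '+%Y-%m-%d %H:%M:%S')
    firewall-cmd --reload || true   # keep going: the checks below decide
    sleep 2                         # let the journal catch up
    if journalctl --since "$start" | detect_nft_failure; then
        echo "nft failure in journal; rollback timer ${unit} left armed" >&2
        return 1
    fi
    if ! nft list ruleset | zone_dispatch_ok "$iface" "$zone"; then
        echo "zone dispatch for ${iface}/${zone} missing; rollback armed" >&2
        return 1
    fi
    systemctl stop "${unit}.timer"   # verified: disarm the rollback
    rm -rf "$backup"
}

# Constructed samples (trimmed from the report's log and a plausible
# firewalld ruleset) so the two checks can be exercised offline.
SAMPLE_BAD_JOURNAL='Feb 07 21:52:58 centos8.test.net kernel: nft[2550]: segfault at 2b058 ip 00007f0e0aa5e978 sp 00007fff67393738 error 4 in libgmp.so.10.3.2[7f0e0aa43000+96000]
Feb 07 21:52:59 centos8.test.net firewalld[2416]: ERROR: COMMAND_FAILED: /usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @test udp dport 1111 ct state new,untracked accept failed:'
SAMPLE_OK_JOURNAL='Feb 07 21:52:57 centos8.test.net systemd[1]: Started firewalld - dynamic firewall daemon.'
SAMPLE_OK_RULESET='table inet firewalld {
    chain raw_PREROUTING_ZONES {
        iifname "eth0" goto raw_PRE_public
    }
    chain filter_INPUT_ZONES {
        iifname "eth0" goto filter_IN_public
    }
}'
# What is left after the crash: the dispatch chains exist but stayed empty.
SAMPLE_BAD_RULESET='table inet firewalld {
    chain raw_PREROUTING_ZONES {
    }
    chain filter_INPUT_ZONES {
    }
}'

# Exit 0 when both checks classify all four samples correctly.
self_check() {
    printf '%s\n' "$SAMPLE_BAD_JOURNAL" | detect_nft_failure || return 1
    printf '%s\n' "$SAMPLE_OK_JOURNAL" | detect_nft_failure && return 1
    printf '%s\n' "$SAMPLE_OK_RULESET" | zone_dispatch_ok eth0 public || return 1
    printf '%s\n' "$SAMPLE_BAD_RULESET" | zone_dispatch_ok eth0 public && return 1
    return 0
}

case "${1:-}" in
    --apply) safe_apply "${2:-120}" "${3:-eth0}" "${4:-public}" ;;
    --self-check) self_check && echo "checks OK" ;;
esac
```

Run `--self-check` first on any host; `--apply` needs root, firewalld and systemd-run. The rollback restarts firewalld rather than reloading it so that a wedged partial ruleset is flushed and rebuilt from the restored files.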

Activities

vladm, 2020-03-06 19:13 (reporter), note ~0036474:
https://bugzilla.redhat.com/show_bug.cgi?id=1802056

vladm, 2020-03-06 19:14 (reporter), note ~0036475:
also reported here earlier
https://bugs.centos.org/view.php?id=16518

Issue History

Date Modified Username Field Change
2020-02-07 22:00 trevor.vaughan New Issue
2020-02-07 22:00 trevor.vaughan Tag Attached: crash
2020-02-07 22:00 trevor.vaughan Tag Attached: firewalld
2020-02-07 22:00 trevor.vaughan Tag Attached: nftables
2020-03-06 19:13 vladm Note Added: 0036474
2020-03-06 19:14 vladm Note Added: 0036475