View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0017023 | CentOS-8 | -OTHER | public | 2020-02-07 22:00 | 2020-03-06 19:14 |
| Reporter | trevor.vaughan | ||||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | new | Resolution | open | ||
| Product Version | 8.1.1911 | ||||
| Target Version | Fixed in Version | ||||
| Summary | 0017023: nft segfaults on ipset with two networks | ||||
| Description | When configuring nftables via firewalld, a segfault is produced when providing an ipset with two hat:net networks as a source. Once this occurs, the system locks out all new external communication including SSH connectivity. | ||||
| Steps To Reproduce | The following test script can be used to reproduce the issue and view the results: ``` #!/bin/sh -x rm -rf /etc/firewalld/{zones,services,ipsets}/* systemctl restart firewalld firewall-cmd --list-all ipset_name='test' service_name='nfs_udp_ports' firewall-cmd --permanent --new-ipset=${ipset_name} --type=hash:net --family=inet firewall-cmd --permanent --ipset=${ipset_name} --add-entry=1.2.3.0/24 firewall-cmd --permanent --ipset=${ipset_name} --add-entry=2.3.0.0/16 firewall-cmd --permanent --new-service=${service_name} firewall-cmd --permanent --service=${service_name} --add-port=1111/udp --add-port=2049/udp --add-port=875/udp firewall-cmd --permanent --add-rich-rule="rule source ipset='${ipset_name}' service name='${service_name}' family='ipv4' accept" --zone public firewall-cmd --permanent --list-all systemctl restart firewalld journalctl -f ``` | ||||
| Additional Information | Kernel: kernel-4.18.0-147.3.1.el8_1.x86_64 Nftables: nftables-0.9.0-14.el8.x86_64 Journal message: Feb 07 21:52:56 centos8.test.net systemd[1]: Starting firewalld - dynamic firewall daemon... Feb 07 21:52:57 centos8.test.net systemd[1]: Started firewalld - dynamic firewall daemon. Feb 07 21:52:58 centos8.test.net kernel: nft[2550]: segfault at 2b058 ip 00007f0e0aa5e978 sp 00007fff67393738 error 4 in libgmp.so.10.3.2[7f0e0aa43000+96000] Feb 07 21:52:58 centos8.test.net kernel: Code: c1 48 29 c1 48 89 c8 75 44 4c 89 c2 48 8b 7f 08 48 8b 76 08 48 c1 fa 3f 48 89 d0 4c 31 c0 48 29 d0 eb 14 0f 1f 80 00 00 00 00 <48> 8b 14 c7 48 8b 0c c6 48 39 ca 75 1b 48 83 e8 01 48 83 f8 f> Feb 07 21:52:58 centos8.test.net systemd[1]: Started Process Core Dump (PID 2551/UID 0). Feb 07 21:52:58 centos8.test.net systemd-coredump[2552]: Resource limits disable core dumping for process 2550 (nft). Feb 07 21:52:58 centos8.test.net systemd-coredump[2552]: Process 2550 (nft) of user 0 dumped core. Feb 07 21:52:58 centos8.test.net firewalld[2416]: ERROR: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @test udp dport 1111 ct state new,untracked accept' failed: Feb 07 21:52:59 centos8.test.net firewalld[2416]: ERROR: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @test udp dport 1111 ct state new,untracked accept' failed: Feb 07 21:52:59 centos8.test.net firewalld[2416]: ERROR: COMMAND_FAILED: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @test udp dport 1111 ct state new,untracked accept' failed: Feb 07 21:52:59 centos8.test.net firewalld[2416]: ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Feb 07 21:52:59 centos8.test.net firewalld[2416]: ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Feb 07 21:52:59 centos8.test.net firewalld[2416]: ERROR: COMMAND_FAILED: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Feb 07 21:52:59 centos8.test.net NetworkManager[1070]: <warn> [1581112379.2335] firewall: [0x560864533f20,change:"eth0"]: complete: request failed (COMMAND_FAILED: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname > insert rule inet firewalld raw_PREROUTING_ZONES iifname "eth0" goto raw_PRE_public ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ) | ||||
| Tags | crash, firewalld, nftables | ||||
 |
https://bugzilla.redhat.com/show_bug.cgi?id=1802056 |
|
|
also reported here earlier https://bugs.centos.org/view.php?id=16518 |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-02-07 22:00 | trevor.vaughan | New Issue | |
| 2020-02-07 22:00 | trevor.vaughan | Tag Attached: crash | |
| 2020-02-07 22:00 | trevor.vaughan | Tag Attached: firewalld | |
| 2020-02-07 22:00 | trevor.vaughan | Tag Attached: nftables | |
| 2020-03-06 19:13 | vladm | Note Added: 0036474 | |
| 2020-03-06 19:14 | vladm | Note Added: 0036475 |
