
Bug 834799

Summary: net-firewall/nftables: running nft --terse with anonymous sets (groups) in a rule causes a segfault
Product: Gentoo Linux
Reporter: Chris <caterry>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED UPSTREAM
Severity: minor
CC: jstein, kfm, klondike, prometheanfire
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Attachments: emerge --info

Description Chris 2022-03-08 23:35:27 UTC
Created attachment 766614: emerge --info

When there are rules with multiple items in the line (i.e.

    tcp dport { 80, 443 } log

or

    ip saddr { 10.1.10.1, 10.1.10.250 } accept

) and using the --terse option for nft (nft -t list ruleset), results are printed up to the line before the group, the next line contains "segfault", and no other lines are printed.
I noticed the problem with nftables-1.0.1-r2.
I installed nftables-1.0.1-r1 and did not have the issue.
I installed nftables-1.0.2-r1 and did not have the issue.
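As an added example (not code from the bug report or from the nftables project), a guard a monitoring script could use so that a scripted `nft -t list ruleset` never loses output to this crash: it only uses the terse listing when the installed version is not the affected 1.0.1 or the ruleset carries no anonymous sets in rules. The version string and ruleset text below are constructed samples, and the example assumes `nft --version` prints `nftables vX.Y.Z (...)`.

```shell
#!/bin/sh
# Added example, not from the bug report: guard scripted "nft -t list ruleset"
# against the nftables 1.0.1 crash with anonymous sets. Assumes nft prints
# its version as "nftables vX.Y.Z (...)".

# Return 0 when the version string names the affected 1.0.1 release.
nft_terse_affected() {
    case "$1" in
        *"v1.0.1 "*|*"v1.0.1") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when a rule line carries an anonymous set, i.e. "{ a, b }" inline
# in a rule. Declaration lines (table/chain/set/elements/...) are skipped so
# that named-set definitions do not count.
has_anonymous_set() {
    printf '%s\n' "$1" \
      | grep -Ev '^[[:space:]]*(table|chain|set|map|flowtable|elements|type|flags|policy)([[:space:]=]|$)' \
      | grep -Eq '\{[^{}]*\}'
}

# Use the terse listing only when it is safe; otherwise return the full
# listing so the caller still gets complete output (needs root and nft).
safe_list_ruleset() {
    ver=$(nft --version 2>/dev/null) || return 1
    full=$(nft list ruleset) || return 1
    if nft_terse_affected "$ver" && has_anonymous_set "$full"; then
        printf '%s\n' "$full"
    else
        nft -t list ruleset
    fi
}

# Constructed sample rulesets for offline testing.
SAMPLE_RULESET='table inet filter {
	set allowed {
		type ipv4_addr
		elements = { 10.1.10.1, 10.1.10.250 }
	}
	chain input {
		type filter hook input priority filter; policy drop;
		tcp dport { 80, 443 } log
		ip saddr @allowed accept
	}
}'
SAMPLE_NAMED_ONLY='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ip saddr @allowed accept
	}
}'
```

The two sample rulesets show the distinction that matters: `tcp dport { 80, 443 }` is an anonymous set and trips the check, while `ip saddr @allowed` references a named set and does not.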
Comment 1 Sam James 2022-03-08 23:38:00 UTC
The difference between 1.0.1-r1 and 1.0.1-r2 is really small: it just fixes the Python bindings (https://gitweb.gentoo.org/repo/gentoo.git/commit/net-firewall/nftables?id=bb71ed3992d7a0aa8bc221b4ee52dd4ef091d191, bug 832395).
Comment 2 Sam James 2022-03-08 23:39:12 UTC
(In reply to Sam James from comment #1)
> The difference between 1.0.1-r1 and 1.0.1-r2 is really small: it just fixes the Python bindings
> (https://gitweb.gentoo.org/repo/gentoo.git/commit/net-firewall/nftables?id=bb71ed3992d7a0aa8bc221b4ee52dd4ef091d191, bug 832395).

Sorry, even less: https://gitweb.gentoo.org/repo/gentoo.git/commit/net-firewall/nftables?id=a90213e9289ee8d04a062c163158b70e92f8db16.

Nothing changed in the codebase. Just added a := dep on iptables to get rebuilt when its ABI changes.
Comment 3 kfm 2022-05-31 22:17:58 UTC
Version 1.0.1 introduced a regression affecting the combination of --terse and anonymous sets that 1.0.2 resolved by way of the following commit.

https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947

Assuming that there are no further complaints, I would suggest closing this bug.
Comment 4 Sam James 2022-05-31 23:10:34 UTC
(In reply to Kerin Millar from comment #3)
> Version 1.0.1 introduced a regression affecting the combination of --terse and anonymous sets that 1.0.2 resolved by way of the following commit.
> 
> https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947
> 
> Assuming that there are no further complaints, I would suggest closing this bug.

Thanks.