Bug 834799 - net-firewall/nftables when running nft --terse with groups in rule causes segfault
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal minor
Assignee: Gentoo's Team for Core System packages
Reported: 2022-03-08 23:35 UTC by Chris
Modified: 2022-05-31 23:10 UTC

Attachments
emerge --info (emergeinfo,5.59 KB, text/plain)
2022-03-08 23:35 UTC, Chris
Description Chris 2022-03-08 23:35:27 UTC
Created attachment 766614
emerge --info

When there are rules with multiple items in the line, i.e.
tcp dport { 80, 443 } log
 or 
ip saddr { 10.1.10.1, 10.1.10.250 } accept

and using the --terse option for nft (nft -t list ruleset),
results are printed up to the line before the group, the next line contains segfault, and no other lines are printed.
I noticed the problem with nftables-1.0.1-r2.
I installed nftables-1.0.1-r1 and did not have the issue.
I installed nftables-1.0.2-r1 and did not have the issue.
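
A smoke test for the behaviour described in this report, as an added example that is not part of the original report or of nftables: it loads the two quoted rules into a throwaway network namespace and classifies the exit status of nft -t list ruleset. The table name "smoke", the function names, the "run" argument and the use of unshare -n (which needs root) are assumptions of this example.

```shell
#!/bin/sh
# Post-upgrade check: does "nft --terse list ruleset" survive anonymous sets?
# Runs inside a private network namespace so the host ruleset is never touched.

# Map a shell exit status to a short verdict.
# A process killed by signal N is reported by the shell as 128 + N,
# so SIGSEGV (11) shows up as 139.
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        139) echo "segfault" ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "signal-$(( $1 - 128 ))"
             else
                 echo "error-$1"
             fi ;;
    esac
}

# Load a constructed ruleset containing the two rules from the report,
# then list it with --terse. Prints the verdict for the listing step;
# "error-2" means the ruleset itself could not be loaded.
terse_smoke_test() {
    unshare -n sh -c '
        nft -f - <<EOF || exit 2
table inet smoke {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { 80, 443 } log
        ip saddr { 10.1.10.1, 10.1.10.250 } accept
    }
}
EOF
        nft -t list ruleset >/dev/null
    '
    classify_status "$?"
}

# Only touch nft when explicitly asked: sh terse-smoke.sh run
if [ "${1:-}" = "run" ]; then
    terse_smoke_test
fi
```

A verdict of "segfault" on a given build matches the symptom reported here; "ok" means the terse listing completed.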
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-08 23:38:00 UTC
The difference between 1.0.1-r1 and 1.0.1-r2 is really small: it just fixes the Python bindings (https://gitweb.gentoo.org/repo/gentoo.git/commit/net-firewall/nftables?id=bb71ed3992d7a0aa8bc221b4ee52dd4ef091d191, bug 832395).
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-08 23:39:12 UTC
(In reply to Sam James from comment #1)
> The difference between 1.0.1-r1 and 1.0.1-r2 is really small: it just fixes
> the Python bindings
> (https://gitweb.gentoo.org/repo/gentoo.git/commit/net-firewall/nftables?id=bb71ed3992d7a0aa8bc221b4ee52dd4ef091d191, bug 832395).

Sorry, even less: https://gitweb.gentoo.org/repo/gentoo.git/commit/net-firewall/nftables?id=a90213e9289ee8d04a062c163158b70e92f8db16.

Nothing changed in the codebase. Just added a := dep on iptables to get rebuilt when its ABI changes.
Comment 3 Kerin Millar 2022-05-31 22:17:58 UTC
Version 1.0.1 introduced a regression affecting the combination of --terse and anonymous sets that 1.0.2 resolved by way of the following commit.

https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947

Assuming that there are no further complaints, I would suggest closing this bug.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-31 23:10:34 UTC
(In reply to Kerin Millar from comment #3)
> Version 1.0.1 introduced a regression affecting the combination of --terse
> and anonymous sets that 1.0.2 resolved by way of the following commit.
> 
> https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947
> 
> Assuming that there are no further complaints, I would suggest closing this
> bug.

Thanks.