Package: nftables
Version: 0.9.8-3.1
Severity: important
Tags: upstream

Dear Maintainer,

We have 4 computers running Debian 11 that use firewalld.
Every 30 minutes, these run a configuration management tool as a scheduled job
that applies the firewall configuration (and overwrites any manual changes).
In the past 13 weeks, this job experienced 8 segmentation faults at random
moments.
The desired firewall configuration did not change on the days of the crashes;
the job only recreates certain nftables rules.
After the crash, the firewall remains in a state that rejects almost all
incoming and outgoing traffic.
Subsequent scheduled jobs fail to contact the configuration management server,
and the computer no longer accepts SSH connections. I recall one time manually
logging in via a non-SSH console and repairing it with firewall-cmd, though in
the other cases I just rebooted the computer as a quicker solution (when the
persistent firewalld configuration is applied at boot, it solves the problem).

Debian unstable already contains a newer version of the nftables package; I
have not yet tried upgrading to that one. It might take another few weeks
before the bug manifests again on the one computer that has core dumps enabled,
so I can't quickly check if other package versions still have the bug.

Today was the first time I captured a core dump. The backtrace looks a bit
similar to https://bugzilla.redhat.com/show_bug.cgi?id=1983116, though I'm not
sure how to interpret that Fedora backtrace because it lacks debug symbols.

    Core was generated by `/usr/bin/python3 /usr/sbin/firewalld --nofork --nopid'.
    --Type <RET> for more, q to quit, c to continue without paging--
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  list_add_tail (head=0x2c0, new=0x2440b70) at ../include/list.h:87
    Download failed: Invalid argument.  Continuing without source file ./src/../include/list.h.
    87      ../include/list.h: No such file or directory.
    [Current thread is 1 (Thread 0x7fddc6704740 (LWP 488))]
    (gdb)
    (gdb) bt
    #0  list_add_tail (head=0x2c0, new=0x2440b70) at ../include/list.h:87
    #1  list_move_tail (head=0x2c0, list=0x2440b70) at ../include/list.h:169
    #2  cache_init_objects (flags=127, ctx=0x7ffc9dd74f20) at rule.c:208
    #3  cache_init (flags=127, ctx=0x7ffc9dd74f20) at rule.c:235
    #4  cache_update (nft=nft@entry=0x1ffcbe0, flags=127, msgs=msgs@entry=0x7ffc9dd75ee0) at rule.c:291
    #5  0x00007fddc41ae0a2 in nft_evaluate (nft=nft@entry=0x1ffcbe0, msgs=msgs@entry=0x7ffc9dd75ee0, cmds=cmds@entry=0x7ffc9dd75ef0) at libnftables.c:420
    #6  0x00007fddc41aead8 in nft_run_cmd_from_buffer (nft=0x1ffcbe0,
        buf=0x2343330 "{\"nftables\": [{\"metainfo...) at libnftables.c:465

Here is the whole argument to nft_run_cmd_from_buffer() pretty printed:
    {"nftables": [
        {"metainfo": {"json_schema_version": 1}},
        {"add": {"set": {"family": "inet", "table": "firewalld", "name": "ata", "type": "ipv4_addr", "flags": ["interval"]}}},
        {"flush": {"set": {"family": "inet", "table": "firewalld", "name": "ata"}}},
        {"add": {"element": {"family": "inet", "table": "firewalld", "name": "ata", "elem": ["10.1.2.42"]}}},
        {"add": {"element": {"family": "inet", "table": "firewalld", "name": "ata", "elem": ["10.1.2.64"]}}},
        {"add": {"element": {"family": "inet", "table": "firewalld", "name": "ata", "elem": ["10.1.2.67"]}}}
    ]}

The line that causes the segfault is here:
https://sources.debian.org/src/nftables/0.9.8-3.1/src/rule.c/#L208
    list_move_tail(&rule->list, &chain->rules);



-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (800, 'stable-updates'), (800, 'stable-security'), (800, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-0.bpo.1-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg          1.20.12
ii  libc6         2.31-13+deb11u4
ii  libedit2      3.1-20191231-2+b1
ii  libnftables1  0.9.8-3.1

nftables recommends no packages.

Versions of packages nftables suggests:
ii  firewalld  1.2.0-1~bpo11+1

-- no debconf information
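Added example, not part of the report above and not firewalld's or nftables'
own code: a small Python model that replays the JSON command batch quoted in
the report (re-typed here as constructed sample input) and tracks what each
named set should contain afterwards, flagging any "flush" or "add element"
that refers to a set the batch never declared. The `existing_sets` parameter
is an assumption standing in for sets already present in the kernel ruleset.

```python
# Sample input constructed from the batch shown in the bug report: the JSON
# that firewalld handed to nft_run_cmd_from_buffer() just before the crash.
BATCH = {"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"add": {"set": {"family": "inet", "table": "firewalld", "name": "ata",
                     "type": "ipv4_addr", "flags": ["interval"]}}},
    {"flush": {"set": {"family": "inet", "table": "firewalld", "name": "ata"}}},
    {"add": {"element": {"family": "inet", "table": "firewalld", "name": "ata",
                         "elem": ["10.1.2.42"]}}},
    {"add": {"element": {"family": "inet", "table": "firewalld", "name": "ata",
                         "elem": ["10.1.2.64"]}}},
    {"add": {"element": {"family": "inet", "table": "firewalld", "name": "ata",
                         "elem": ["10.1.2.67"]}}},
]}


def set_key(obj):
    """Identify a set by family/table/name, which is how nft scopes it."""
    return (obj["family"], obj["table"], obj["name"])


def replay_batch(batch, existing_sets=None):
    """Model the effect of an nftables JSON batch on named sets.

    Returns (sets, problems): `sets` maps (family, table, name) to the
    element set after the batch; `problems` lists commands that touch a set
    neither declared in the batch nor listed in `existing_sets` (assumed
    pre-existing kernel sets). Commands other than set handling are ignored.
    """
    sets = {k: set() for k in (existing_sets or [])}
    problems = []
    cmds = batch["nftables"]
    if not cmds or "metainfo" not in cmds[0]:
        problems.append("batch does not start with a metainfo object")
    for idx, cmd in enumerate(cmds):
        if "add" in cmd and "set" in cmd["add"]:
            sets.setdefault(set_key(cmd["add"]["set"]), set())
        elif "flush" in cmd and "set" in cmd["flush"]:
            key = set_key(cmd["flush"]["set"])
            if key in sets:
                sets[key].clear()
            else:
                problems.append(f"cmd {idx}: flush of undeclared set {key}")
        elif "add" in cmd and "element" in cmd["add"]:
            el = cmd["add"]["element"]
            key = set_key(el)
            if key in sets:
                sets[key].update(el["elem"])
            else:
                problems.append(f"cmd {idx}: elements for undeclared set {key}")
    return sets, problems
```

Replaying the report's batch yields a single set ata with the three addresses
and no problems, so the input handed to libnftables is well-formed on its own.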
