Bug#901660: iproute2: Using HFSC-qdisc causes WARNING-messages and stack-traces in syslog

2018-06-16 Thread aurinko
Package: iproute2
Version: 4.16.0-4
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
Upgrading to the latest kernel 4.16.0-4. With previous versions of the
kernel and iproute2 packages these issues did not occur.


   * What exactly did you do (or not do) that was effective (or ineffective)?
I applied the following script to my interfaces:

tc qdisc add dev enp6s0f0 root handle 1: hfsc default 3
tc class add dev enp6s0f0 parent 1: classid 1:1 hfsc ls rate 10kbit ul rate 10kbit
tc class add dev enp6s0f0 parent 1:1 classid 1:2 hfsc ls rate 75000kbit
tc class add dev enp6s0f0 parent 1:1 classid 1:3 hfsc ls rate 2kbit
tc class add dev enp6s0f0 parent 1:1 classid 1:4 hfsc ls rate 5000kbit
tc qdisc add dev enp6s0f0 parent 1:2 handle 2: fq_codel noecn
tc qdisc add dev enp6s0f0 parent 1:3 handle 3: fq_codel noecn
tc qdisc add dev enp6s0f0 parent 1:4 handle 4: fq_codel noecn

tc qdisc add dev enp6s0f1 root handle 1: hfsc default 2
tc class add dev enp6s0f1 parent 1: classid 1:1 hfsc ls rate 1000mbit ul rate 1000mbit
tc class add dev enp6s0f1 parent 1:1 classid 1:2 hfsc ls rate 91kbit ul rate 91kbit
tc class add dev enp6s0f1 parent 1:1 classid 1:3 hfsc ls rate 900mbit
tc qdisc add dev enp6s0f1 parent 1:2 handle 2: fq_codel noecn
tc qdisc add dev enp6s0f1 parent 1:3 handle 3: fq_codel noecn


   * What was the outcome of this action?
The script completed and the qdiscs were added. However, the
following entries are now being seen every few minutes in
syslog:

[Sat Jun 16 14:19:01 2018] WARNING: CPU: 0 PID: 0 at /build/linux-43CEzF/linux-4.16.12/net/sched/sch_hfsc.c:1388 hfsc_dequeue+0x27e/0x370 [sch_hfsc]
[Sat Jun 16 14:19:01 2018] Modules linked in: vhost_net vhost tap dm_crypt algif_skcipher af_alg dm_mod hid_generic usbhid hid ebtable_filter ebtables ip6table_filter ip6_tables sch_fq_codel devlink sch_hfsc sch_fq tun cfg80211 rfkill bridge stp llc openvswitch nsh nf_conntrack_ipv6 nf_nat_ipv6 nf_defrag_ipv6 zfs(PO) zunicode(PO) zavl(PO) icp(PO) binfmt_misc nls_ascii nls_cp437 vfat fat zcommon(PO) znvpair(PO) spl(O) intel_rapl x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_hdmi coretemp kvm_intel snd_hda_codec_realtek kvm snd_hda_codec_generic irqbypass iTCO_wdt iTCO_vendor_support mxm_wmi evdev crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_intel intel_cstate snd_hda_codec snd_hda_core i915 snd_hwdep intel_uncore efi_pstore snd_pcm intel_rapl_perf pcspkr serio_raw efivars lpc_ich drm_kms_helper
[Sat Jun 16 14:19:01 2018]  mei_me snd_timer snd sg mei soundcore drm shpchp ie31200_edac wmi video button nft_nat nft_masq_ipv4 nf_nat_masquerade_ipv4 nft_masq nft_chain_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nft_ct nf_conntrack nf_log_ipv4 nf_log_common nft_log nft_counter nft_meta nft_set_bitmap nft_set_hash nft_set_rbtree nf_tables_ipv4 nf_tables nfnetlink tcp_bbr sunrpc efivarfs ip_tables x_tables autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod sd_mod crc32c_intel ahci libahci aesni_intel aes_x86_64 crypto_simd xhci_pci ehci_pci cryptd glue_helper mpt3sas i2c_i801 xhci_hcd ehci_hcd psmouse raid_class igb alx libata scsi_transport_sas usbcore
[Sat Jun 16 14:19:01 2018]  i2c_algo_bit mdio e1000e usb_common dca scsi_mod fan thermal [last unloaded: msr]
[Sat Jun 16 14:19:01 2018] CPU: 0 PID: 0 Comm: swapper/0 Tainted: PW  O 4.16.0-2-amd64 #1 Debian 4.16.12-1
[Sat Jun 16 14:19:01 2018] Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./Z77X-UP7, BIOS F5 11/22/2012
[Sat Jun 16 14:19:01 2018] RIP: 0010:hfsc_dequeue+0x27e/0x370 [sch_hfsc]
[Sat Jun 16 14:19:01 2018] RSP: 0018:981a1f203eb0 EFLAGS: 00010246
[Sat Jun 16 14:19:01 2018] RAX:  RBX: 9819be548188 RCX: 0018
[Sat Jun 16 14:19:01 2018] RDX: 0002 RSI:  RDI: 9819be548480
[Sat Jun 16 14:19:01 2018] RBP: 0005283c02b1 R08:  R09: 9819f8af08c4
[Sat Jun 16 14:19:01 2018] R10: 5283c02a R11: 5283c02a R12: 9819be548000
[Sat Jun 16 14:19:01 2018] R13: 9819be548480 R14: 9819036e3ee8 R15: 9819be548000
[Sat 
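The tc script in the report builds one HFSC class tree per interface, and the warning it triggers sits in hfsc_dequeue. Before attributing a warning like that to the kernel, a practitioner wants to rule out a malformed tree. What follows is an added example, written for this page; it is not part of the bug report and not iproute2 code. It re-parses "tc qdisc add" / "tc class add" lines, rebuilds the class tree per device and reports the mistakes that HFSC does not forgive: a parent that was never created, a "default" class that is missing or is not a leaf (HFSC delivers unclassified traffic only to a leaf default class and drops it otherwise), and a child qdisc attached to a class that has children of its own. It assumes the class curves use the "ls/ul/rt rate X" shorthand the reporter used (the m1/d/m2 form is not parsed). Both embedded scripts are constructed: the first is the report's enp6s0f0 section with the e-mail wrapping undone, the second a deliberately broken variant.

```python
"""Structural check for a tc HFSC setup script (added example; not from the
report or from iproute2).  Re-parses 'tc qdisc add' / 'tc class add' lines,
rebuilds the class tree per device and reports what should be ruled out
before suspecting the kernel: a parent that was never created, a 'default'
class that is missing or is not a leaf (HFSC hands unclassified traffic
only to a leaf default class and drops it otherwise), and a child qdisc
attached to a class that has children.  Handles and the 'default' minor
are parsed as hexadecimal, as tc does."""
import re
from collections import defaultdict

# Constructed sample: the enp6s0f0 half of the reporter's script, one command
# per line (the e-mail had wrapped them).
SAMPLE_SCRIPT = """
tc qdisc add dev enp6s0f0 root handle 1: hfsc default 3
tc class add dev enp6s0f0 parent 1: classid 1:1 hfsc ls rate 10kbit ul rate 10kbit
tc class add dev enp6s0f0 parent 1:1 classid 1:2 hfsc ls rate 75000kbit
tc class add dev enp6s0f0 parent 1:1 classid 1:3 hfsc ls rate 2kbit
tc class add dev enp6s0f0 parent 1:1 classid 1:4 hfsc ls rate 5000kbit
tc qdisc add dev enp6s0f0 parent 1:2 handle 2: fq_codel noecn
tc qdisc add dev enp6s0f0 parent 1:3 handle 3: fq_codel noecn
tc qdisc add dev enp6s0f0 parent 1:4 handle 4: fq_codel noecn
"""

# Constructed variant with two mistakes: 'default 1' names the interior class
# 1:1, and the fq_codel is attached to a class (1:5) that was never created.
BROKEN_SCRIPT = """
tc qdisc add dev eth0 root handle 1: hfsc default 1
tc class add dev eth0 parent 1: classid 1:1 hfsc ls rate 10mbit ul rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:2 hfsc ls rate 8mbit
tc qdisc add dev eth0 parent 1:5 handle 5: fq_codel
"""

QDISC_RE = re.compile(r"tc qdisc add dev (\S+) (?:root|parent (\S+)) handle (\S+) (\S+)(.*)")
CLASS_RE = re.compile(r"tc class add dev (\S+) parent (\S+) classid (\S+) hfsc(.*)")
CURVE_RE = re.compile(r"\b(rt|ls|ul|sc) rate (\S+)")   # 'rate X' shorthand only
UNITS = {"bit": 1, "kbit": 10**3, "mbit": 10**6, "gbit": 10**9,     # bits/s
         "bps": 8, "kbps": 8 * 10**3, "mbps": 8 * 10**6, "gbps": 8 * 10**9}

def parse_rate(text):
    """tc rate literal -> bit/s, e.g. '75000kbit' -> 75000000."""
    m = re.fullmatch(r"(\d+)([a-z]+)?", text)
    if not m or (m.group(2) or "bit") not in UNITS:
        raise ValueError("unsupported rate %r" % text)
    return int(m.group(1)) * UNITS[m.group(2) or "bit"]

def handle(text):
    """'1:' -> (1, 0), '1:a' -> (1, 10); both halves are hex."""
    major, _, minor = text.partition(":")
    return (int(major, 16), int(minor or "0", 16))

def parse_script(script):
    """Per device: root handle, default minor, classes {id: parent, curves}
    and child qdiscs {parent class id: kind}."""
    devs = defaultdict(lambda: {"root": None, "default": None,
                                "classes": {}, "qdiscs": {}})
    for line in script.strip().splitlines():
        m = QDISC_RE.match(line.strip())
        if m:
            dev, parent, hdl, kind, rest = m.groups()
            if parent is None:                       # root qdisc
                devs[dev]["root"] = handle(hdl)
                dm = re.search(r"\bdefault (\S+)", rest)
                if kind == "hfsc" and dm:
                    devs[dev]["default"] = int(dm.group(1), 16)
            else:                                    # qdisc under a class
                devs[dev]["qdiscs"][handle(parent)] = kind
            continue
        m = CLASS_RE.match(line.strip())
        if m:
            dev, parent, cid, rest = m.groups()
            curves = {c: parse_rate(r) for c, r in CURVE_RE.findall(rest)}
            devs[dev]["classes"][handle(cid)] = {"parent": handle(parent),
                                                 "curves": curves}
    return devs

def check(devs):
    """Human-readable problems; an empty list means the tree is consistent."""
    problems = []
    for dev, d in sorted(devs.items()):
        classes, children = d["classes"], defaultdict(list)
        for cid, c in classes.items():
            children[c["parent"]].append(cid)
        known = set(classes) | {d["root"]}
        for cid, c in classes.items():
            if c["parent"] not in known:
                problems.append("%s: class %x:%x has unknown parent %x:%x"
                                % ((dev,) + cid + c["parent"]))
        if d["root"] is not None and d["default"] is not None:
            dflt = (d["root"][0], d["default"])
            if dflt not in classes:
                problems.append("%s: default class %x:%x does not exist; "
                                "unclassified packets are dropped" % ((dev,) + dflt))
            elif children[dflt]:
                problems.append("%s: default class %x:%x is not a leaf; "
                                "unclassified packets are dropped" % ((dev,) + dflt))
        for parent, kind in d["qdiscs"].items():
            if parent not in classes:
                problems.append("%s: %s attached to non-existent class %x:%x"
                                % ((dev, kind) + parent))
            elif children[parent]:
                problems.append("%s: %s attached to interior class %x:%x"
                                % ((dev, kind) + parent))
    return problems

if __name__ == "__main__":
    for name, script in (("report", SAMPLE_SCRIPT), ("broken", BROKEN_SCRIPT)):
        print(name, check(parse_script(script)) or ["tree is consistent"])
```

The reporter's enp6s0f0 section passes all three checks (default 3 names the existing leaf 1:3, every parent exists, each fq_codel hangs off a leaf), so the warning is not explained by a tree mistake of this kind; the broken variant reports both of its mistakes. The check deliberately does not compare a parent's "ul" rate with the sum of its children's "ls" rates: link-share curves are relative shares under HFSC, so that sum exceeding the upper limit is not a configuration error.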

Bug#880145: nftables: When more than 2-3 elements are in an anonymous set the rule does not match any of them

2017-10-29 Thread aurinko
Package: nftables
Version: 0.8-1
Severity: normal

Dear Maintainer,

* What led up to the situation?
Upgrading the kernel to 4.13 and nftables to version 0.8 caused this
issue to occur. In previous releases the configuration below worked
flawlessly.

The configuration below causes no error messages, and when issuing
"nft -nna list ruleset" all rules are shown. The real issue is that the
sets which have more than 2 elements in the input chain never match a
packet. For example, the line "add rule ip filter INPUT iif $lan-if tcp
dport {22.445,3000,1,64738} counter accept" never matches a packet. When
issuing a trace, the packet goes straight to the last rule, which just
drops the packet.

* What exactly did you do (or not do) that was effective (or ineffective)?
When using named sets instead of anonymous sets, there is no issue. This
works every time I reload the configuration file. Sets with two or fewer
elements seem to work just fine, or at least match some of the elements.


* What outcome did you expect instead?
I expected this configuration to work with newer kernel and nftables.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg  1.18.24
ii  libc6 2.24-17
ii  libgmp10  2:6.1.2+dfsg-1.1
ii  libmnl0   1.0.4-2
ii  libnftnl7 1.0.8-1
ii  libreadline7  7.0-3
ii  libxtables12  1.6.1-2+b1

nftables recommends no packages.

nftables suggests no packages.

-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset
define lan-if = {enp6s0f1, enp7s0f0}
define wan-if = enp6s0f0
define drop-wan-tcp = {0,25,135-139,179,445,593,1433-1434,7547}
define drop-wan-udp = {25,135-139,161,445,593,1433-1434,1900}
define drop-wan-dst-ip = {10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4}
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add map filter ct_map { type ct_state : verdict; }
add element filter ct_map { established : accept }
add element filter ct_map { related : accept }
add element filter ct_map { invalid : drop }
add rule ip filter INPUT iif lo counter accept
add rule ip filter INPUT ct state vmap @ct_map
add rule ip filter INPUT icmp type {1,6,8,11-14} counter accept
add rule ip filter INPUT iif $lan-if udp dport {53,67,1200,64738} accept
add rule ip filter INPUT iif $lan-if tcp dport {22.445,3000,1,64738} accept
add rule ip filter INPUT iif $wan-if udp dport {1200,1201} accept
add rule ip filter INPUT iif $wan-if tcp dport {22,64738} accept
add rule ip filter INPUT iifname {rex0,mei0} tcp dport {22,80,445,3000,1} accept
add rule ip filter INPUT counter drop
add rule ip filter FORWARD ct state vmap @ct_map
add rule ip filter FORWARD oif $wan-if tcp dport $drop-wan-tcp log prefix "FORWARD TCP1 : " counter drop
add rule ip filter FORWARD oif $wan-if udp dport $drop-wan-udp log prefix "FORWARD UDP1: " counter drop
add rule ip filter FORWARD oif $wan-if ip daddr $drop-wan-dst-ip log prefix "FORWARD WAN SRC1: " counter drop
add rule ip filter FORWARD oif $wan-if icmp type != {0,1,6,8,11-14} counter drop
add rule ip filter FORWARD iif $lan-if oif $wan-if counter accept
add rule ip filter FORWARD counter drop
add rule ip filter OUTPUT oif $wan-if tcp dport $drop-wan-tcp log prefix "OUTPUT TCP1: " counter drop
add rule ip filter OUTPUT oif $wan-if udp dport $drop-wan-udp log prefix "OUTPUT UDP1: " counter drop
add rule ip filter OUTPUT oif $wan-if ip daddr $drop-wan-dst-ip log prefix "OUTPUT SRC1: " counter drop
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority 0; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 0; }
add rule ip nat POSTROUTING oif $wan-if counter masquerade
add rule ip nat PREROUTING tcp dport 6060 counter dnat 192.168.23.1:22
add table ip mangle
add chain ip mangle POSTROUTING { type filter hook output priority 0; }
add rule ip mangle POSTROUTING oif $lan-if ip saddr {192.168.23.0/24, 10.8.0.0/24} counter meta priority set 1:3


-- no debconf information
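The report says that anonymous sets with more than two elements in the INPUT chain never match. Before concluding that the set implementation is at fault, a practitioner wants to confirm that every element of each "dport" set is something that can match at all: a numeric port in 0..65535, or a range lo-hi with lo <= hi. The following is an added example written for this page, not part of the bug report and not nftables code. It lints the "tcp dport" / "udp dport" set literals of an nft script, resolving "define NAME = {...}" variables referenced as "$NAME", and expects one rule per line (the wrapped lines of the e-mail would have to be joined first). Run over the reporter's own INPUT rules it flags exactly one element, "22.445" in the tcp rule that the report quotes, which is neither a port number nor a port range. That is a finding about the posted configuration, not a diagnosis of the bug: the report also says sets of two or fewer elements behave differently, which this lint says nothing about. Caveat: nft accepts service names such as "ssh" in dport sets; this lint flags them too, so it is meant for numeric configurations. The embedded configuration lines are constructed from the report's config.

```python
"""Lint for port set literals in an nftables script (added example; not from
the bug report or from the nftables project).  Before concluding that a set
"never matches", confirm that every element of each 'tcp dport' / 'udp dport'
set is a numeric port 0..65535 or a range lo-hi with lo <= hi.  Handles
anonymous sets written inline and sets pulled in via 'define NAME = {...}'
and '$NAME'.  Service names such as 'ssh' are legal in nft but are flagged
here, so this is a check for numeric configurations."""
import re

# Constructed sample: the relevant lines of the reporter's /etc/nftables.conf,
# including the INPUT rule whose set literal contains '22.445'.
SAMPLE_CONF = """
define lan-if = {enp6s0f1, enp7s0f0}
define drop-wan-tcp = {0,25,135-139,179,445,593,1433-1434,7547}
add rule ip filter INPUT iif $lan-if udp dport {53,67,1200,64738} accept
add rule ip filter INPUT iif $lan-if tcp dport {22.445,3000,1,64738} accept
add rule ip filter INPUT iif $wan-if tcp dport {22,64738} accept
add rule ip filter FORWARD oif $wan-if tcp dport $drop-wan-tcp log prefix "FORWARD TCP1 : " counter drop
"""

DEFINE_RE = re.compile(r"^\s*define\s+([\w-]+)\s*=\s*(.+?)\s*$")
DPORT_RE = re.compile(r"\b(tcp|udp)\s+dport\s+(\{[^}]*\}|\$[\w-]+|\S+)")
PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")

def parse_defines(conf):
    """'define x = {a, b}' -> {'x': '{a, b}'} (right-hand side kept raw)."""
    return {m.group(1): m.group(2)
            for m in map(DEFINE_RE.match, conf.splitlines()) if m}

def elements(expr, defines):
    """Split a set literal, a $variable or a lone element into element strings.
    An unknown $variable is returned as-is so it shows up as a finding."""
    if expr.startswith("$"):
        expr = defines.get(expr[1:], expr)
    if expr.startswith("{") and expr.endswith("}"):
        expr = expr[1:-1]
    return [e.strip() for e in expr.split(",") if e.strip()]

def bad_port_elements(conf):
    """Return [(lineno, proto, element, reason)] for every dport element that
    is not a valid port or port range."""
    defines = parse_defines(conf)
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        for proto, expr in DPORT_RE.findall(line):
            for el in elements(expr, defines):
                m = PORT_RE.match(el)
                if not m:
                    findings.append((lineno, proto, el, "not a port or port range"))
                    continue
                lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
                if not 0 <= lo <= hi <= 65535:
                    findings.append((lineno, proto, el,
                                     "outside 0-65535 or reversed range"))
    return findings

if __name__ == "__main__":
    for lineno, proto, el, why in bad_port_elements(SAMPLE_CONF):
        print("line %d: %s dport element %r %s" % (lineno, proto, el, why))
```

The variable-resolving step matters for the reporter's FORWARD and OUTPUT rules, whose port sets live in "define drop-wan-tcp" and "define drop-wan-udp"; those expand to ranges like 135-139 and 1433-1434 and pass. Only the inline INPUT literal is reported.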