Package: iptables
Version: 1.8.2-4
Severity: grave
File: /usr/sbin/xtables-nft-multi
Justification: renders package unusable by segfaulting on usage

Dear Maintainer,

First, it may be that this should actually be filed against nftables, so I'd like to say sorry in advance if I made noise to the wrong people.

Anyway, on a Debian Stretch system installed from the latest weekly ISO, restoring a relatively simple IP table with a single "intermediate" chain causes a segfault and no restoration of said table.

Reproducer:

    # cat simple-segv-table
    *filter
    :NEW-OUTPUT - [0:0]
    -A OUTPUT -j NEW-OUTPUT
    -F NEW-OUTPUT
    -A NEW-OUTPUT -j ACCEPT
    COMMIT
    # iptables ./simple-segv-table
    Segmentation fault
    # dmesg | tail -1
    [12860.813350] traps: iptables-restor[19173] general protection ip:7f4894682793 sp:7ffcedc177d0 error:0 in libnftnl.so.11.0.0[7f4894677000+17000]
    # addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0 -fCi $(printf "%x" $[0x7f2cb9882793 - 0x7f2cb9877000])
    nftnl_batch_is_supported
    ??:?

(hope that my addr2line foo isn't too much off)

Above example works just fine on a Debian Stretch 9.9 based machine.

As initially I produced this on a, let's say, far from minimal and a bit Frankenstein'ed Buster, I installed the netinst weekly ISO again in a QEMU/KVM backed VM, same outcome.

As said, this may well be an issue in the linked libnftnl shared library, but could also be an issue from how iptables uses it. As I produced the error by calling into an iptables provided binary, I chose to report it here (not sure if one can report against multiple packages).

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                     2.28-10
ii  libip4tc0                 1.8.2-4
ii  libip6tc0                 1.8.2-4
ii  libiptc0                  1.8.2-4
ii  libmnl0                   1.0.4-2
ii  libnetfilter-conntrack3   1.0.7-1
ii  libnfnetlink0             1.0.1-3+b1
ii  libnftnl11                1.1.2-2
ii  libxtables12              1.8.2-4

Versions of packages iptables recommends:
ii  nftables  0.9.0-2

Versions of packages iptables suggests:
ii  kmod  26-1

-- no debconf information
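
Added example, not part of the original report: a POSIX shell helper that turns a kernel "traps:" line like the one quoted above into the library-relative offset that addr2line expects, and rejects a line whose ip lies outside the reported mapping. The function name trap_offset is hypothetical; the sample input is the dmesg line from the report, which gives the same offset as the addresses used in the reporter's addr2line call.

```shell
#!/bin/sh
# Added example: compute <object> <offset> from a kernel "traps:" line.

# Sample input: the dmesg line quoted in the report.
SAMPLE='[12860.813350] traps: iptables-restor[19173] general protection ip:7f4894682793 sp:7ffcedc177d0 error:0 in libnftnl.so.11.0.0[7f4894677000+17000]'

# trap_offset LINE
#   prints "<object> <hex offset>" on success
#   returns 1 if the line does not parse or ip is outside [base, base+size)
trap_offset() {
    line=$1
    # Faulting instruction pointer (hex, no 0x prefix).
    ip=$(printf '%s\n' "$line" |
        sed -n 's/.* ip:\([0-9a-f]\{1,\}\) .*/\1/p')
    # Mapped object name, mapping base and mapping size: " in name[base+size]".
    obj=$(printf '%s\n' "$line" |
        sed -n 's/.* in \([^[ ]*\)\[[0-9a-f]*+[0-9a-f]*\].*/\1/p')
    base=$(printf '%s\n' "$line" |
        sed -n 's/.* in [^[ ]*\[\([0-9a-f]*\)+[0-9a-f]*\].*/\1/p')
    size=$(printf '%s\n' "$line" |
        sed -n 's/.* in [^[ ]*\[[0-9a-f]*+\([0-9a-f]*\)\].*/\1/p')

    [ -n "$ip" ] && [ -n "$obj" ] && [ -n "$base" ] && [ -n "$size" ] || return 1

    off=$(( 0x$ip - 0x$base ))
    # An offset outside the mapping means the line was misread or truncated.
    [ "$off" -ge 0 ] && [ "$off" -lt $(( 0x$size )) ] || return 1

    printf '%s %x\n' "$obj" "$off"
}

# The printed offset is what goes on the addr2line command line, e.g.
#   addr2line -e /usr/lib/x86_64-linux-gnu/libnftnl.so.11.0.0 -fCi <offset>
trap_offset "$SAMPLE"
```
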