Your message dated Fri, 23 Nov 2018 11:59:29 +0100
with message-id <e30e75bc-ad60-4732-600d-1d8b6fe84e52@debian.org>
and subject line Re: Bug#914429: nftables: Delete and Flush lead to device or resource busy with segmentation fault
has caused the Debian Bug report #914429,
regarding nftables: Delete and Flush lead to device or resource busy with segmentation fault
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
914429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914429
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Cc: rt+96925@rt.ic3s.de
- Subject: nftables: Delete and Flush lead to device or resource busy with segmentation fault
- From: Eike Lohmann <e.lohmann@ic3s.de>
- Date: Fri, 23 Nov 2018 11:32:06 +0100
- Message-id: <d1228bb3-29f8-9440-d0f9-97c654d46390@ic3s.de>
- Reply-to: e.lohmann@ic3s.de
Package: nftables
Version: 0.9.0-1~bpo9+1
Severity: important
Dear Maintainer,
with adding and deleting rules, chains, maps and sets in nft, we can reproduce a "device or resource busy" followed by flush ruleset with a "segmentation fault". For the device or resource busy error, we can't find any process in the process list.

# nft delete chain filter C_TestChain
Error: Could not process rule: Device or resource busy
delete chain filter C_TestChain

# nft flush ruleset
Segmentation fault

How to reproduce:

/etc/nftables.conf:

    #!/usr/sbin/nft -f
    # Skeleton for nftables
    flush ruleset
    table ip filter {
        chain FORWARD {
            type filter hook forward priority 0;
        }
    }

Add via file:

    add chain filter vpn_master
    add map filter J_TestMap { type ipv4_addr : verdict ; flags interval ; }
    add rule filter vpn_master ip saddr vmap @J_TestMap
    add chain filter C_TestChain
    add set filter M_TestMasterSet {type ipv4_addr ; flags interval ; elements={ 172.21.138.0/29 } ;}
    add set filter S_TestSlaveSet {type ipv4_addr ; flags interval ; elements={ 172.21.138.8/29, 172.21.138.16/28, 172.21.138.32/29 } ;}
    add element filter J_TestMap { 172.21.138.0/29 : jump C_TestChain }
    add element filter J_TestMap { 172.21.138.8/29 : jump C_TestChain }
    add element filter J_TestMap { 172.21.138.16/28 : jump C_TestChain }
    add element filter J_TestMap { 172.21.138.32/29 : jump C_TestChain }
    add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr @M_TestMasterSet accept
    add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr @S_TestSlaveSet accept
    add rule filter C_TestChain ip saddr @S_TestSlaveSet ip daddr @M_TestMasterSet accept

then flush and delete some rules with following commands:

# nft flush set filter M_TestMasterSet
# nft flush set filter S_TestSlaveSet
# nft flush map filter J_TestMap
# nft flush chain filter C_TestChain
# nft delete set filter M_TestMasterSet
# nft delete set filter S_TestSlaveSet

now we delete the vmap via handle (could not find out, how to delete this via name):

# nft list table filter -na
table ip filter { # handle 2
    map J_TestMap { # handle 3
        type ipv4_addr : verdict
        flags interval
    }

    chain FORWARD { # handle 1
        type filter hook forward priority 0; policy accept;
    }

    chain vpn_master { # handle 2
        ip saddr vmap @J_TestMap # handle 4
    }

    chain C_TestChain { # handle 5
    }
}

# nft delete rule filter vpn_master handle 4
# nft delete map filter J_TestMap
# nft delete chain filter C_TestChain
Error: Could not process rule: Device or resource busy
delete chain filter C_TestChain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

what is left and can we delete it via a complete flush?

# nft list table filter -na
table ip filter { # handle 2
    chain FORWARD { # handle 1
        type filter hook forward priority 0; policy accept;
    }

    chain vpn_master { # handle 2
    }

    chain C_TestChain { # handle 5
    }
}

# nft flush ruleset
Segmentation fault

Please contact me, if you need further details.

Regards,
Eike
-- System Information:
Debian Release: 9.6
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (50, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages nftables depends on:
ii dpkg 1.18.25
ii libc6 2.24-11+deb9u3
ii libgmp10 2:6.1.2+dfsg-1
ii libnftables0 0.9.0-1~bpo9+1
ii libreadline7 7.0-3
ii libnftnl7:amd64 1.1.1-1~bpo9+1
nftables recommends no packages.
nftables suggests no packages.
-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset
table ip filter {
    chain FORWARD {
        type filter hook forward priority 0;
    }
}
--- End Message ---
--- Begin Message ---
- To: e.lohmann@ic3s.de
- Cc: 914429@bugs.debian.org, 914429-done@bugs.debian.org, rt+96925@rt.ic3s.de
- Subject: Re: Bug#914429: nftables: Delete and Flush lead to device or resource busy with segmentation fault
- From: Arturo Borrero Gonzalez <arturo@debian.org>
- Date: Fri, 23 Nov 2018 11:59:29 +0100
- Message-id: <e30e75bc-ad60-4732-600d-1d8b6fe84e52@debian.org>
- In-reply-to: <d1228bb3-29f8-9440-d0f9-97c654d46390@ic3s.de>
- References: <d1228bb3-29f8-9440-d0f9-97c654d46390@ic3s.de>
Control: severity -1 normal
Control: reassign -1 linux
Control: fixed -1 4.18.20-1

On 11/23/18 11:32 AM, Eike Lohmann wrote:
> # nft delete chain filter C_TestChain
> Error: Could not process rule: Device or resource busy
> delete chain filter C_TestChain
>

This is not a bug. This means that the C_TestChain chain is referenced by other
objects within the ruleset, thus you can't delete it. Please, check your ruleset.

> # nft flush ruleset
> Segmentation fault
>

This is a kernel error which leads the userspace application to crash.
Is fixed by this linux kernel patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7acfda539c0b9636a58bfee56abfb3aeee806d96

This should be included in linux 4.18.20-1.

Thanks for reporting!
--- End Message ---
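
One way to carry out the "check your ruleset" step from the reply, as an added example that is not part of the original thread: a shell function that reports which chains or maps in an nft listing still hold a jump or goto to a given chain. The listing is constructed from the "Add via file" commands in the report; `chain_refs`, `sample_listing` and the `C_TestChain2` rule are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: find what still references a chain before deleting it.

# Constructed listing in the style of `nft list table filter`, built from the
# "Add via file" commands in the report. C_TestChain2 and its rule are
# hypothetical additions to show a rule-level reference.
sample_listing() {
    cat <<'EOF'
table ip filter {
    map J_TestMap {
        type ipv4_addr : verdict
        flags interval
        elements = { 172.21.138.0/29 : jump C_TestChain,
                     172.21.138.8/29 : jump C_TestChain }
    }
    chain vpn_master {
        ip saddr vmap @J_TestMap
        ip daddr 172.21.138.40 jump C_TestChain2
    }
    chain C_TestChain {
    }
    chain C_TestChain2 {
    }
}
EOF
}

# chain_refs CHAIN: read a listing on stdin and print each chain or map that
# holds a jump/goto verdict to CHAIN (one line per referencing object).
# Assumes CHAIN contains only letters, digits and underscores.
chain_refs() {
    awk -v chain="$1" '
        BEGIN { re = "(jump|goto) " chain "([^A-Za-z0-9_]|$)" }
        # Track the enclosing block; "{" is still field 3 with -a handles.
        $1 ~ /^(chain|map|set)$/ && $3 == "{" { obj = $1 " " $2 }
        $0 ~ re && !seen[obj]++ { print obj }
    '
}

# On a live system: nft list ruleset | chain_refs C_TestChain
```

An empty result means the listing shows no remaining jump or goto to the chain; any printed object has to be flushed or deleted before `nft delete chain` can succeed.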