
Bug#914429: marked as done (nftables: Delete and Flush lead to device or resource busy with segmentation fault)



Your message dated Fri, 23 Nov 2018 11:59:29 +0100
with message-id <e30e75bc-ad60-4732-600d-1d8b6fe84e52@debian.org>
and subject line Re: Bug#914429: nftables: Delete and Flush lead to device or resource busy with segmentation fault
has caused the Debian Bug report #914429,
regarding nftables: Delete and Flush lead to device or resource busy with segmentation fault
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
914429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914429
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---

Package: nftables
Version: 0.9.0-1~bpo9+1
Severity: important

Dear Maintainer,

When adding and deleting rules, chains, maps and sets in nft, we can reproduce a
"device or resource busy" error, followed by a "segmentation fault" on flush ruleset.

For the device or resource busy error, we can't find any process in the process list.
# nft delete chain filter C_TestChain
Error: Could not process rule: Device or resource busy
delete chain filter C_TestChain

# nft flush ruleset
Segmentation fault

How to reproduce:

/etc/nftables.conf:

#!/usr/sbin/nft -f
# Skeleton for nftables

flush ruleset

table ip filter {
    chain FORWARD {
        type filter hook forward priority 0;
    }
}

Add via file:

add chain filter vpn_master
add map filter J_TestMap { type ipv4_addr : verdict ; flags interval ; }
add rule filter vpn_master ip saddr vmap @J_TestMap
add chain filter C_TestChain
add set filter M_TestMasterSet {type ipv4_addr ; flags interval ; elements={ 172.21.138.0/29 } ;}
add set filter S_TestSlaveSet {type ipv4_addr ; flags interval ; elements={ 172.21.138.8/29, 172.21.138.16/28, 172.21.138.32/29 } ;}
add element filter J_TestMap { 172.21.138.0/29 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.8/29 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.16/28 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.32/29 : jump C_TestChain }
add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr @M_TestMasterSet accept
add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr @S_TestSlaveSet accept
add rule filter C_TestChain ip saddr @S_TestSlaveSet ip daddr @M_TestMasterSet accept

Then flush and delete some rules with the following commands:

# nft flush set filter M_TestMasterSet
# nft flush set filter S_TestSlaveSet
# nft flush map filter J_TestMap
# nft flush chain filter C_TestChain
# nft delete set filter M_TestMasterSet
# nft delete set filter S_TestSlaveSet

Now we delete the vmap via handle (could not find out how to delete this via
name):

# nft list table filter -na
table ip filter { # handle 2
    map J_TestMap { # handle 3
        type ipv4_addr : verdict
        flags interval
    }

    chain FORWARD { # handle 1
        type filter hook forward priority 0; policy accept;
    }

    chain vpn_master { # handle 2
        ip saddr vmap @J_TestMap # handle 4
    }

    chain C_TestChain { # handle 5
    }
}

# nft delete rule filter vpn_master handle 4
# nft delete map filter J_TestMap
# nft delete chain filter C_TestChain
Error: Could not process rule: Device or resource busy
delete chain filter C_TestChain

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

What is left, and can we delete it via a complete flush?

# nft list table filter -na
table ip filter { # handle 2
    chain FORWARD { # handle 1
        type filter hook forward priority 0; policy accept;
    }

    chain vpn_master { # handle 2
    }

    chain C_TestChain { # handle 5
    }
}

# nft flush ruleset
Segmentation fault

Please contact me if you need further details.

Regards, Eike

-- System Information:
Debian Release: 9.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (50, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg          1.18.25
ii  libc6         2.24-11+deb9u3
ii  libgmp10      2:6.1.2+dfsg-1
ii  libnftables0  0.9.0-1~bpo9+1
ii  libreadline7  7.0-3

ii  libnftnl7:amd64                    1.1.1-1~bpo9+1

nftables recommends no packages.

nftables suggests no packages.

-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset
table ip filter {
    chain FORWARD {
        type filter hook forward priority 0;
    }
}


--- End Message ---
--- Begin Message ---
Control: severity -1 normal
Control: reassign -1 linux
Control: fixed -1 4.18.20-1

On 11/23/18 11:32 AM, Eike Lohmann wrote:
> # nft delete chain filter C_TestChain
> Error: Could not process rule: Device or resource busy
> delete chain filter C_TestChain
> 

This is not a bug. This means that the C_TestChain chain is referenced
by other objects within the ruleset, thus you can't delete it.

Please check your ruleset.

> # nft flush ruleset
> Segmentation fault
> 

This is a kernel error which leads the userspace application to crash.

It is fixed by this Linux kernel patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7acfda539c0b9636a58bfee56abfb3aeee806d96

This should be included in linux 4.18.20-1.

Thanks for reporting!

--- End Message ---
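
The reply's point that a chain cannot be deleted while other objects reference it can be checked mechanically before running "nft delete chain". The following is an added example, not part of either message and not nftables code: a small parser over "nft list table ... -na" style text that reports which chains, maps or sets still refer to a given name. The listing is constructed from the report's ruleset, and the function name is hypothetical.

```python
import re

# Constructed sample: the shape of `nft list table filter -na` output for the
# report's ruleset before anything is flushed (handle numbers are made up).
SAMPLE_LISTING = """\
table ip filter { # handle 2
    map J_TestMap { # handle 3
        type ipv4_addr : verdict
        flags interval
        elements = { 172.21.138.0/29 : jump C_TestChain, 172.21.138.8/29 : jump C_TestChain,
                     172.21.138.16/28 : jump C_TestChain, 172.21.138.32/29 : jump C_TestChain }
    }
    chain FORWARD { # handle 1
        type filter hook forward priority 0; policy accept;
    }
    chain vpn_master { # handle 2
        ip saddr vmap @J_TestMap # handle 4
    }
    chain C_TestChain { # handle 5
    }
}
"""

BLOCK = re.compile(r"^\s*(table|chain|map|set)\s+(.+?)\s*\{")
# A name is "referenced" by a jump/goto verdict or by an @name set/map lookup.
REF = re.compile(r"(?:\b(?:jump|goto)\s+|@)([\w./-]+)")

def find_references(listing, name):
    """Return {(kind, block_name): count} for blocks whose body refers to name."""
    refs, stack, depth = {}, [], 0
    for line in listing.splitlines():
        code = line.split("#", 1)[0]          # drop "# handle N" comments
        m = BLOCK.match(code)
        if m:                                 # entering a table/chain/map/set
            stack.append((m.group(1), m.group(2), depth))
        hits = REF.findall(code).count(name)
        if hits and stack:
            key = stack[-1][:2]
            refs[key] = refs.get(key, 0) + hits
        depth += code.count("{") - code.count("}")
        while stack and depth <= stack[-1][2]:
            stack.pop()                       # innermost block has closed
    return refs

if __name__ == "__main__":
    for target in ("C_TestChain", "J_TestMap"):
        print(target, "<-", find_references(SAMPLE_LISTING, target))
```

On the sample, C_TestChain is held by the four verdict elements of J_TestMap, and J_TestMap in turn by the vmap rule in vpn_master, which gives the removal order: the rule, then the map or its elements, then the chain.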
