When launching nftables (with additional confs managed by Puppet), I get a segfault:
# /usr/sbin/nft -I /etc/nftables/puppet -f /etc/nftables.conf
Segmentation fault
dmesg / kern.log are full of errors like:
[48445.298610] nft[150306]: segfault at 0 ip 00007f295a923b71 sp 00007fff1c498d40 error 4 in libnftables.so.1.0.0[7f295a91f000+5d000]
[48445.298624] Code: bc 24 10 02 00 00 49 8d ac 24 10 02 00 00 48 8b 1f 48 39 fd 75 06 eb 1d 90 48 89 c3 83 af d0 01 00 00 01 75 05 e8 6f df ff ff <48> 8b 03 48 89 df 48 39 eb 75 e4 49 8b bc 24 30 02 00 00 49 8d ac
The tables/chains are all correctly added, though...
nftables.conf includes puppet.nft, which includes confs from /etc/nftables/puppet. I checked the configuration: puppet.nft just includes files from puppet/ and seems to pass, but nftables.conf does not:
# nft -c -I /etc/nftables/puppet -f /etc/nftables/puppet.nft
# nft -c -I /etc/nftables/puppet -f /etc/nftables.conf
Segmentation fault
Content of nftables.conf:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}
include "/etc/nftables/puppet.nft"
For some reason, when I do not include this file in puppet.nft, there is no segfault (I commented out the other include, which doesn't help), although the first check includes it:
table inet filter {
    set blackhole_v4 {
        type ipv4_addr
        flags timeout, interval
    }
    set blackhole_v6 {
        type ipv6_addr
        flags timeout, interval
    }
    #include "inet-filter-chain-*.nft"
}
This was working properly until yesterday, when the server auto-rebooted after unattended-upgrades, which updated, among other things, libnftables1 and the kernel. It seems to break with the new kernel (5.10.0-28-amd64).
It seems linked to the new kernel to me. I have no clue how to debug a segfault in nft or kernel errors... Any kind of help would be appreciated! I'm attaching the output of strace in case it helps; I'm not really able to understand it: https://controlc.com/ea0eb138
This is on Debian Bullseye with nftables v0.9.8 (E.D.S.) / libnftables1 0.9.8-3.1+deb11u2
I hope there are enough details. In the meantime, I'll check on another server which has the same libnftables1 version but kernel 5.10.0-27-amd64, and will update the issue.
Update: I just found this, going to check it: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063769
I checked on a different server which has the latest libnftables1 package but the previous kernel, and it breaks too. So the problem is with libnftables1 0.9.8-3.1+deb11u2.
TEMPORARY FIX: If it can help someone, until it's fixed, I installed 0.9.8-3.1+deb11u1 from snapshot.debian.org and it works:
- Added the source from 2022-12-09 21:05:37 (last seen date):
deb https://snapshot.debian.org/archive/debian/20221209T210537Z/ bullseye main
deb-src https://snapshot.debian.org/archive/debian/20221209T210537Z/ bullseye main
- Pinned the packages:
Package: nftables libnftables1 python3-nftables
Pin: origin snapshot.debian.org
Pin-Priority: 1001
- apt update && apt install nftables
Thank you!
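Added example, not part of the original post: a small shell helper that decodes the kernel segfault line quoted above into the pieces needed to actually locate the crash. The kernel prints the absolute instruction pointer, which changes with ASLR on every run; what addr2line (with the matching -dbgsym package installed) or objdump -d need is the offset inside the library mapping, i.e. ip minus the mapping base printed in square brackets. The page-fault error code is also decoded: "error 4" at address 0 is a user-mode read of an unmapped page, which is a NULL pointer dereference inside libnftables. The sample line is a copy of the dmesg line from the post; the library path under /usr/lib/x86_64-linux-gnu is an assumption about where Debian installs libnftables1.

```bash
#!/usr/bin/env bash
# Decode a kernel "segfault at ..." log line into the faulting library, the
# offset of the instruction pointer inside that library's mapping, the fault
# address and the page-fault error code. The offset (not the absolute ip,
# which changes with ASLR on every run) is what addr2line/objdump need.

# Output: "<library> <ip offset in hex> <fault address in hex> <error code>"
# Returns 1 if the line does not look like a kernel segfault report.
segfault_offset() {
    local line="$1" lib base ip addr err
    addr=$(printf '%s\n' "$line" | sed -n 's/.*segfault at \([0-9a-f]*\) .*/\1/p')
    ip=$(printf '%s\n' "$line"   | sed -n 's/.* ip \([0-9a-f]*\) .*/\1/p')
    err=$(printf '%s\n' "$line"  | sed -n 's/.* error \([0-9]*\) .*/\1/p')
    lib=$(printf '%s\n' "$line"  | sed -n 's/.* in \([^[]*\)\[.*/\1/p')
    base=$(printf '%s\n' "$line" | sed -n 's/.*\[\([0-9a-f]*\)+[0-9a-f]*\].*/\1/p')
    [ -n "$ip" ] && [ -n "$base" ] && [ -n "$lib" ] || return 1
    # ip and base are hex; the difference is the offset within the .so mapping
    printf '%s %x %s %s\n' "$lib" "$(( 0x$ip - 0x$base ))" "$addr" "$err"
}

# Decode the x86 page-fault error code: bit 0 = protection violation (else the
# page was not present), bit 1 = write (else read), bit 2 = user mode (else kernel).
describe_error() {
    local err=$1 out
    if [ $((err & 4)) -ne 0 ]; then out="user-mode"; else out="kernel-mode"; fi
    if [ $((err & 2)) -ne 0 ]; then out="$out write"; else out="$out read"; fi
    if [ $((err & 1)) -ne 0 ]; then out="$out, protection violation"; else out="$out, page not present"; fi
    printf '%s\n' "$out"
}

# Demo on a copy of the dmesg line from the post. The library path is an
# assumption about where Debian installs libnftables1.
demo() {
    local sample out
    sample='[48445.298610] nft[150306]: segfault at 0 ip 00007f295a923b71 sp 00007fff1c498d40 error 4 in libnftables.so.1.0.0[7f295a91f000+5d000]'
    out=$(segfault_offset "$sample") || return 1
    set -- $out
    echo "library: $1  ip offset: 0x$2  fault address: 0x$3  ($(describe_error "$4"))"
    echo "lookup (needs libnftables1-dbgsym): addr2line -f -e /usr/lib/x86_64-linux-gnu/$1 0x$2"
}

demo
```

For the line in the post this yields offset 0x4b71 inside libnftables.so.1.0.0; feeding that offset to addr2line against the debug symbols for the exact installed package version (the symbols for deb11u1 will not match the deb11u2 binary) gives the function and source line that dereferenced the null pointer, which is what a bug report against libnftables1 should carry alongside the strace.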