Re: iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)

Paul Moore <paul@xxxxxxxxxxxxxx> · Tue, 26 Apr 2016 14:54:26 -0400

On Tue, Apr 26, 2016 at 4:58 AM, Lev Stipakov <lstipakov@xxxxxxxxx> wrote:
> Hello,
>
> I see kernel panic with iptables-persistent package installed and one
> iptables rule with AUDIT target.
>
>   root@debian7:~# uname -a
>   Linux debian7 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
>
>   root@debian7:~# dpkg -l | grep iptables
>   ii  iptables                  1.4.14-3.1
>   ii  iptables-persistent       0.5.7+deb7u1
>
> Steps to reproduce:
>
> 1) Install Debian 7 and iptables-persistent (see versions above)
> 2) Add iptables rule (must be OUTPUT chain):
>
>   root@debian7:~# iptables -I OUTPUT -j AUDIT --type ACCEPT
>
> 3) Save rule:
>
>   root@debian7:~# iptables-save > /etc/iptables/rules.v4
>
> 4) Reboot
>
> 5) Kernel panic (screenshot):
> https://www.dropbox.com/s/db40e5kc10e4ddg/kernel_panic2.png?dl=0
>
>
> I cannot reproduce it on (one of) previous kernel version:
>
>   lev@debi7:~$ uname -a
>   Linux debi7 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2 x86_64 GNU/Linux
>
>   lev@debi7:~$ dpkg -l | grep iptables
>   ii  iptables                           1.4.14-3.1
>   ii  iptables-persistent                0.5.7+deb7u1

Unfortunately I don't have a Debian system available to test, but have
you tried reproducing this on a more modern kernel?

-- 
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html