On Mon, Aug 22, 2016 at 01:02:18AM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx>
>
> After I added the nft rule "nft add rule filter prerouting reject
> with tcp reset", a kernel panic happened on my system:
> NULL pointer dereference at ...
> IP: [<ffffffff81b9db2f>] nf_send_reset+0xaf/0x400
> Call Trace:
> [<ffffffff81b9da80>] ? nf_reject_ip_tcphdr_get+0x160/0x160
> [<ffffffffa0928061>] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4]
> [<ffffffffa08e836a>] nft_do_chain+0x1fa/0x890 [nf_tables]
> [<ffffffffa08e8170>] ? __nft_trace_packet+0x170/0x170 [nf_tables]
> [<ffffffffa06e0900>] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack]
> [<ffffffffa07224d4>] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat]
> [...]
>
> Because in the PREROUTING chain routing information does not exist,
> we dereference the NULL pointer and an oops happens.
>
> So we restrict the reject expression to the INPUT, FORWARD and OUTPUT chains.
> This is consistent with the iptables REJECT target.

Good catch, applied, thanks.
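As an added illustration, not part of this thread or of the kernel's own code: a user-space model of the load-time hook check the fix relies on. It assumes a toy chain structure (base chains carry one hook; non-base chains inherit the union of their callers' hooks via jumps) and only mirrors the intent of restricting reject to INPUT, FORWARD and OUTPUT.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hook numbers follow the ordering of the kernel's enum nf_inet_hooks
 * (PRE_ROUTING=0, LOCAL_IN=1, FORWARD=2, LOCAL_OUT=3, POST_ROUTING=4). */
enum { HOOK_PRE_ROUTING, HOOK_LOCAL_IN, HOOK_FORWARD, HOOK_LOCAL_OUT,
       HOOK_POST_ROUTING, HOOK_COUNT };

/* Hooks at which the packet already carries routing information, so a
 * reset/ICMP error can be built: INPUT, FORWARD and OUTPUT only. */
#define REJECT_HOOK_MASK \
    ((1u << HOOK_LOCAL_IN) | (1u << HOOK_FORWARD) | (1u << HOOK_LOCAL_OUT))

/* Toy chain model (constructed for this example, not struct nft_chain):
 * base_hook is a HOOK_* value, or -1 for a non-base chain that is only
 * reachable through jumps from the chains listed in callers[]. */
#define MAX_CALLERS 4
struct chain {
    int base_hook;
    const struct chain *callers[MAX_CALLERS];
    int ncallers;
};

/* Union of every hook from which packets can reach this chain.
 * nftables rejects jump loops at load time, so the recursion terminates. */
uint32_t chain_hook_mask(const struct chain *c)
{
    if (c->base_hook >= 0)
        return 1u << c->base_hook;
    uint32_t mask = 0;
    for (int i = 0; i < c->ncallers; i++)
        mask |= chain_hook_mask(c->callers[i]);
    return mask;
}

/* Refuse the rule when any reachable hook lies outside the allowed set,
 * so the failure surfaces at rule load instead of as an oops per packet. */
int reject_validate(const struct chain *c)
{
    if (chain_hook_mask(c) & ~REJECT_HOOK_MASK)
        return -EOPNOTSUPP;
    return 0;
}

int main(void)
{
    struct chain pre = { HOOK_PRE_ROUTING, {0}, 0 };
    struct chain in = { HOOK_LOCAL_IN, {0}, 0 };
    printf("prerouting: %d, input: %d\n", reject_validate(&pre), reject_validate(&in));
    return 0;
}
```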