Re: is nftables compatible with kernel 4.14

Hi. Actually I haven't done anything special. I just updated nftables to
v0.9.0 and then immediately executed 'nft -f /etc/config/ruleset.nft'
and got 'Segmentation fault'.
Please note that I'm running a LEDE/OpenWRT based router. I'm not sure if
it matters, but if you can't reproduce it on a normal Linux machine, then
maybe it makes sense to run x86 based OpenWRT on VirtualBox and test there.

/Darius

On 25-06-2018 14:14, Pablo Neira Ayuso wrote:
> On Sun, Jun 24, 2018 at 03:53:35PM +0200, darius wrote:
>> Ok, my bad. I was running nft as non-root user, therefore I got this
>> fault. No problems running as 'root'.
>>
>> /Darius
>>
>> On 24-06-2018 14:51, darius wrote:
>>> Hi. I have just installed nftables 0.9.0 on my router and when I tried
>>> to add a ruleset script to it with the command 'nft -f ruleset.nft' I got
>>> 'segmentation fault'. The same ruleset was working without any problems with
>>> nft 0.8.5. So the first idea that came to my mind is that I run an
>>> incompatible kernel. I use 4.14.50 on OpenWRT/LEDE.
>>> If that is the case, then I need to raise a ticket in OpenWRT.
>>>
>>> Last information in '--debug all' was this:
>>>
>>> ./ruleset.nft:290:18-31: Evaluate symbol
>>>         ip saddr @port_scanners log group 1 log prefix "Drop port
>>> scanners" group 2 counter drop
>>>                  ^^^^^^^^^^^^^^
>>> $port_scanners
>>>
>>> ----------------	------------------
>>> |  0000000020  |	| message length |
>>> | 02576 | R--- |	|  type | flags  |
>>> |  0000000001  |	| sequence number|
>>> |  0000000000  |	|     port ID    |
>>> ----------------	------------------
>>> | 00 00 00 00  |	|  extra header  |
>>> ----------------	------------------
>>> ----------------	------------------
>>> |  0000000020  |	| message length |
>>> | 02561 | R--- |	|  type | flags  |
>>> |  0000000001  |	| sequence number|
>>> |  0000000000  |	|     port ID    |
>>> ----------------	------------------
>>> | 00 00 00 00  |	|  extra header  |
>>> ----------------	------------------
>>> ----------------	------------------
>>> |  0000000036  |	| message length |
>>> | 02570 | R-A- |	|  type | flags  |
>>> |  0000000001  |	| sequence number|
>>> |  0000000000  |	|     port ID    |
>>> ----------------	------------------
>>> | 02 00 00 00  |	|  extra header  |
>>> |00013|--|00001|	|len |flags| type|
>>> | 69 70 76 34  |	|      data      |	 i p v 4
>>> | 5f 6e 61 74  |	|      data      |	 _ n a t
>>> | 00 00 00 00  |	|      data      |	
>>> ----------------	------------------
>>> Segmentation fault
> 
> Could you tell me steps to reproduce it?
> 
> Even if the kernel comes with no nft support, or you run it as non-root,
> it should not segfault.
> 
> Thanks!
> 
