Since my nftables ruleset grows bigger and bigger, I wanted to move some of the rules to other files and include them in the main file. Everything was fine before cutting the main file into several pieces, but after moving the rules, I started to experience kernel BUGs when the whole ruleset is being applied (see the BUG at the end of the email).

I wanted to know what exactly causes the kernel BUG, and I found out that when I remove the following rule from one of the included files:

------------------------
delete table ip raw-set
------------------------

the kernel BUG goes away. The same rule was in the main file, and it didn't cause a kernel BUG. Maybe because it was at the beginning of the file. What's weird, when I include only one additional file in the main ruleset file, the above rule can exist in that file, and the kernel BUG doesn't occur. But as soon as I include an additional file in the main file, I get the BUG.

I wanted to reproduce this using some simpler example than my current ruleset, but I couldn't trigger the kernel BUG, so I think the used rules also matter.

Anyway, when I was playing with the simple example I found that when you try to remove a table that doesn't exist, it removes all tables of the same family (ip/ip6/inet) and all rules in them. To reproduce this, create the following ruleset:

------------------------------------
#!/usr/sbin/nft -f
flush ruleset
create table ip nat
create table inet filter
create chain ip nat testchain
delete table ip testtable
------------------------------------

When you apply the ruleset, you get the following:

# nft -f main.nft
# nft list ruleset
table inet filter {
}

So where's the "nat" table? I created it, I didn't delete it, but it doesn't exist? Maybe this is why the kernel BUG happens when the ruleset is a little bit more complicated. What do you think about it?

Here's the BUG:

kernel: list_add double add: new=ffff8cb90dc98c30, prev=ffff8cb90dc98c30, next=ffff8cb802f628e8.
kernel: ------------[ cut here ]------------
kernel: kernel BUG at lib/list_debug.c:31!
kernel: invalid opcode: 0000 [#1] PREEMPT SMP PTI
kernel: CPU: 1 PID: 37342 Comm: nft Tainted: G T 4.20.0-amd64-morficzny #19
kernel: Hardware name: Hewlett-Packard HP G62 Notebook PC /1439, BIOS F.48 11/09/2011
kernel: RIP: 0010:__list_add_valid+0x4f/0x60
kernel: Code: 00 48 39 c5 74 0f 48 39 d5 74 0a 5b b8 01 00 00 00 5d 41 5c c3 48 89 d9 4c 89 e2 48 89 ee 48 c7 c7 60 a3 a4 92 e8 84 2d ba ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 53 48 89 fb 48
kernel: RSP: 0018:ffff9f2e021bb938 EFLAGS: 00010282
kernel: RAX: 0000000000000058 RBX: ffff8cb802f628e8 RCX: 0000000000000000
kernel: RDX: 0000000000000000 RSI: ffffffff92a365ba RDI: 0000000000000001
kernel: RBP: ffff8cb90dc98c30 R08: ffffffff91c64390 R09: 00000000000068bb
kernel: R10: 0000000000000000 R11: 0000000000000030 R12: ffff8cb90dc98c30
kernel: R13: ffff8cb802f62840 R14: ffff8cb90dc98c30 R15: ffff8cb802f628e8
kernel: FS: 00007e6160b2b200(0000) GS:ffff8cb90f900000(0000) knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 00007e6160aff000 CR3: 000000000b186002 CR4: 00000000000206e0
kernel: Call Trace:
kernel: nf_tables_rebind_set+0x9c/0xc0
kernel: __nf_tables_abort+0x382/0x6b0
kernel: nf_tables_abort+0x12/0x30
kernel: nfnetlink_rcv_batch+0x1ef/0x680
kernel: ? __nla_parse+0x37/0x130
kernel: ? apparmor_capable+0x45/0xf0
kernel: ? nla_parse+0x33/0x40
kernel: nfnetlink_rcv+0x10f/0x150
kernel: netlink_unicast+0x184/0x210
kernel: netlink_sendmsg+0x200/0x3d0
kernel: sock_sendmsg+0x39/0x50
kernel: ___sys_sendmsg+0x26e/0x290
kernel: ? ___bpf_prog_run+0x25a/0xed0
kernel: ? __bpf_prog_run32+0x43/0x60
kernel: ? seccomp_run_filters+0x68/0xc0
kernel: __sys_sendmsg+0x6c/0xb0
kernel: do_syscall_64+0x71/0x554
kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
kernel: RIP: 0033:0x7e6160ea3c34
kernel: Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 c9 5a 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53
kernel: RSP: 002b:00007fff190ed4d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
kernel: RAX: ffffffffffffffda RBX: 00007fff190ed500 RCX: 00007e6160ea3c34
kernel: RDX: 0000000000000000 RSI: 00007fff190ee560 RDI: 0000000000000003
kernel: RBP: 00007fff190ee660 R08: 0000000000000004 R09: 000056edad738f30
kernel: R10: 00007fff190ee54c R11: 0000000000000246 R12: 00007fff190ee6c0
kernel: R13: 00007fff190ed500 R14: 00007fff190ed500 R15: 000056edad734f90
kernel: Modules linked in:
kernel: ---[ end trace 9c2e322047222099 ]---
kernel: RIP: 0010:__list_add_valid+0x4f/0x60
kernel: Code: 00 48 39 c5 74 0f 48 39 d5 74 0a 5b b8 01 00 00 00 5d 41 5c c3 48 89 d9 4c 89 e2 48 89 ee 48 c7 c7 60 a3 a4 92 e8 84 2d ba ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 53 48 89 fb 48
kernel: RSP: 0018:ffff9f2e021bb938 EFLAGS: 00010282
kernel: RAX: 0000000000000058 RBX: ffff8cb802f628e8 RCX: 0000000000000000
kernel: RDX: 0000000000000000 RSI: ffffffff92a365ba RDI: 0000000000000001
kernel: RBP: ffff8cb90dc98c30 R08: ffffffff91c64390 R09: 00000000000068bb
kernel: R10: 0000000000000000 R11: 0000000000000030 R12: ffff8cb90dc98c30
kernel: R13: ffff8cb802f62840 R14: ffff8cb90dc98c30 R15: ffff8cb802f628e8
kernel: FS: 00007e6160b2b200(0000) GS:ffff8cb90f900000(0000) knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 00007f9b636a1170 CR3: 000000000b186002 CR4: 00000000000206e0
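An added example, not part of the original message and not nftables code: a pre-load check that flags every `delete table` naming a table the same file has not created, the pattern the message reports trouble with. It assumes a single already-concatenated file (`include` lines are not followed) and the default family `ip`; `lint_table_deletes` and `REPRODUCER` are names made up here.

```python
import re

# Constructed sample: the reproducer ruleset quoted in the message above.
REPRODUCER = """\
#!/usr/sbin/nft -f
flush ruleset
create table ip nat
create table inet filter
create chain ip nat testchain
delete table ip testtable
"""

FAMILY = r"(?:(ip6|ip|inet|arp|bridge|netdev)\s+)?"
TABLE_CMD = re.compile(r"^(add|create|delete)\s+table\s+" + FAMILY + r"([\w-]+)$")
TABLE_BLOCK = re.compile(r"^table\s+" + FAMILY + r"([\w-]+)\s*\{")


def lint_table_deletes(text):
    """Return (line, severity, family, table) for each risky 'delete table'.

    'error'   : the table cannot exist at that point in the batch.
    'warning' : the outcome depends on what is already loaded in the kernel.
    """
    exists = {}      # (family, table) -> True/False as known within this batch
    flushed = False  # after 'flush ruleset', unlisted tables are known absent
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Strip '#' comments (quoted '#' is not handled), split ';' separators.
        for cmd in raw.split("#", 1)[0].split(";"):
            cmd = " ".join(cmd.split())
            if cmd == "flush ruleset":
                exists, flushed = {}, True
                continue
            block = TABLE_BLOCK.match(cmd)
            if block:  # 'table ip nat { ...' declares the table
                exists[(block.group(1) or "ip", block.group(2))] = True
            m = TABLE_CMD.match(cmd)
            if not m:
                continue
            verb, key = m.group(1), (m.group(2) or "ip", m.group(3))
            if verb != "delete":
                exists[key] = True
                continue
            state = exists.get(key, False if flushed else None)
            if state is not True:
                severity = "error" if state is False else "warning"
                findings.append((line_no, severity, *key))
            exists[key] = False
    return findings
```

Preceding the delete with `add table ip raw-set` in the same file clears the finding, because `add table` succeeds whether or not the table is already loaded.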