Your message dated Tue, 15 Dec 2015 14:16:13 +0100
with message-id
<caoksjbiyt07b_-ynbbxbjc7lp0yb2l+u+hxsna5usqegry6...@mail.gmail.com>
and subject line
has caused the Debian Bug report #801087,
regarding nft utility from nftables segfaults
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
801087: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801087
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nftables
Version: 0.5-1~bpo8+1
This is jessie with jessie-backports enabled and kernel
4.1.0-0.bpo.2-amd64 installed from backports as well.
libc version 2.19-18+deb8u1.
nft started to segfault right after update to 0.5:
(ruleset is empty)
# nft -f /etc/nftables.conf
Segmentation fault
Contents of nftables.conf:
#!/usr/sbin/nft -f
# Ruleset file from the bug report; loading it with `nft -f` is the step
# that ended in "Segmentation fault" above.
# Drop every table, chain and rule currently loaded before defining new ones.
flush ruleset
# Symbolic variables, expanded as $name in the rules below.
# Port set dropped on eth0 for both TCP and UDP in the input chain
# (presumably NFS-related services, going by the name).
define ports_nfs = {111, 2049, 9750, 9760}
# NOTE(review): this prefix is written with host bits set (.255/24). As a /24
# it covers the whole 212.47.240.0-212.47.240.255 range, which is then the
# allow-list for TCP port 9000 in the input chain. If a single host was meant,
# the /24 is too broad -- confirm the intent.
define ipaddr_yjin = 212.47.240.255/24
define ipaddr4_vpn_melf = 192.168.98.2
# The IPv6 values contain "xxxx" groups; presumably redacted by the reporter.
# As shown they are not valid address literals, so the file cannot be loaded
# verbatim.
define ipaddr6_vpn_melf = 2001:xxxx:xxxx:xxxx::xxxx
define net4_vpn = 192.168.98.0/23
define net6_vpn = 2001:xxxx:xxxx:xxxx::/60
define ipaddr4_ours = 195.154.99.30
# Dual-stack (inet family) filter table: its chains see both IPv4 and IPv6.
# NOTE(review): several rules below are split across two lines with the verdict
# on the second line. This looks like mail line-wrapping. In an nft file a
# newline ends the rule, so the match and its `accept` must be on one line;
# otherwise the bare `accept` becomes an unconditional rule.
table inet filter {
# Regular chain (no hook), reached only through `jump icmpfilt`.
# Packets within the rate are accepted; the excess is counted and dropped.
# The single limit is shared by every packet sent here from input and forward,
# not tracked per source.
chain icmpfilt {
limit rate 100/second accept
counter drop
}
# Base chain for locally destined traffic. No `policy` is set, so nft's
# default (accept) applies: this is a deny-list, and anything not matched by
# a drop rule below is accepted.
chain input {
type filter hook input priority 0;
ip protocol icmp jump icmpfilt
# NOTE(review): `ip6 nexthdr` tests only the Next Header field of the fixed
# IPv6 header, so ICMPv6 that follows extension headers is not matched here.
# `meta l4proto ipv6-icmp` matches the transport protocol instead.
ip6 nexthdr ipv6-icmp jump icmpfilt
# `iif` is resolved to an interface index when the ruleset is loaded, so
# eth0 must exist at load time; `iifname` compares the name per packet.
iif eth0 tcp dport $ports_nfs drop
iif eth0 udp dport $ports_nfs drop
# These ports are dropped on every interface except eth0. As written, that
# includes loopback.
iif != eth0 tcp dport {25, 2022, 17860} drop
iif != eth0 udp dport 17860 drop
# TCP 9000 on eth0 is reachable only from sources inside $ipaddr_yjin.
iif eth0 ip saddr != $ipaddr_yjin tcp dport 9000 drop
}
# Base chain for routed traffic, again with the default accept policy.
chain forward {
type filter hook forward priority 0;
# ICMP is handled before the conntrack rule, so forwarded ICMP from any
# source is accepted up to the shared rate regardless of connection state.
ip protocol icmp jump icmpfilt
ip6 nexthdr ipv6-icmp jump icmpfilt
ct state established,related accept
# Traffic between VPN addresses is allowed in both address families.
ip saddr $net4_vpn ip daddr $net4_vpn accept
ip6 saddr $net6_vpn ip6 daddr $net6_vpn accept
# New connections from eth0 to the VPN host on port 15800. For IPv4 this is
# the destination set by the dnat rules in `table ip nat`, which run at
# prerouting, before this chain.
iif eth0 ip daddr $ipaddr4_vpn_melf tcp dport 15800
accept
iif eth0 ip daddr $ipaddr4_vpn_melf udp dport 15800
accept
iif eth0 ip6 daddr $ipaddr6_vpn_melf tcp dport 15800
accept
iif eth0 ip6 daddr $ipaddr6_vpn_melf udp dport 15800
accept
# Everything else arriving on eth0 is dropped. Traffic entering on other
# interfaces falls through to the default accept policy.
iif eth0 drop
}
}
# IPv6-only table that throttles locally generated UDP to port 547
# (presumably DHCPv6 client-to-server traffic -- confirm).
table ip6 filter {
chain output {
type filter hook output priority 0;
# Up to 10 packets per minute are accepted; anything over the rate falls
# through to the drop rule. All other output is untouched (default accept).
udp dport 547 limit rate 10/minute accept
udp dport 547 drop
}
}
# IPv4 NAT table: inbound port forwarding at prerouting, source masquerading
# at postrouting.
# NOTE(review): the dnat targets appear on the line after `dnat`. This looks
# like mail line-wrapping. A newline ends an nft rule, so each target must
# follow `dnat` on the same line.
table ip nat {
chain prerouting {
type nat hook prerouting priority 0;
# Port 15800 (TCP and UDP) addressed to the public IP on eth0 is forwarded
# to the VPN host. The forward chain in `table inet filter` must accept the
# translated destination for this to pass.
iif eth0 ip daddr $ipaddr4_ours tcp dport 15800 dnat
$ipaddr4_vpn_melf
iif eth0 ip daddr $ipaddr4_ours udp dport 15800 dnat
$ipaddr4_vpn_melf
# UDP 443 on the public IP is rewritten to port 1194 on the same address,
# so the packet stays local and is then evaluated by the input chain.
iif eth0 ip daddr $ipaddr4_ours udp dport 443 dnat
$ipaddr4_ours:1194
}
chain postrouting {
type nat hook postrouting priority 0;
# Masquerade VPN-sourced traffic leaving via eth0. The literal prefix
# duplicates $net4_vpn; keep the two in sync if the range changes.
oif eth0 ip saddr 192.168.98.0/23 masquerade
}
}
--- End Message ---
--- Begin Message ---
--
Arturo Borrero González
--- End Message ---