Bug 1805611
| Summary: | xtables-monitor crash when target TRACE rule get matched | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | yiche <yiche> | |
| Component: | iptables | Assignee: | Phil Sutter <psutter> | |
| Status: | CLOSED ERRATA | QA Contact: | Jiri Peska <jpeska> | |
| Severity: | high | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.2 | CC: | iptables-maint-list, jpeska, todoleza | |
| Target Milestone: | rc | Keywords: | Regression | |
| Target Release: | 8.0 | |||
| Hardware: | Unspecified | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | iptables-1.8.4-9.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1806606 (view as bug list) | Environment: | ||
| Last Closed: | 2020-04-28 17:00:30 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1806606 | |||
Fixed with a small RHEL-only patch:
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index a5245d1422af9..737c35f2ac60c 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -595,7 +595,9 @@ int xtables_monitor_main(int argc, char *argv[])
struct mnl_socket *nl;
char buf[MNL_SOCKET_BUFFER_SIZE];
uint32_t nfgroup = 0;
- struct nft_handle h = {};
+ struct nft_handle h = {
+ .family = AF_INET,
+ };
struct cb_arg cb_arg = {
.h = &h,
};
@@ -622,6 +624,9 @@ int xtables_monitor_main(int argc, char *argv[])
strerror(errno));
exit(EXIT_FAILURE);
}
+ h.ops = nft_family_ops_lookup(h.family);
+ if (!h.ops)
+ xtables_error(PARAMETER_PROBLEM, "Unknown family");
opterr = 0;
while ((c = getopt_long(argc, argv, "ceht46V", options, NULL)) != -1) {
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:1889 |
Fixed upstream, commits to backport: commit 1639b8ba5105542c73e0e1c35e70f245dab89d81 Author: Phil Sutter <phil> Date: Fri Feb 21 13:18:32 2020 +0100 xtables: Align effect of -4/-6 options with legacy Legacy iptables doesn't accept -4 or -6 if they don't match the symlink's native family. The only exception to that is iptables-restore which simply ignores the lines introduced by non-matching options, which is useful to create combined dump files for feeding into both iptables-restore and ip6tables-restore. Signed-off-by: Phil Sutter <phil> commit 0f40a8bc49d3f7b815336199931a82f919f37c4e Author: Phil Sutter <phil> Date: Fri Feb 21 13:29:05 2020 +0100 xtables: Drop -4 and -6 support from xtables-{save,restore} Legacy tools don't support those options, either. Signed-off-by: Phil Sutter <phil> commit d0446ab11182f6ca2adc486a124895f09a220c6e Author: Phil Sutter <phil> Date: Fri Feb 21 14:55:52 2020 +0100 xtables: Review nft_init() Move common code into nft_init(), such as: * initial zeroing nft_handle fields * family ops lookup and assignment to 'ops' field * setting of 'family' field This requires minor adjustments in xtables_restore_main() so extra field initialization doesn't happen before nft_init() call. As a side-effect, this fixes segfaulting xtables-monitor binary when printing rules for trace event as in that code-path 'ops' field wasn't initialized. Signed-off-by: Phil Sutter <phil> Fix is in the last one, but the previous ones are dependencies.