Created attachment 1802445 [details] coredump I logged in a saw firewalld was down and hence Fail2ban was not banning. coredump is attached. 5.12.8-300.fc34.x86_64, firewalld-0.9.4-1.fc34.noarch kernel: firewalld[2638166]: segfault at 2c8 ip 00007f3f596a3083 sp 00007ffc22ef7500 error 4 in libnftables.so.1.0.0[7f3f596a0000+68000] /var/log/messages-20210711:Jul 7 19:43:05 dsm systemd-coredump[3631062]: Process 2638166 (firewalld) of user 0 dumped core. 012Stack trace of thread 2638166: 0 0x00007f3f596a3083 cache_update.cold (libnftables.so.1.0.0 + 0x19083) 1 0x00007f3f596d8557 nft_evaluate (libnftables.so.1.0.0 + 0x4e557) 2 0x00007f3f596dacbe nft_run_cmd_from_buffer (libnftables.so.1.0.0 + 0x50cbe) 3 0x00007f3f5af84c04 ffi_call_unix64 (libffi.so.6 + 0x6c04) 4 0x00007f3f5af84107 ffi_call (libffi.so.6 + 0x6107) 5 0x00007f3f5a279e5f _ctypes_callproc.cold (_ctypes.cpython-39-x86_64-linux-gnu.so + 0x8e5f) 6 0x00007f3f5a283193 PyCFuncPtr_call (_ctypes.cpython-39-x86_64-linux-gnu.so + 0x12193) 7 0x00007f3f69779de7 _PyObject_MakeTpCall (libpython3.9.so.1.0 + 0x111de7) 8 0x00007f3f69776cee _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x10ecee) 9 0x00007f3f6977e753 function_code_fastcall (libpython3.9.so.1.0 + 0x116753) 10 0x00007f3f69771cc3 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x109cc3) 11 0x00007f3f6977e753 function_code_fastcall (libpython3.9.so.1.0 + 0x116753) 12 0x00007f3f69771cc3 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x109cc3) 13 0x00007f3f6977e753 function_code_fastcall (libpython3.9.so.1.0 + 0x116753) 14 0x00007f3f69771cc3 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x109cc3) 15 0x00007f3f6977e753 function_code_fastcall (libpython3.9.so.1.0 + 0x116753) 16 0x00007f3f69771cc3 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x109cc3) 17 0x00007f3f6977e753 function_code_fastcall (libpython3.9.so.1.0 + 0x116753) 18 0x00007f3f69771cc3 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x109cc3) 19 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 20 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 21 0x00007f3f69771cc3 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x109cc3) 22 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 23 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 24 0x00007f3f69771cc3 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x109cc3) 25 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 26 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 27 0x00007f3f69774856 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x10c856) 28 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 29 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 30 0x00007f3f69771a5a _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x109a5a) 31 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 32 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 33 0x00007f3f69774856 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x10c856) 34 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 35 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 36 0x00007f3f69771cc3 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x109cc3) 37 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 38 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 39 0x00007f3f69774856 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x10c856) 40 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 41 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 42 0x00007f3f69771a5a _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x109a5a) 43 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 44 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 45 0x00007f3f69786f05 PyVectorcall_Call (libpython3.9.so.1.0 + 0x11ef05) 46 0x00007f3f69774856 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x10c856) 47 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 48 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 49 0x00007f3f69771a5a _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x109a5a) 50 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 51 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 52 0x00007f3f69774856 _PyEval_EvalFrameDefault (libpython3.9.so.1.0 + 0x10c856) 53 0x00007f3f697706dd _PyEval_EvalCode (libpython3.9.so.1.0 + 0x1086dd) 54 0x00007f3f6977e45e _PyFunction_Vectorcall (libpython3.9.so.1.0 + 0x11645e) 55 0x00007f3f6977dcce object_vacall (libpython3.9.so.1.0 + 0x115cce) 56 0x00007f3f697eec81 PyObject_CallFunctionObjArgs (libpython3.9.so.1.0 + 0x186c81) 57 0x00007f3f5b4bdb04 _pending_call_notify_function (_dbus_bindings.so + 0x10b04) 58 0x00007f3f5b45cb0a complete_pending_call_and_unlock.lto_priv.0 (libdbus-1.so.3 + 0x16b0a) 59 0x00007f3f5b460fec dbus_connection_dispatch (libdbus-1.so.3 + 0x1afec) 60 0x00007f3f5b9d4b59 message_queue_dispatch (_dbus_glib_bindings.so + 0x2b59) 61 0x00007f3f5b05d4cf g_main_context_dispatch (libglib-2.0.so.0 + 0x554cf) 62 0x00007f3f5b0b14e8 g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xa94e8) 63 0x00007f3f5b05ca93 g_main_loop_run (libglib-2.0.so.0 + 0x54a93) 012Stack trace of thread 3280068: 0 0x00007f3f6958e5bf n/a (libc.so.6 + 0xf55bf) 1 0x00007f3f5b0b147c g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xa947c) 2 0x00007f3f5b05ca93 g_main_loop_run (libglib-2.0.so.0 + 0x54a93) 3 0x00007f3f5ae3cd5a gdbus_shared_thread_func.lto_priv.0 (libgio-2.0.so.0 + 0x110d5a) 4 0x00007f3f5b08bc32 g_thread_proxy (libglib-2.0.so.0 + 0x83c32) 5 0x00007f3f69481299 start_thread (libpthread.so.0 + 0x9299) 6 0x00007f3f69599353 n/a (libc.so.6 + 0x100353) 012Stack trace of thread 2638274: 0 0x00007f3f6958e5bf n/a (libc.so.6 + 0xf55bf) 1 0x00007f3f5b0b147c g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xa947c) 2 0x00007f3f5b05ac03 g_main_context_iteration (libglib-2.0.so.0 + 0x52c03) 3 0x00007f3f5b05ac51 glib_worker_main (libglib-2.0.so.0 + 0x52c51) 4 0x00007f3f5b08bc32 g_thread_proxy (libglib-2.0.so.0 + 0x83c32) 5 0x00007f3f69481299 start_thread (libpthread.so.0 + 0x9299) 6 0x00007f3f69599353 n/a (libc.so.6 + 0x100353) /var/log/messages-20210711:Jul 7 19:43:06 dsm systemd[1]: firewalld.service: Main process exited, code=dumped, status=11/SEGV /var/log/messages-20210711:Jul 7 19:43:06 dsm systemd[1]: firewalld.service: Failed with result 'core-dump'. /var/log/messages-20210711:Jul 7 19:43:06 dsm systemd[1]: firewalld.service: Consumed 38min 46.907s CPU time. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007f3f596a3083 in ?? () [Current thread is 1 (LWP 2638166)] (gdb) bt full #0 0x00007f3f596a3083 in ?? () No symbol table info available. #1 0x0000000000000000 in ?? () No symbol table info available.
This is a segfault in libnftables. The bug is likely in nftables. Are you making use of any non-common firewalld features? Any errors/warnings in /var/log/firewalld?
(In reply to Eric Garver from comment #1) > This is a segfault in libnftables. The bug is likely in nftables. I noticed that which is odd as it's not even running: systemctl status nftables ○ nftables.service - Netfilter Tables Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled) Active: inactive (dead) Docs: man:nft(8) > Are you making use of any non-common firewalld features? Any errors/warnings Fail2ban with banaction = firewallcmd-ipset > in /var/log/firewalld? Only warnings like: 2021-07-07 14:13:31 WARNING: ALREADY_ENABLED: 'rule family="ipv4" source address="64.39.99.35" port port="http" protocol="tcp" reject type="icmp-port-unreachable"' already in 'FedoraServer' 2021-07-07 14:13:31 WARNING: ALREADY_ENABLED: 'rule family="ipv4" source address="64.39.99.35" port port="https" protocol="tcp" reject type="icmp-port-unreachable"' already in 'FedoraServer' 2021-07-07 15:13:30 WARNING: NOT_ENABLED: 'rule family="ipv4" source address="64.39.99.35" port port="http" protocol="tcp" reject type="icmp-port-unreachable"' not in 'FedoraServer' 2021-07-07 15:13:31 WARNING: NOT_ENABLED: 'rule family="ipv4" source address="64.39.99.35" port port="https" protocol="tcp" reject type="icmp-port-unreachable"' not in 'FedoraServer'
(In reply to RobbieTheK from comment #2) > (In reply to Eric Garver from comment #1) > > This is a segfault in libnftables. The bug is likely in nftables. > > I noticed that which is odd as it's not even running: > systemctl status nftables > ○ nftables.service - Netfilter Tables > Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; > vendor preset: disabled) > Active: inactive (dead) > Docs: man:nft(8) firewalld uses nftables directly (via libnftables). The nftables service is completely independent.
(In reply to RobbieTheK from comment #2) > (In reply to Eric Garver from comment #1) [..] > > in /var/log/firewalld? > > Only warnings like: > 2021-07-07 14:13:31 WARNING: ALREADY_ENABLED: 'rule family="ipv4" source > address="64.39.99.35" port port="http" protocol="tcp" reject > type="icmp-port-unreachable"' already in 'FedoraServer' > 2021-07-07 14:13:31 WARNING: ALREADY_ENABLED: 'rule family="ipv4" source > address="64.39.99.35" port port="https" protocol="tcp" reject > type="icmp-port-unreachable"' already in 'FedoraServer' > 2021-07-07 15:13:30 WARNING: NOT_ENABLED: 'rule family="ipv4" source > address="64.39.99.35" port port="http" protocol="tcp" reject > type="icmp-port-unreachable"' not in 'FedoraServer' > 2021-07-07 15:13:31 WARNING: NOT_ENABLED: 'rule family="ipv4" source > address="64.39.99.35" port port="https" protocol="tcp" reject > type="icmp-port-unreachable"' not in 'FedoraServer' There is nothing odd here. I think you're simply hitting an nftables bug in the cache code. What version of nftables are you using? # dnf info nftables
(In reply to Eric Garver from comment #4) > (In reply to RobbieTheK from comment #2) > > (In reply to Eric Garver from comment #1) > [..] > > > in /var/log/firewalld? > > > > Only warnings like: > > 2021-07-07 14:13:31 WARNING: ALREADY_ENABLED: 'rule family="ipv4" source > > address="64.39.99.35" port port="http" protocol="tcp" reject > > type="icmp-port-unreachable"' already in 'FedoraServer' > > 2021-07-07 14:13:31 WARNING: ALREADY_ENABLED: 'rule family="ipv4" source > > address="64.39.99.35" port port="https" protocol="tcp" reject > > type="icmp-port-unreachable"' already in 'FedoraServer' > > 2021-07-07 15:13:30 WARNING: NOT_ENABLED: 'rule family="ipv4" source > > address="64.39.99.35" port port="http" protocol="tcp" reject > > type="icmp-port-unreachable"' not in 'FedoraServer' > > 2021-07-07 15:13:31 WARNING: NOT_ENABLED: 'rule family="ipv4" source > > address="64.39.99.35" port port="https" protocol="tcp" reject > > type="icmp-port-unreachable"' not in 'FedoraServer' > > There is nothing odd here. I think you're simply hitting an nftables bug in > the cache code. > > What version of nftables are you using? > > # dnf info nftables Installed Packages Name : nftables Epoch : 1 Version : 0.9.8 Release : 2.fc34 Architecture : x86_64 Size : 906 k Source : nftables-0.9.8-2.fc34.src.rpm Repository : @System From repo : fedora Summary : Netfilter Tables userspace utillites URL : https://netfilter.org/projects/nftables/ License : GPLv2 Description : Netfilter Tables userspace utilities. Available Packages Name : nftables Epoch : 1 Version : 0.9.8 Release : 2.fc34 Architecture : i686 Size : 370 k Source : nftables-0.9.8-2.fc34.src.rpm Repository : fedora Summary : Netfilter Tables userspace utillites URL : https://netfilter.org/projects/nftables/ License : GPLv2 Description : Netfilter Tables userspace utilities. Is there anything I can provide to the Fail2ban developers that will allow F2B to alert or take action?
(In reply to RobbieTheK from comment #5) > (In reply to Eric Garver from comment #4) > > (In reply to RobbieTheK from comment #2) > > > (In reply to Eric Garver from comment #1) > > [..] > > > > in /var/log/firewalld? > > > > > > Only warnings like: > > > 2021-07-07 14:13:31 WARNING: ALREADY_ENABLED: 'rule family="ipv4" source > > > address="64.39.99.35" port port="http" protocol="tcp" reject > > > type="icmp-port-unreachable"' already in 'FedoraServer' > > > 2021-07-07 14:13:31 WARNING: ALREADY_ENABLED: 'rule family="ipv4" source > > > address="64.39.99.35" port port="https" protocol="tcp" reject > > > type="icmp-port-unreachable"' already in 'FedoraServer' > > > 2021-07-07 15:13:30 WARNING: NOT_ENABLED: 'rule family="ipv4" source > > > address="64.39.99.35" port port="http" protocol="tcp" reject > > > type="icmp-port-unreachable"' not in 'FedoraServer' > > > 2021-07-07 15:13:31 WARNING: NOT_ENABLED: 'rule family="ipv4" source > > > address="64.39.99.35" port port="https" protocol="tcp" reject > > > type="icmp-port-unreachable"' not in 'FedoraServer' > > > > There is nothing odd here. I think you're simply hitting an nftables bug in > > the cache code. > > > > What version of nftables are you using? > > > > # dnf info nftables > > Installed Packages > Name : nftables > Epoch : 1 > Version : 0.9.8 > Release : 2.fc34 > Architecture : x86_64 > Size : 906 k > Source : nftables-0.9.8-2.fc34.src.rpm > Repository : @System > From repo : fedora > Summary : Netfilter Tables userspace utillites > URL : https://netfilter.org/projects/nftables/ > License : GPLv2 > Description : Netfilter Tables userspace utilities. There are a lot of nftables cache changes between v0.9.8 and v0.9.9. I'm going to pass this bug to nftables. It's clear the crash is happening there. Hopefully an update to v0.9.9 will address the issue. $ git log --grep cache --pretty=oneline v0.9.8..v0.9.9 f059a13cc5b cache: check errno before invoking cache_release() 9e119c1187b tests: shell: don't assume fixed handle value in cache/0008_delete_by_handle_0 343ba45fc97 evaluate: don't crash on set definition with incorrect datatype 2fbba267619 evaluate: remove object from cache on delete object command 5356454a3c3 evaluate: remove flowtable from cache on delete flowtable command cb48338faf6 evaluate: remove set from cache on delete set command f018ff20b7e evaluate: remove chain from cache on delete chain command bcbb078efff cache: add hashtable cache for table 874ef8e08db evaluate: add object to the cache 48983c3cf8f cache: missing table cache for several policy objects 9e9b33690b6 evaluate: add flowtable to the cache c508dbfe41a evaluate: add set to the cache 35926c0426b cache: add set_cache_del() and use it c4f131d05cb cache: add hashtable cache for flowtable f57f34a8bf1 cache: add hashtable cache for object f3a82459d97 src: consolidate object cache infrastructure 9c44b8d8fe3 src: consolidate nft_cache infrastructure 5121e574c15 src: pass chain name to chain_cache_find() 027c7cf34be src: unbreak deletion by table handle 0fe89d42e54 cache: bail out if chain list cannot be fetched from kernel 9dfe3fb7e37 cache: add hashtable cache for sets 383d17782d3 cache: check for NULL chain in cache_init() ced1281a061 cache: statify chain_cache_dump() 31b109e4586 src: split chain list in table b7896ade2cd cache: rename chain_htable to cache_chain_ht b7c37a50854 src: move remaining cache functions in rule.c to cache.c e8545ee0fba cache: memleak list of chain > Is there anything I can provide to the Fail2ban developers that will allow > F2B to alert or take action? I don't think so.
It appears nftables-0.9.9-1 is only available for Fedora 35 https://bugzilla.redhat.com/show_bug.cgi?id=1964718 which was pushed June 2. No ETA for Fedora 34?
(In reply to RobbieTheK from comment #7) > It appears nftables-0.9.9-1 is only available for Fedora 35 > https://bugzilla.redhat.com/show_bug.cgi?id=1964718 which was pushed June 2. > No ETA for Fedora 34? None that I know. The nftables package maintainer would have to answer that. You could try the RPM from f35. I don't know if it will install properly.
This message is a reminder that Fedora Linux 34 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '34'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 34 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 34 entered end-of-life (EOL) status on 2022-06-07. Fedora Linux 34 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. Thank you for reporting this bug and we are sorry it could not be fixed.