RHEL-152438

Backport fix: nftables segfaults when listing rulesets containing udata created by newer versions


    • Bug
    • Resolution: Unresolved
    • rhel-10.1.z
    • rhel-10.0, rhel-9.7
    • nftables
    • rhel-net-firewall
    • ZStream
    • Regression Exception

      What were you trying to do that didn't work?

      After installing Istio in Ambient mode, we see segmentation faults when trying to list the host’s nftables ruleset using the native RHEL/RHCOS `nft` command (versions lower than 1.1.2).

      What is the impact of this issue to you?

      We are observing segmentation faults in `nftables` when multiple versions of the tool are used on the same host. Specifically, when a newer version of `nftables` (e.g., v1.1.2 or later) creates an nft set that includes udata, older versions (v1.1.1 and earlier) can crash when trying to list the ruleset.

      This is especially noticeable in K8s environments running Istio or Calico, where containers use a newer version of `nftables` while the host, or another container on the same node, is still running an older version.

      The crash occurs because older versions of nft are not able to correctly handle/skip udata. This issue was addressed in nftables in the following commit:
      https://git.netfilter.org/nftables/commit/?id=be737a1986bfee0ddea4bee7863dca0123a2bcbc

      Please provide the package NVR for which the bug is seen:

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Generate a ruleset using a newer nftables version (v1.1.2+) inside a container sharing the host network namespace:
        podman run --rm -it --privileged --network host quay.io/fedora/fedora:43 /bin/bash
        {container}# dnf install -y nftables
        {container}# nft add table test
        {container}# nft 'add set test dummy { type ipv4_addr; }'
      2. Attempt to list the ruleset on the RHEL/RHCOS host (running an older version like v1.0.4 or v1.0.9):
        nft list ruleset
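As an added pre-flight check (example code, not part of this issue or of the nftables project): the version thresholds stated above (nft 1.1.2 and later write set udata; 1.1.1 and earlier may segfault listing it) turned into a small POSIX sh function that classifies an `nft --version` line as safe or at risk, so a node or container image can be flagged before anyone runs `nft list ruleset` on it. The version strings below are constructed samples in the format `nft --version` prints; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the RHEL issue: classify an `nft --version` line
# against the 1.1.2 threshold described in the bug report.

# Extract "MAJOR.MINOR.PATCH" from a line such as "nftables v1.0.9 (sample)".
nft_version_number() {
    printf '%s\n' "$1" | sed -n 's/^nftables v\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when version $1 >= version $2, comparing each numeric
# field so that 1.10.0 correctly sorts after 1.9.0. Missing fields count as 0.
version_ge() {
    a="$1" b="$2" i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Return 0 when the `nft --version` output is from a release that tolerates
# udata written by a newer nft (1.1.2 or later), 1 when it is at risk of the
# segfault on `nft list ruleset`. Unparseable input is treated as at risk.
nft_udata_safe() {
    v=$(nft_version_number "$1")
    [ -n "$v" ] || return 1
    version_ge "$v" "1.1.2"
}

# Constructed sample inputs: an older host nft and a newer container nft.
HOST_OLD="nftables v1.0.9 (sample)"
CONTAINER_NEW="nftables v1.1.2 (sample)"

check_host() {
    if nft_udata_safe "$1"; then
        echo "OK:      '$1' handles udata from a newer nft"
    else
        echo "AT RISK: '$1' is older than 1.1.2; listing a ruleset written by a newer nft may segfault (fix needs backporting)"
    fi
}

check_host "$HOST_OLD"
check_host "$CONTAINER_NEW"
```

On a real node, feed it the live output: `check_host "$(nft --version)"`.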

      Expected results

      The host `nft` binary should successfully list the ruleset (or safely ignore the `udata` it doesn't understand) without crashing.

      Actual results

      The command fails with:
      `Segmentation fault (core dumped)`


      Requested Action:

      Please backport the nftables fix for the `udata` handling crash to the `nftables` packages in the following streams:

      • RHEL-8/RHCOS-8 (v1.0.4)
      • RHEL-9/RHCOS-9 (v1.0.9)
      • RHEL-10 (if applicable)


      Additional Info:


              psutter@redhat.com Phil Sutter
              sgaddam@redhat.com Gaddam Sridhar
              Phil Sutter
              Jiri Peska