steps to reproduce: 1. iptables is a symlink to iptables-nft (with iptables-legacy all works fine) 2. I'm not able to reproduce this manually, calling iptables or ferm. Only at boot time. 3. just a minimal debian with only ferm installed $ cat /etc/ferm/ferm.conf table filter { chain BadTcp proto tcp !syn mod conntrack ctstate NEW { mod limit limit 3/minute limit-burst 3 NFLOG nflog-group 0 nflog-prefix "NEW not SYN: "; } chain AllowedTcp mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT; } that produces the following rules: # ferm --remote /etc/ferm/ferm.conf # Generated by ferm 2.4 on Thu May 23 04:56:59 2019 *filter :AllowedTcp - [0:0] :BadTcp - [0:0] -A AllowedTcp --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT -A BadTcp --protocol tcp ! --syn --match conntrack --ctstate NEW --match limit --limit 3/minute --limit-burst 3 --jump NFLOG --nflog-group 0 --nflog" COMMIT trying to run it at boot time gives: [ 2.810581] BUG: unable to handle kernel NULL pointer dereference at 0000000000000337 [ 2.811972] #PF error: [normal kernel read fault] [ 2.812727] PGD 0 P4D 0 [ 2.813149] Oops: 0000 [#1] SMP PTI [ 2.813713] CPU: 0 PID: 227 Comm: iptables-restor Not tainted 5.0.0-trunk-amd64 #1 Debian 5.0.2-1~exp1 [ 2.815195] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 [ 2.816509] RIP: 0010:module_put+0xe/0x80 [ 2.817224] Code: 8e 00 48 8b 4d 00 48 85 c9 75 e4 eb 98 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 48 85 ff 74 71 41 54 55 53 <5 [ 2.820387] RSP: 0018:ffffb82d402df990 EFLAGS: 00010286 [ 2.821242] RAX: ffff9b0ffc9fa400 RBX: 0000000000000003 RCX: 0000000000000005 [ 2.822375] RDX: 0000000000000002 RSI: ffffffffc04612d0 RDI: ffffffffffffffff [ 2.823542] RBP: ffff9b0ffbc301b0 R08: 0000000000000000 R09: 0000000000000074 [ 2.824675] R10: ffffb82d402df8f8 R11: ffffe7cfc0f5d508 R12: 0000000000000004 [ 2.825585] R13: 00000000000000ec R14: 00000000fffffff5 R15: 0000000000000007 [ 2.826456] FS: 00007f06a8bfd740(0000) GS:ffff9b0ffea00000(0000) knlGS:0000000000000000 [ 2.827378] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2.828036] CR2: 0000000000000337 CR3: 0000000036256000 CR4: 00000000000006f0 [ 2.828873] Call Trace: [ 2.829244] nf_tables_newrule+0x585/0x8c0 [nf_tables] [ 2.829968] nfnetlink_rcv_batch+0x4a1/0x660 [nfnetlink] [ 2.830714] ? nfnetlink_rcv_msg+0x13c/0x260 [nfnetlink] [ 2.831460] ? copyout+0x25/0x30 [ 2.831919] ? _copy_to_iter+0x9d/0x3f0 [ 2.832482] ? __skb_try_recv_datagram+0xcb/0x170 [ 2.833170] ? refcount_inc_checked+0x5/0x30 [ 2.833741] ? __nla_parse+0x34/0x120 [ 2.834265] nfnetlink_rcv+0x106/0x13b [nfnetlink] [ 2.834941] netlink_unicast+0x1ba/0x250 [ 2.835498] netlink_sendmsg+0x204/0x3d0 [ 2.836009] sock_sendmsg+0x36/0x40 [ 2.836423] ___sys_sendmsg+0x295/0x2f0 [ 2.836877] ? page_add_file_rmap+0x13/0x210 [ 2.837372] ? filemap_map_pages+0x1b9/0x390 [ 2.838011] ? refcount_inc_checked+0x5/0x30 [ 2.838599] ? apparmor_capable+0x72/0xa0 [ 2.839151] ? security_capable+0x35/0x50 [ 2.839702] ? release_sock+0x19/0x90 [ 2.840207] __sys_sendmsg+0x57/0xa0 [ 2.840702] do_syscall_64+0x53/0x100 [ 2.841239] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 2.841947] RIP: 0033:0x7f06a8cff914 [ 2.842440] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <3 [ 2.845050] RSP: 002b:00007ffe92365cf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 2.845890] RAX: ffffffffffffffda RBX: 00007ffe92365d10 RCX: 00007f06a8cff914 [ 2.846814] RDX: 0000000000000000 RSI: 00007ffe92366d90 RDI: 0000000000000003 [ 2.847647] RBP: 00007ffe92367410 R08: 0000000000000004 R09: 00007f06a8b99410 [ 2.848478] R10: 00007ffe92366d7c R11: 0000000000000246 R12: 00005652c9eee8f0 [ 2.849402] R13: 00007ffe92369ce0 R14: 00007ffe92365d00 R15: 00007ffe92369d18 [ 2.850403] Modules linked in: nft_limit nft_counter xt_NFLOG xt_limit xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32y [ 2.856394] CR2: 0000000000000337 [ 2.856835] ---[ end trace 0bda5f9a9cded6f1 ]--- [ 2.857542] RIP: 0010:module_put+0xe/0x80 [ 2.858140] Code: 8e 00 48 8b 4d 00 48 85 c9 75 e4 eb 98 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 48 85 ff 74 71 41 54 55 53 <5 [ 2.860755] RSP: 0018:ffffb82d402df990 EFLAGS: 00010286 [ 2.861508] RAX: ffff9b0ffc9fa400 RBX: 0000000000000003 RCX: 0000000000000005 [ 2.862548] RDX: 0000000000000002 RSI: ffffffffc04612d0 RDI: ffffffffffffffff [ 2.863559] RBP: ffff9b0ffbc301b0 R08: 0000000000000000 R09: 0000000000000074 [ 2.864563] R10: ffffb82d402df8f8 R11: ffffe7cfc0f5d508 R12: 0000000000000004 [ 2.865568] R13: 00000000000000ec R14: 00000000fffffff5 R15: 0000000000000007 [ 2.866571] FS: 00007f06a8bfd740(0000) GS:ffff9b0ffea00000(0000) knlGS:0000000000000000 [ 2.867801] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2.868465] CR2: 0000000000000337 CR3: 0000000036256000 CR4: 00000000000006f0
I can provide 2Gb qemu image.
This bug can likely be closed, the fixing commit should be b25a31bf0ca091aa8bdb9ab329b0226257568bbe in v5.1-rc3, which was backported to v4.19.44 and v5.0.8.
I confirm that at least 5.2.0-3-amd64 works fine.