Creating a rule that jumps to a chain which you subsequently delete will result in the kernel throwing a BUG message with the following:

kernel BUG at net/netfilter/nf_tables_api.c:1014!
invalid opcode: 0000 [#1] SMP
Modules linked in: nft_meta nft_reject_ipv4 nft_hash nft_rbtree nf_tables_ipv4_

The host displays no more console output, suggesting a panic; however, the console is no longer responsive and does not respond to ping.

Here is the interactive session I used.

# nft -i
nft> add table filter
nft> add chain filter input { type filter hook input priority 0; }
nft> add chain filter test
nft> add rule filter input jump test
nft> delete chain filter test
bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=69341
>
>             Bug ID: 69341
>            Summary: Kernel BUG/Panic deleting chain used in jump in nftables
>            Product: Networking
>            Version: 2.5
>     Kernel Version: 3.13.0
>           Hardware: x86-64
>                 OS: Linux
>               Tree: Fedora
>             Status: NEW
>           Severity: high
>           Priority: P1
>          Component: Netfilter/Iptables
>           Assignee: networking_netfilter-iptables@kernel-bugs.osdl.org
>           Reporter: deleriux1@gmail.com
>         Regression: No
>
> [...]

Thx, I've queued up a fix. Currently travelling, will send it later today.
Created attachment 123291
Check chain use count before allowing deletion

Here we go. Please test whether this fixes the problem. Thanks.
Looks good. The two mechanisms by which I was able to cause this problem have gone away. Provided the new transcript in case it is reporting anything you don't expect.

nft> add table filter
nft> add chain ip filter input { type filter hook input priority 0; }
nft> add chain ip filter test
nft> add rule ip filter input jump test
nft> delete chain ip filter test
<cli>:1:1-27: Error: Could not delete chain: Device or resource busy
delete chain ip filter test
^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add map filter mymap { type ifindex : verdict ; }
nft> add element filter mymap { lo : jump test }
nft> add element filter mymap { eth0 : jump test }
nft> list table filter
table ip filter {
	map mymap {
		type ifindex : verdict
		elements = { eth0 : jump test, lo : jump test}
	}

	chain input {
		 type filter hook input priority 0;
		 jump test # handle 3
	}

	chain test {
	}
}
nft> delete rule filter input handle 3
nft> delete chain ip filter test
<cli>:1:1-27: Error: Could not delete chain: Device or resource busy
delete chain ip filter test
^^^^^^^^^^^^^^^^^^^^^^^^^^^
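The behaviour in the transcript above (a chain stays busy while any jump verdict, in a rule or a verdict-map element, still targets it) modelled as an added user-space example; this is constructed illustration code, not the kernel's nf_tables implementation or the attached patch, and the chain/jump_ref/del_chain names are assumptions.

```c
#include <errno.h>
#include <string.h>

/* Constructed user-space model of the use-count check, not kernel code. */
struct chain {
    char name[16];
    unsigned int use;  /* jump verdicts (rules or map elements) pointing here */
};
static struct chain chains[8];
static int nchains;

static struct chain *chain_lookup(const char *name)
{
    for (int i = 0; i < nchains; i++)
        if (chains[i].name[0] && strcmp(chains[i].name, name) == 0)
            return &chains[i];
    return NULL;
}

int add_chain(const char *name)
{
    if (nchains >= 8 || chain_lookup(name))
        return -EEXIST;
    strncpy(chains[nchains].name, name, sizeof chains[nchains].name - 1);
    chains[nchains++].use = 0;
    return 0;
}

/* A jump verdict being added (delta +1) or removed (delta -1) adjusts
 * the target chain's use count, whether it lives in a rule or a map. */
int jump_ref(const char *target, int delta)
{
    struct chain *c = chain_lookup(target);
    if (!c || (delta < 0 && c->use == 0))
        return -ENOENT;
    c->use += delta;
    return 0;
}

/* The fix: refuse to free a chain while something still jumps to it;
 * without this the verdict keeps a dangling pointer, the crash reported. */
int del_chain(const char *name)
{
    struct chain *c = chain_lookup(name);
    if (!c)
        return -ENOENT;
    if (c->use > 0)
        return -EBUSY;  /* nft prints "Device or resource busy" */
    c->name[0] = '\0';
    return 0;
}
```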
Thanks, patch pushed upstream.