CentOS 8 nftable segmentation fault with big ip set

Issues related to configuring your network
rubus
Posts: 2
Joined: 2020/12/13 17:13:46

Post by rubus » 2020/12/13 17:45:55

Hello to all.
I am a newbie to firewalls, especially to nftables.

I am trying to drop packets from certain regions / "bad IPs"; as a result I have a list of 1103505 CIDRs.
My nftables configuration has 2 files.

main.nft

flush ruleset

include "./bad_actors_set"


table inet firewall {

        # protocols to allow
        set allowed_protocols {
                type inet_proto
                elements = { icmp, icmpv6 }
        }

        # interfaces to accept any traffic on
        set allowed_interfaces {
                type ifname
                elements = { "lo" }
        }

        # services to allow
        set allowed_tcp_dports {
                type inet_service
                elements = { ssh, http, https }
        }
        # ip of bad actors to ban
        set bad_actors {
                type ipv4_addr
                flags interval
                elements = { $bad_actors_set }
        }

        # this chain gathers all accept conditions
        chain allow {
                ct state established,related accept

                meta l4proto @allowed_protocols accept
                iifname @allowed_interfaces accept
                tcp dport @allowed_tcp_dports accept
        }

        # base-chain for traffic to this host
        chain INPUT {
                type filter hook input priority filter + 20
                policy accept

                ip saddr @bad_actors counter drop
                jump allow
                reject with icmpx type port-unreachable
        }
}

bad_actors_set

define bad_actors_set={
0.0.0.0/8,
1.0.1.0/24,
1.0.2.0/23,
1.0.4.1,
1.0.5.1,
and a lot more... total 1103505 CIDRs
}

When I try to reload nft I get an error:

# nft -f main.nft
Segmentation fault

Is this a known issue? Are there any known workarounds? Or am I simply doing something really wrong (but then I would expect a different error message)?

More info about my system.

# uname -a
Linux hestia 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
#cat /etc/redhat-release 
CentOS Linux release 8.3.2011
# nft -v
nftables v0.9.3 (Topsy)
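A practitioner hitting a crash on a single million-element `elements = { ... }` literal would first want to separate "nft cannot parse this file" from "nft cannot handle this many interval elements at once". An added diagnostic (not from the poster, and not a fix for the crash itself): dry-run the ruleset with `nft -c -f main.nft`, and if that also crashes, create the set empty and load the list in batches of `add element` statements, each through its own `nft -f -` invocation, so that a failure points at a few thousand lines rather than the whole file. The script below generates those batches. It keeps the table and set names from the post (`inet firewall`, `bad_actors`); the batch size, the `gen_batches`/`count_batches` helper names and the sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example: turn a one-entry-per-line CIDR list into batched nft
# "add element" statements instead of one huge elements = { ... } literal.
# Table/set names match the post; everything else here is an assumption
# made for the example.

# gen_batches FILE BATCH_SIZE
#   Reads one CIDR or address per line from FILE (blank lines, '#' comments
#   and trailing commas copied from a define { } body are tolerated) and
#   prints one "add element" statement per batch of BATCH_SIZE entries.
gen_batches() {
    file=$1
    size=${2:-5000}
    awk -v size="$size" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            sub(/,[[:space:]]*$/, "")          # drop a trailing comma
            gsub(/[[:space:]]/, "")            # and any stray whitespace
            if ($0 == "") next
            buf = (n == 0) ? $0 : buf ", " $0
            if (++n == size) {
                printf "add element inet firewall bad_actors { %s }\n", buf
                n = 0; buf = ""
            }
        }
        END {
            if (n > 0)
                printf "add element inet firewall bad_actors { %s }\n", buf
        }' "$file"
}

# count_batches FILE BATCH_SIZE
#   Number of statements gen_batches would emit (handy for a sanity check).
count_batches() {
    gen_batches "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample list for running this script offline; it is NOT the
# poster's real 1,103,505-entry set.
SAMPLE=${TMPDIR:-/tmp}/bad_actors_sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# sample entries
0.0.0.0/8,
1.0.1.0/24,
1.0.2.0/23,
1.0.4.1,
1.0.5.1,
10.0.0.0/8
EOF

# Show what a batch looks like.
gen_batches "$SAMPLE" 4

# Usage against a live host (commented out: it needs root and nft).
# Create the table and the empty interval set once, then feed one batch
# per nft invocation and stop at the first batch that fails, which
# narrows a crash down to BATCH_SIZE entries:
#   nft 'add table inet firewall'
#   nft 'add set inet firewall bad_actors { type ipv4_addr; flags interval; }'
#   gen_batches bad_actors.txt 5000 | while IFS= read -r stmt; do
#       printf '%s\n' "$stmt" | nft -f - || { echo "failed batch: $stmt" >&2; break; }
#   done
```

Loading in batches also makes the set reloadable without a `flush ruleset` of the whole firewall: `nft flush set inet firewall bad_actors` followed by the same loop replaces only the blocklist. If individual batches load but the full literal still crashes, that is the element count, not a malformed entry, and belongs in the bug report with the nft version shown above.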

rubus
Posts: 2
Joined: 2020/12/13 17:13:46

Re: CentOS 8 nftable segmentation fault with big ip set

Post by rubus » 2020/12/14 21:40:18

A bug report was created for this issue: https://bugs.centos.org/view.php?id=17942
You can find more details there -> full config of nft.

TrevorH
Forum Moderator
Posts: 30337
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS 8 nftable segmentation fault with big ip set

Post by TrevorH » 2020/12/14 22:06:04

There's no point in raising a bug on bugs.centos.org as no-one there can do anything about it. Report it on bugzilla.redhat.com instead.
CentOS 6 died in November 2020 - migrate to a new version!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke
