libnetfilter-queue and hipfw -A option

Bug #1221371 reported by Miika Komu
Affects | Status | Importance | Assigned to | Milestone
HIPL | New | High | Pupu Toivonen |

Bug Description

The -A flag in the firewall causes it to crash according to Juhani. Apparently this occurs after the merging of libnetfilter-queue.

It is unclear to me whether this bug is related to (or even a duplicate of) the other libnetfilter bug (lp:1221361) or not. That is, does the bug occur only with LSI interaction?

info(hipfw/hipfw.c:921@filter_hip): received packet type: UPDATE
info(hipfw/hipfw.c:943@filter_hip): src hit: 2001:0014:afbd:9bd9:352b:7e07:30d6:ed2c
info(hipfw/hipfw.c:944@filter_hip): dst hit: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
info(hipfw/hipfw.c:945@filter_hip): src ip: 130.233.42.5
info(hipfw/hipfw.c:946@filter_hip): dst ip: 193.167.187.149
debug(hipfw/hipfw.c:1051@filter_hip): falling back to default HIP/ESP behavior, target 1
debug(hipfw/conntrack.c:2059@get_tuple_by_hits): connection found,
debug(hipfw/conntrack.c:1736@check_packet): check packet: type 16
debug(hipfw/conntrack.c:591@find_esp_tuple): Esp tuple slist is empty
debug(hipfw/conntrack.c:1458@handle_first_update): existing ESP state does not include current SPI, re-establishing connection state
debug(hipfw/conntrack.c:802@remove_connection): tuple list before:
debug(hipfw/conntrack.c:184@print_tuple_list): TUPLE LIST:
debug(hipfw/conntrack.c:140@print_tuple): next tuple:
debug(hipfw/conntrack.c:141@print_tuple): direction: 0
debug(hipfw/conntrack.c:142@print_tuple): src: : 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
debug(hipfw/conntrack.c:143@print_tuple): dst: : 2001:0014:afbd:9bd9:352b:7e07:30d6:ed2c
debug(hipfw/conntrack.c:140@print_tuple): next tuple:
debug(hipfw/conntrack.c:141@print_tuple): direction: 1
debug(hipfw/conntrack.c:142@print_tuple): src: : 2001:0014:afbd:9bd9:352b:7e07:30d6:ed2c
debug(hipfw/conntrack.c:143@print_tuple): dst: : 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
debug(hipfw/conntrack.c:192@print_tuple_list):
debug(hipfw/conntrack.c:805@remove_connection): esp list before:
debug(hipfw/conntrack.c:167@print_esp_list): ESP LIST:
debug(hipfw/conntrack.c:155@print_esp_tuple): esp_tuple: spi:0xd89a0569 spi_update_id: 0 tuple dir:1
debug(hipfw/conntrack.c:121@print_esp_addresses): ESP dst addr list:
debug(hipfw/conntrack.c:124@print_esp_addresses): dst address: : 193.167.187.149
debug(hipfw/conntrack.c:130@print_esp_addresses):

Program received signal SIGSEGV, Segmentation fault.
print_esp_list () at hipfw/conntrack.c:169
169 if (list->data) {
(gdb)

Miika Komu (miika-iki) wrote :

Did you have some ACL rules configured for the firewall?

Pupu Toivonen (scolphoy) wrote :

I did have ACL rules configured at both ends.

INPUT -dst_hit local_hit ACCEPT
OUTPUT -src_hit local_hit ACCEPT

With the HIT in place of local_hit. For some reason I'm not able to repeat this now.
The "sudo-problem" also seems to happen when hipfw is started with -lA; I am thinking they are genuinely two different bugs.
