On Tue, Jun 12, 2018 at 11:02:32AM +0200, Florian Westphal wrote:
Ale <mystic@tin.it> wrote:
[ cc stable, could you please queue below fix? ]
When I try to use CT HELPER for ipv6, nft dies and I have to restart the PC. But it works well for ip and inet.
nft add ct helper ip6 filter ftp-std { type "ftp" protocol tcp; }
nft add rule ip6 filter WAN-IN iifname $IF_WAN_1 tcp sport $UP_PORTS tcp dport $UP_PORTS ct helper set "ftp-std" counter accept
Kernel: RIP: strlen+0x0/0x20 RSP: ffffae1b4c67f980
kernel: Code: f8 48 89 f9 74 09 48 83 c1 01 80 39 00 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee c3 0f 1f 80 00 00 00 00 <80> 3f 00 74 10 48 89 f8 48 >
This is most likely fixed in 4.17 by
commit b71534583f22d08c3e3563bf5100aeb5f5c9fbe5
netfilter: nf_tables: fix NULL pointer dereference on nft_ct_helper_obj_dump
The bug was added in Linux 4.12.
Queued up to 4.16.y and 4.14.y, thanks.
greg k-h