Segmentation fault during commit after insert rule

[codecat555]

Hi,

I've been hitting an error and segmentation fault which has been hard to nail down. I finally boiled it down to a minimal test case. Would you please take a look?

Here's the code -

import sys
import iptc

if sys.argv[0] == 4:
    table = iptc.Table(iptc.Table.FILTER, autocommit=False)
else:
    table = iptc.Table6(iptc.Table6.FILTER, autocommit=False)

chain = iptc.Chain(table, 'INPUT')

table.refresh()

rule = iptc.Rule()
rule.protocol = 'ip'
rule.create_target('ACCEPT')

chain.insert_rule(rule, 1)

table.commit()

Here's how I am running it -

[root@your ~]# cat iptables.minimal
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -L -v --line-numbers
[root@cmcrae-6 ~]# bash iptables.minimal; python showit4.py 4
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
2        1    52 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
4        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
5        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
6        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination
Segmentation fault
[root@cmcrae-6 ~]#

System -

CentOS Linux release 7.2.1511 (Core)
iptables-services-1.4.21-16.el7.x86_64
iptables-1.4.21-16.el7.x86_64

[jllorente]

I couldn't reproduce the issue in a VM running Ubuntu 16.04 with kernel 4.8.0-58-generic and iptables v1.6.0

[codecat555]

Hmmm. I tried it on 2 (similarly configured) systems. Also tried before and after reboot. I would be happy just knowing how to avoid the problem. Do you have any suggestions for how I might dig deeper? I didn't get anything useful with pdb or strace. I guess I could compile libiptc with debug symbols and fire up gdb. Is that how you would do it?

…

On Mar 18, 2018 11:16 PM, "jllorente" ***@***.***> wrote: I couldn't reproduce the issue in a VM running Ubuntu 16.04 with kernel 4.8.0-58-generic and iptables v1.6.0 — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#232 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AQznR72vdTW_C8ny2z1hfhrjiB7RLStaks5tf01PgaJpZM4SvoY4> .

[jllorente]

I have never really worked with netlink development, so I cannot really say.
How about trying a more recent version of iptables? Maybe that could help isolate the problem :)

[ldx]

@codecat555 can you try latest master from python-iptables? I can't repro the problem either.

[codecat555]

I upgraded to the latest iptables rpm available for Centos - 1.4.21-18.3.el7_4 - same result.

So, I compiled iptables-1.6.2 and see a malloc error in python now. The version I'm running is 2.7.5-58.el7, which is the latest available as a centos.org rpm.

The rest of my test suite seems to be working normally, with both the old and new iptables code.

Any suggestions on what I might do next? I guess I could look for a newer version of python 2.7...

[root@your ~]# iptables -v
iptables v1.6.2: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@your ~]# bash iptables.minimal ; python showit4.py 4
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
4        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
5        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
6        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain DSM-Policy-INPUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain JUST-DROP (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain LOG-AND-CONT (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain LOG-AND-DROP (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination
*** Error in `python': malloc(): memory corruption: 0x000000000081be40 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7dd7d)[0x7ffff6da4d7d]
/lib64/libc.so.6(__libc_malloc+0x4c)[0x7ffff6da710c]
/lib64/libpython2.7.so.1.0(PyObject_Malloc+0x5d)[0x7ffff7a98d8d]
/lib64/libpython2.7.so.1.0(_PyObject_GC_Malloc+0x19)[0x7ffff7b24069]
/lib64/libpython2.7.so.1.0(_PyObject_GC_NewVar+0x26)[0x7ffff7b241a6]
/lib64/libpython2.7.so.1.0(PyFrame_New+0x2f4)[0x7ffff7a7f1c4]
/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x6769)[0x7ffff7af3529]
/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x7ed)[0x7ffff7af5efd]
/lib64/libpython2.7.so.1.0(PyEval_EvalCode+0x32)[0x7ffff7af6002]
/lib64/libpython2.7.so.1.0(+0x10043f)[0x7ffff7b0f43f]
/lib64/libpython2.7.so.1.0(PyRun_FileExFlags+0x7e)[0x7ffff7b105fe]
/lib64/libpython2.7.so.1.0(PyRun_SimpleFileExFlags+0xe9)[0x7ffff7b11889]
/lib64/libpython2.7.so.1.0(Py_Main+0xc9f)[0x7ffff7b22a3f]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7ffff6d48c05]
python[0x40071e]
======= Memory map: ========
00400000-00401000 r-xp 00000000 fd:01 140997                             /usr/bin/python2.7
00600000-00601000 r--p 00000000 fd:01 140997                             /usr/bin/python2.7
00601000-00602000 rw-p 00001000 fd:01 140997                             /usr/bin/python2.7
00602000-0088b000 rw-p 00000000 00:00 0                                  [heap]
7fffe4000000-7fffe4021000 rw-p 00000000 00:00 0
7fffe4021000-7fffe8000000 ---p 00000000 00:00 0
7fffeb66c000-7fffeb681000 r-xp 00000000 fd:01 131096                     /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fffeb681000-7fffeb880000 ---p 00015000 fd:01 131096                     /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fffeb880000-7fffeb881000 r--p 00014000 fd:01 131096                     /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fffeb881000-7fffeb882000 rw-p 00015000 fd:01 131096                     /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fffeb882000-7fffeb883000 r-xp 00000000 fd:01 3898                       /usr/lib64/xtables/libxt_standard.so
7fffeb883000-7fffeba82000 ---p 00001000 fd:01 3898                       /usr/lib64/xtables/libxt_standard.so
7fffeba82000-7fffeba83000 r--p 00000000 fd:01 3898                       /usr/lib64/xtables/libxt_standard.so
7fffeba83000-7fffeba84000 rw-p 00001000 fd:01 3898                       /usr/lib64/xtables/libxt_standard.so
7fffeba84000-7fffeba8a000 r-xp 00000000 fd:01 139531                     /usr/lib64/libip6tc.so.0.1.0
7fffeba8a000-7fffebc8a000 ---p 00006000 fd:01 139531                     /usr/lib64/libip6tc.so.0.1.0
7fffebc8a000-7fffebc8b000 r--p 00006000 fd:01 139531                     /usr/lib64/libip6tc.so.0.1.0
7fffebc8b000-7fffebc8c000 rw-p 00007000 fd:01 139531                     /usr/lib64/libip6tc.so.0.1.0
7fffebc8c000-7fffebc92000 r-xp 00000000 fd:01 139529                     /usr/lib64/libip4tc.so.0.1.0
7fffebc92000-7fffebe91000 ---p 00006000 fd:01 139529                     /usr/lib64/libip4tc.so.0.1.0
7fffebe91000-7fffebe92000 r--p 00005000 fd:01 139529                     /usr/lib64/libip4tc.so.0.1.0
7fffebe92000-7fffebe93000 rw-p 00006000 fd:01 139529                     /usr/lib64/libip4tc.so.0.1.0
7fffebe93000-7fffebe94000 r-xp 00000000 fd:01 145979                     /usr/lib64/python2.7/site-packages/libxtwrapper.so
7fffebe94000-7fffec094000 ---p 00001000 fd:01 145979                     /usr/lib64/python2.7/site-packages/libxtwrapper.so
7fffec094000-7fffec095000 r--p 00001000 fd:01 145979                     /usr/lib64/python2.7/site-packages/libxtwrapper.so
7fffec095000-7fffec096000 rw-p 00002000 fd:01 145979                     /usr/lib64/python2.7/site-packages/libxtwrapper.so
7fffec096000-7fffec0a1000 r-xp 00000000 fd:01 146134                     /usr/lib64/libxtables.so.12.0.0
7fffec0a1000-7fffec2a1000 ---p 0000b000 fd:01 146134                     /usr/lib64/libxtables.so.12.0.0
7fffec2a1000-7fffec2a2000 r--p 0000b000 fd:01 146134                     /usr/lib64/libxtables.so.12.0.0
7fffec2a2000-7fffec2a3000 rw-p 0000c000 fd:01 146134                     /usr/lib64/libxtables.so.12.0.0
7fffec2a3000-7fffec3a5000 rw-p 00000000 00:00 0
7fffec3a5000-7fffec3aa000 r-xp 00000000 fd:01 140273                     /usr/lib64/python2.7/lib-dynload/selectmodule.so
7fffec3aa000-7fffec5a9000 ---p 00005000 fd:01 140273                     /usr/lib64/python2.7/lib-dynload/selectmodule.so
7fffec5a9000-7fffec5aa000 r--p 00004000 fd:01 140273                     /usr/lib64/python2.7/lib-dynload/selectmodule.so
7fffec5aa000-7fffec5ac000 rw-p 00005000 fd:01 140273                     /usr/lib64/python2.7/lib-dynload/selectmodule.so
7fffec5ac000-7fffec5b0000 r-xp 00000000 fd:01 140278                     /usr/lib64/python2.7/lib-dynload/timemodule.so
7fffec5b0000-7fffec7af000 ---p 00004000 fd:01 140278                     /usr/lib64/python2.7/lib-dynload/timemodule.so
7fffec7af000-7fffec7b0000 r--p 00003000 fd:01 140278                     /usr/lib64/python2.7/lib-dynload/timemodule.so
7fffec7b0000-7fffec7b2000 rw-p 00004000 fd:01 140278                     /usr/lib64/python2.7/lib-dynload/timemodule.so
7fffec7b2000-7fffec7b7000 r-xp 00000000 fd:01 140275                     /usr/lib64/python2.7/lib-dynload/stropmodule.so
7fffec7b7000-7fffec9b6000 ---p 00005000 fd:01 140275                     /usr/lib64/python2.7/lib-dynload/stropmodule.so
7fffec9b6000-7fffec9b7000 r--p 00004000 fd:01 140275                     /usr/lib64/python2.7/lib-dynload/stropmodule.so
7fffec9b7000-7fffec9b9000 rw-p 00005000 fd:01 140275                     /usr/lib64/python2.7/lib-dynload/stropmodule.so
7fffec9b9000-7fffec9bc000 r-xp 00000000 fd:01 140257                     /usr/lib64/python2.7/lib-dynload/fcntlmodule.so
7fffec9bc000-7fffecbbb000 ---p 00003000 fd:01 140257                     /usr/lib64/python2.7/lib-dynload/fcntlmodule.so
7fffecbbb000-7fffecbbc000 r--p 00002000 fd:01 140257                     /usr/lib64/python2.7/lib-dynload/fcntlmodule.so
7fffecbbc000-7fffecbbd000 rw-p 00003000 fd:01 140257                     /usr/lib64/python2.7/lib-dynload/fcntlmodule.so
7fffecbbd000-7fffecbc0000 r-xp 00000000 fd:01 140242                     /usr/lib64/python2.7/lib-dynload/_randommodule.so
7fffecbc0000-7fffecdbf000 ---p 00003000 fd:01 140242                     /usr/lib64/python2.7/lib-dynload/_randommodule.so
7fffecdbf000-7fffecdc0000 r--p 00002000 fd:01 140242                     /usr/lib64/python2.7/lib-dynload/_randommodule.so
7fffecdc0000-7fffecdc1000 rw-p 00003000 fd:01 140242                     /usr/lib64/python2.7/lib-dynload/_randommodule.so
7fffecdc1000-7fffecdc5000 r-xp 00000000 fd:01 140233                     /usr/lib64/python2.7/lib-dynload/_hashlib.so
7fffecdc5000-7fffecfc4000 ---p 00004000 fd:01 140233                     /usr/lib64/python2.7/lib-dynload/_hashlib.so
7fffecfc4000-7fffecfc5000 r--p 00003000 fd:01 140233                     /usr/lib64/python2.7/lib-dynload/_hashlib.so
7fffecfc5000-7fffecfc6000 rw-p 00004000 fd:01 140233                     /usr/lib64/python2.7/lib-dynload/_hashlib.so
7fffecfc6000-7fffecfc7000 rw-p 00000000 00:00 0
7fffecfc7000-7fffecfcc000 r-xp 00000000 fd:01 140249                     /usr/lib64/python2.7/lib-dynload/binascii.so
7fffecfcc000-7fffed1cb000 ---p 00005000 fd:01 140249                     /usr/lib64/python2.7/lib-dynload/binascii.so
7fffed1cb000-7fffed1cc000 r--p 00004000 fd:01 140249                     /usr/lib64/python2.7/lib-dynload/binascii.so
7fffed1cc000-7fffed1cd000 rw-p 00005000 fd:01 140249                     /usr/lib64/python2.7/lib-dynload/binascii.so
7fffed1cd000-7fffed1d4000 r-xp 00000000 fd:01 140264                     /usr/lib64/python2.7/lib-dynload/math.so
7fffed1d4000-7fffed3d3000 ---p 00007000 fd:01 140264                     /usr/lib64/python2.7/lib-dynload/math.so
7fffed3d3000-7fffed3d4000 r--p 00006000 fd:01 140264                     /usr/lib64/python2.7/lib-dynload/math.so
7fffed3d4000-7fffed3d6000 rw-p 00007000 fd:01 140264                     /usr/lib64/python2.7/lib-dynload/math.so
7fffed3d6000-7fffed417000 rw-p 00000000 00:00 0
7fffed417000-7fffed433000 r-xp 00000000 fd:01 140236                     /usr/lib64/python2.7/lib-dynload/_io.so
7fffed433000-7fffed632000 ---p 0001c000 fd:01 140236                     /usr/lib64/python2.7/lib-dynload/_io.so
7fffed632000-7fffed633000 r--p 0001b000 fd:01 140236                     /usr/lib64/python2.7/lib-dynload/_io.so
7fffed633000-7fffed63d000 rw-p 0001c000 fd:01 140236                     /usr/lib64/python2.7/lib-dynload/_io.so
7fffed63d000-7fffed69d000 r-xp 00000000 fd:01 136376                     /usr/lib64/libpcre.so.1.2.0
7fffed69d000-7fffed89c000 ---p 00060000 fd:01 136376                     /usr/lib64/libpcre.so.1.2.0
7fffed89c000-7fffed89d000 r--p 0005f000 fd:01 136376                     /usr/lib64/libpcre.so.1.2.0
7fffed89d000-7fffed89e000 rw-p 00060000 fd:01 136376                     /usr/lib64/libpcre.so.1.2.0
7fffed89e000-7fffed8c2000 r-xp 00000000 fd:01 144818                     /usr/lib64/libselinux.so.1
7fffed8c2000-7fffedac1000 ---p 00024000 fd:01 144818                     /usr/lib64/libselinux.so.1
7fffedac1000-7fffedac2000 r--p 00023000 fd:01 144818                     /usr/lib64/libselinux.so.1
7fffedac2000-7fffedac3000 rw-p 00024000 fd:01 144818                     /usr/lib64/libselinux.so.1
7fffedac3000-7fffedac5000 rw-p 00000000 00:00 0
7fffedac5000-7fffedadb000 r-xp 00000000 fd:01 136019                     /usr/lib64/libresolv-2.17.so
7fffedadb000-7fffedcdb000 ---p 00016000 fd:01 136019                     /usr/lib64/libresolv-2.17.so
7fffedcdb000-7fffedcdc000 r--p 00016000 fd:01 136019                     /usr/lib64/libresolv-2.17.so
7fffedcdc000-7fffedcdd000 rw-p 00017000 fd:01 136019                     /usr/lib64/libresolv-2.17.so
7fffedcdd000-7fffedcdf000 rw-p 00000000 00:00 0
7fffedcdf000-7fffedce2000 r-xp 00000000 fd:01 137137                     /usr/lib64/libkeyutils.so.1.5
7fffedce2000-7fffedee1000 ---p 00003000 fd:01 137137                     /usr/lib64/libkeyutils.so.1.5
7fffedee1000-7fffedee2000 r--p 00002000 fd:01 137137                     /usr/lib64/libkeyutils.so.1.5
7fffedee2000-7fffedee3000 rw-p 00003000 fd:01 137137                     /usr/lib64/libkeyutils.so.1.5
7fffedee3000-7fffedef0000 r-xp 00000000 fd:01 139619                     /usr/lib64/libkrb5support.so.0.1
7fffedef0000-7fffee0ef000 ---p 0000d000 fd:01 139619                     /usr/lib64/libkrb5support.so.0.1
7fffee0ef000-7fffee0f0000 r--p 0000c000 fd:01 139619                     /usr/lib64/libkrb5support.so.0.1
7fffee0f0000-7fffee0f1000 rw-p 0000d000 fd:01 139619                     /usr/lib64/libkrb5support.so.0.1
7fffee0f1000-7fffee122000 r-xp 00000000 fd:01 139607                     /usr/lib64/libk5crypto.so.3.1
7fffee122000-7fffee321000 ---p 00031000 fd:01 139607                     /usr/lib64/libk5crypto.so.3.1
7fffee321000-7fffee323000 r--p 00030000 fd:01 139607                     /usr/lib64/libk5crypto.so.3.1
7fffee323000-7fffee324000 rw-p 00032000 fd:01 139607                     /usr/lib64/libk5crypto.so.3.1
7fffee324000-7fffee327000 r-xp 00000000 fd:01 136394                     /usr/lib64/libcom_err.so.2.1
7fffee327000-7fffee526000 ---p 00003000 fd:01 136394                     /usr/lib64/libcom_err.so.2.1
7fffee526000-7fffee527000 r--p 00002000 fd:01 136394                     /usr/lib64/libcom_err.so.2.1
7fffee527000-7fffee528000 rw-p 00003000 fd:01 136394                     /usr/lib64/libcom_err.so.2.1
7fffee528000-7fffee600000 r-xp 00000000 fd:01 139617                     /usr/lib64/libkrb5.so.3.3
7fffee600000-7fffee7ff000 ---p 000d8000 fd:01 139617                     /usr/lib64/libkrb5.so.3.3
7fffee7ff000-7fffee80d000 r--p 000d7000 fd:01 139617                     /usr/lib64/libkrb5.so.3.3
7fffee80d000-7fffee810000 rw-p 000e5000 fd:01 139617                     /usr/lib64/libkrb5.so.3.3
7fffee810000-7fffee85a000 r-xp 00000000 fd:01 139603                     /usr/lib64/libgssapi_krb5.so.2.2
7fffee85a000-7fffeea5a000 ---p 0004a000 fd:01 139603                     /usr/lib64/libgssapi_krb5.so.2.2
7fffeea5a000-7fffeea5b000 r--p 0004a000 fd:01 139603                     /usr/lib64/libgssapi_krb5.so.2.2
7fffeea5b000-7fffeea5d000 rw-p 0004b000 fd:01 139603                     /usr/lib64/libgssapi_krb5.so.2.2
7fffeea5d000-7fffeecd6000 r-xp 00000000 fd:01 142982                     /usr/lib64/libcrypto.so.1.0.2l
7fffeecd6000-7fffeeed5000 ---p 00279000 fd:01 142982                     /usr/lib64/libcrypto.so.1.0.2l
7fffeeed5000-7fffeef02000 rw-p 00278000 fd:01 142982                     /usr/lib64/libcrypto.so.1.0.2l
7fffeef02000-7fffeef06000 rw-p 00000000 00:00 0
7fffeef06000-7fffeef69000 r-xp 00000000 fd:01 142971                     /usr/lib64/libssl.so.1.0.2l
7fffeef69000-7fffef168000 ---p 00063000 fd:01 142971                     /usr/lib64/libssl.so.1.0.2l
7fffef168000-7fffef173000 rw-p 00062000 fd:01 142971                     /usr/lib64/libssl.so.1.0.2l
7fffef173000-7fffef186000 r-xp 00000000 fd:01 140245                     /usr/lib64/python2.7/lib-dynload/_ssl.so
7fffef186000-7fffef385000 ---p 00013000 fd:01 140245                     /usr/lib64/python2.7/lib-dynload/_ssl.so
7fffef385000-7fffef386000 r--p 00012000 fd:01 140245                     /usr/lib64/python2.7/lib-dynload/_ssl.so
7fffef386000-7fffef38a000 rw-p 00013000 fd:01 140245                     /usr/lib64/python2.7/lib-dynload/_ssl.so
7fffef38a000-7fffef38d000 r-xp 00000000 fd:01 140232                     /usr/lib64/python2.7/lib-dynload/_functoolsmodule.so
7fffef38d000-7fffef58c000 ---p 00003000 fd:01 140232                     /usr/lib64/python2.7/lib-dynload/_functoolsmodule.so
7fffef58c000-7fffef58d000 r--p 00002000 fd:01 140232                     /usr/lib64/python2.7/lib-dynload/_functoolsmodule.so
7fffef58d000-7fffef58e000 rw-p 00003000 fd:01 140232                     /usr/lib64/python2.7/lib-dynload/_functoolsmodule.so
7fffef58e000-7fffef59d000 r-xp 00000000 fd:01 140243                     /usr/lib64/python2.7/lib-dynload/_socketmodule.so
7fffef59d000-7fffef79c000 ---p 0000f000 fd:01 140243                     /usr/lib64/python2.7/lib-dynload/_socketmodule.so
7fffef79c000-7fffef79d000 r--p 0000e000 fd:01 140243                     /usr/lib64/python2.7/lib-dynload/_socketmodule.so
7fffef79d000-7fffef7a2000 rw-p 0000f000 fd:01 140243                     /usr/lib64/python2.7/lib-dynload/_socketmodule.so
7fffef7a2000-7fffef7a9000 r-xp 00000000 fd:01 140246                     /usr/lib64/python2.7/lib-dynload/_struct.so
7fffef7a9000-7fffef9a8000 ---p 00007000 fd:01 140246                     /usr/lib64/python2.7/lib-dynload/_struct.so
7fffef9a8000-7fffef9a9000 r--p 00006000 fd:01 140246                     /usr/lib64/python2.7/lib-dynload/_struct.so
7fffef9a9000-7fffef9ab000 rw-p 00007000 fd:01 140246                     /usr/lib64/python2.7/lib-dynload/_struct.so
7fffef9ab000-7fffef9b2000 r-xp 00000000 fd:01 136607                     /usr/lib64/libffi.so.6.0.1
7fffef9b2000-7fffefbb1000 ---p 00007000 fd:01 136607                     /usr/lib64/libffi.so.6.0.1
7fffefbb1000-7fffefbb2000 r--p 00006000 fd:01 136607                     /usr/lib64/libffi.so.6.0.1
7fffefbb2000-7fffefbb3000 rw-p 00007000 fd:01 136607                     /usr/lib64/libffi.so.6.0.1
7fffefbb3000-7fffefbcd000 r-xp 00000000 fd:01 140228                     /usr/lib64/python2.7/lib-dynload/_ctypes.so
7fffefbcd000-7fffefdcc000 ---p 0001a000 fd:01 140228                     /usr/lib64/python2.7/lib-dynload/_ctypes.so
7fffefdcc000-7fffefdcd000 r--p 00019000 fd:01 140228                     /usr/lib64/python2.7/lib-dynload/_ctypes.so
7fffefdcd000-7fffefdd1000 rw-p 0001a000 fd:01 140228                     /usr/lib64/python2.7/lib-dynload/_ctypes.so
7fffefdd1000-7fffefdd5000 r-xp 00000000 fd:01 140252                     /usr/lib64/python2.7/lib-dynload/cStringIO.so
7fffefdd5000-7fffeffd4000 ---p 00004000 fd:01 140252                     /usr/lib64/python2.7/lib-dynload/cStringIO.so
7fffeffd4000-7fffeffd5000 r--p 00003000 fd:01 140252                     /usr/lib64/python2.7/lib-dynload/cStringIO.so
7fffeffd5000-7fffeffd7000 rw-p 00004000 fd:01 140252                     /usr/lib64/python2.7/lib-dynload/cStringIO.so
7fffeffd7000-7fffeffda000 r-xp 00000000 fd:01 140234                     /usr/lib64/python2.7/lib-dynload/_heapq.so
7fffeffda000-7ffff01d9000 ---p 00003000 fd:01 140234                     /usr/lib64/python2.7/lib-dynload/_heapq.so
7ffff01d9000-7ffff01da000 r--p 00002000 fd:01 140234                     /usr/lib64/python2.7/lib-dynload/_heapq.so
7ffff01da000-7ffff01dc000 rw-p 00003000 fd:01 140234                     /usr/lib64/python2.7/lib-dynload/_heapq.so
7ffff01dc000-7ffff01e6000 r-xp 00000000 fd:01 140262                     /usr/lib64/python2.7/lib-dynload/itertoolsmodule.so
7ffff01e6000-7ffff03e5000 ---p 0000a000 fd:01 140262                     /usr/lib64/python2.7/lib-dynload/itertoolsmodule.so
7ffff03e5000-7ffff03e6000 r--p 00009000 fd:01 140262                     /usr/lib64/python2.7/lib-dynload/itertoolsmodule.so
7ffff03e6000-7ffff03eb000 rw-p 0000a000 fd:01 140262                     /usr/lib64/python2.7/lib-dynload/itertoolsmodule.so
7ffff03eb000-7ffff03f4000 r-xp 00000000 fd:01 140267                     /usr/lib64/python2.7/lib-dynload/operator.so
7ffff03f4000-7ffff05f3000 ---p 00009000 fd:01 140267                     /usr/lib64/python2.7/lib-dynload/operator.so
7ffff05f3000-7ffff05f4000 r--p 00008000 fd:01 140267                     /usr/lib64/python2.7/lib-dynload/operator.so
7ffff05f4000-7ffff05f6000 rw-p 00009000 fd:01 140267                     /usr/lib64/python2.7/lib-dynload/operator.so
7ffff05f6000-7ffff05fc000 r-xp 00000000 fd:01 140225                     /usr/lib64/python2.7/lib-dynload/_collectionsmodule.so
7ffff05fc000-7ffff07fb000 ---p 00006000 fd:01 140225                     /usr/lib64/python2.7/lib-dynload/_collectionsmodule.so
7ffff07fb000-7ffff07fc000 r--p 00005000 fd:01 140225                     /usr/lib64/python2.7/lib-dynload/_collectionsmodule.so
7ffff07fc000-7ffff07fe000 rw-p 00006000 fd:01 140225                     /usr/lib64/python2.7/lib-dynload/_collectionsmodule.so
7ffff07fe000-7ffff6d27000 r--p 00000000 fd:01 144719                     /usr/lib/locale/locale-archive
7ffff6d27000-7ffff6edf000 r-xp 00000000 fd:01 135991                     /usr/lib64/libc-2.17.so
7ffff6edf000-7ffff70df000 ---p 001b8000 fd:01 135991                     /usr/lib64/libc-2.17.so
7ffff70df000-7ffff70e3000 r--p 001b8000 fd:01 135991                     /usr/lib64/libc-2.17.so
7ffff70e3000-7ffff70e5000 rw-p 001bc000 fd:01 135991                     /usr/lib64/libc-2.17.so
7ffff70e5000-7ffff70ea000 rw-p 00000000 00:00 0
7ffff70ea000-7ffff71eb000 r-xp 00000000 fd:01 135999                     /usr/lib64/libm-2.17.so
7ffff71eb000-7ffff73ea000 ---p 00101000 fd:01 135999                     /usr/lib64/libm-2.17.so
7ffff73ea000-7ffff73eb000 r--p 00100000 fd:01 135999                     /usr/lib64/libm-2.17.so
7ffff73eb000-7ffff73ec000 rw-p 00101000 fd:01 135999                     /usr/lib64/libm-2.17.so
7ffff73ec000-7ffff73ee000 r-xp 00000000 fd:01 136025                     /usr/lib64/libutil-2.17.so
7ffff73ee000-7ffff75ed000 ---p 00002000 fd:01 136025                     /usr/lib64/libutil-2.17.so
7ffff75ed000-7ffff75ee000 r--p 00001000 fd:01 136025                     /usr/lib64/libutil-2.17.so
7ffff75ee000-7ffff75ef000 rw-p 00002000 fd:01 136025                     /usr/lib64/libutil-2.17.so
7ffff75ef000-7ffff75f1000 r-xp 00000000 fd:01 135997                     /usr/lib64/libdl-2.17.so
7ffff75f1000-7ffff77f1000 ---p 00002000 fd:01 135997                     /usr/lib64/libdl-2.17.so
7ffff77f1000-7ffff77f2000 r--p 00002000 fd:01 135997                     /usr/lib64/libdl-2.17.so
7ffff77f2000-7ffff77f3000 rw-p 00003000 fd:01 135997                     /usr/lib64/libdl-2.17.so
7ffff77f3000-7ffff780a000 r-xp 00000000 fd:01 136017                     /usr/lib64/libpthread-2.17.so
7ffff780a000-7ffff7a09000 ---p 00017000 fd:01 136017                     /usr/lib64/libpthread-2.17.so
7ffff7a09000-7ffff7a0a000 r--p 00016000 fd:01 136017                     /usr/lib64/libpthread-2.17.so
7ffff7a0a000-7ffff7a0b000 rw-p 00017000 fd:01 136017                     /usr/lib64/libpthread-2.17.so
7ffff7a0b000-7ffff7a0f000 rw-p 00000000 00:00 0
7ffff7a0f000-7ffff7b8c000 r-xp 00000000 fd:01 139815                     /usr/lib64/libpython2.7.so.1.0
7ffff7b8c000-7ffff7d8c000 ---p 0017d000 fd:01 139815                     /usr/lib64/libpython2.7.so.1.0
7ffff7d8c000-7ffff7d8e000 r--p 0017d000 fd:01 139815                     /usr/lib64/libpython2.7.so.1.0
7ffff7d8e000-7ffff7dcc000 rw-p 0017f000 fd:01 139815                     /usr/lib64/libpython2.7.so.1.0
7ffff7dcc000-7ffff7ddb000 rw-p 00000000 00:00 0
7ffff7ddb000-7ffff7dfc000 r-xp 00000000 fd:01 144721                     /usr/lib64/ld-2.17.so
7ffff7e37000-7ffff7f3b000 rw-p 00000000 00:00 0
7ffff7f6c000-7ffff7ff3000 rw-p 00000000 00:00 0
7ffff7ff6000-7ffff7ff7000 rw-p 00000000 00:00 0
7ffff7ff7000-7ffff7ff8000 rw-s 00000000 fd:04 29                         /tmp/ffiaRNtZZ (deleted)
7ffff7ff8000-7ffff7ff9000 r-xs 00000000 fd:04 29                         /tmp/ffiaRNtZZ (deleted)
7ffff7ff9000-7ffff7ffa000 rw-p 00000000 00:00 0
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00021000 fd:01 144721                     /usr/lib64/ld-2.17.so
7ffff7ffd000-7ffff7ffe000 rw-p 00022000 fd:01 144721                     /usr/lib64/ld-2.17.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted
[root@your ~]#

BTW, my kernel version is 3.10.0-693.2.2.el7.

[ldx]

@codecat555 can you try to create a new virtualenv, install python-iptables from latest master in it, and run your test script?

[codecat555]

Ok, I installed a system using the Centos 7.4.1708 Minimal ISO with all default settings.

I then removed iptables-1.4.21 and installed iptables-1.6.2.

I installed python 2.7.14 and python-iptables (master).

Same test script -

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@localhost ~]#
[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]#
[root@localhost ~]# /usr/local/bin/python2.7 -V
Python 2.7.14
[root@localhost ~]#
[root@localhost ~]# iptables -v
iptables v1.6.2: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# bash iptables.minimal; /usr/local/bin/python2.7 showit4.py 4
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
4        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
5        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
6        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Traceback (most recent call last):
  File "showit4.py", line 18, in <module>
    chain.insert_rule(rule, 1)
  File "/usr/local/lib/python2.7/site-packages/iptc/ip4tc.py", line 1473, in insert_rule
    self.table.insert_entry(self.name, rbuf, position)
  File "/usr/local/lib/python2.7/site-packages/iptc/ip4tc.py", line 1519, in new
    ret = fn(*args)
  File "/usr/local/lib/python2.7/site-packages/iptc/ip4tc.py", line 1756, in insert_entry
    (chain, self.strerror()))
iptc.ip4tc.IPTCError: can't insert entry into chain INPUT: Index of insertion too big
[root@localhost ~]#

[codecat555]

This is odd. There seems to point to some sort of interaction with sys.argv -

[root@localhost ~]# diff showit4.py showit5.py
13a14,15
> print "rule count: %d" % (len(chain.rules))
>
[root@localhost ~]# bash iptables.minimal ; /usr/local/bin/python2.7 showit5.py
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
4        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
5        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
6        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
rule count: 0
Traceback (most recent call last):
  File "showit5.py", line 20, in <module>
    chain.insert_rule(rule, 1)
  File "/usr/local/lib/python2.7/site-packages/iptc/ip4tc.py", line 1473, in insert_rule
    self.table.insert_entry(self.name, rbuf, position)
  File "/usr/local/lib/python2.7/site-packages/iptc/ip4tc.py", line 1519, in new
    ret = fn(*args)
  File "/usr/local/lib/python2.7/site-packages/iptc/ip4tc.py", line 1756, in insert_entry
    (chain, self.strerror()))
iptc.ip4tc.IPTCError: can't insert entry into chain INPUT: Index of insertion too big
[root@localhost ~]#
[root@localhost ~]# diff showit5.py showit6.py
5c5
< if sys.argv[0] == 4:
---
> if True:
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# bash iptables.minimal ; /usr/local/bin/python2.7 showit6.py
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
4        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
5        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
6        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
rule count: 6
[root@localhost ~]#
[root@localhost ~]# iptables -nvL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2       98  8988 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        2   104 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 46 packets, 5608 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]#

[ldx]

So one thing that is not supported is mixing iptables4 and iptables6 calls in the same process. Can you try moving all iptables6 calls into a separate script/process?

[codecat555]

Is that limitation (about mixing iptable4 and iptables6) specific to python-iptables, or is it something in libiptc?

I didn't know about that and have implemented a good bit of code which does act on both at the same time in the same process. Thing is, it all seems to work...except for this issue and I think I can work around that. I'm just wondering if I can expect to see other issues popping up if I don't go the multiprocessing route.

Anyways, I split the test script into two to separate iptables4 and iptables6. The iptables4 version seems to work ok, but the iptables6 result looks the same -

[root@localhost ~]# cat showit7.py

import sys
import iptc

table = iptc.Table6(iptc.Table6.FILTER, autocommit=False)

chain = iptc.Chain(table, 'INPUT')

table.refresh()

print "rule count: %d" % (len(chain.rules))

rule = iptc.Rule()
rule.protocol = 'ip'
rule.create_target('ACCEPT')

chain.insert_rule(rule, 1)

table.commit()

[root@localhost ~]# bash ip6tables.minimal ; /usr/local/bin/python2.7 showit7.py
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all      lo     any     anywhere             anywhere
2        0     0 ACCEPT     all      any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp      any    any     anywhere             anywhere             tcp dpt:ssh
4        0     0 ACCEPT     tcp      any    any     anywhere             anywhere             tcp dpt:http
5        0     0 ACCEPT     tcp      any    any     anywhere             anywhere             tcp dpt:https
6        0     0 ACCEPT     tcp      any    any     anywhere             anywhere             tcp dpt:ftp

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
rule count: 6
Traceback (most recent call last):
  File "showit7.py", line 19, in <module>
    table.commit()
  File "/usr/local/lib/python2.7/site-packages/iptc/ip4tc.py", line 1599, in commit
    raise IPTCError("can't commit: %s" % (self.strerror()))
iptc.ip4tc.IPTCError: can't commit: Invalid argument
[root@localhost ~]#

[ldx]

Is that limitation (about mixing iptable4 and iptables6) specific to python-iptables, or is it something in libiptc?

libiptc internal limitation. There might be workarounds to it, but I've never really bothered to explore.

Anyways, I split the test script into two to separate iptables4 and iptables6. The iptables4 version seems to work ok, but the iptables6 result looks the same -

Did you check the INPUT chain for iptables6 rules? It might be empty when you're trying to insert a rule at a specific index.

[codecat555]

Actually, my code does not manipulate the INPUT chain. I just used that in the example here because it simplified the picture.

I have verified the results of the operations I've implemented. I have higher-level add, insert, delete, and replace operations built on top of python-iptables. Each operation is executed on both ipv4 and ipv6 tables. The tests I've done are not comprehensive, but these basic operations seem to be working fine.

I hit the issue here in one method I have for resetting all the rules in my custom chain to a default state. It first calls flush() on the chain and then drops into an insert loop to create the default rule set. The debugger shows that this all works properly, it only fails when commit() is called. My workaround is to just call iptables-restore and ip6tables-restore instead.

Still wondering if I really need to pull in multiprocessing or not.

I'd like to understand the libiptc issue better, but I haven't found anything in my searches.

Apart from all that, isn't the behavior shown in the last example a bug we can try to fix?

[ldx]

Do you use a different script for your IPv6 tests? I can try to reproduce (I failed to repro with the original one at the beginning of this thread). We should certainly fix any kind of legit use case if the behavior is not correct.

[codecat555]

This is the IPv6 test/bug I was talking about -

[root@localhost ~]# cat showit7.py

import sys
import iptc

table = iptc.Table6(iptc.Table6.FILTER, autocommit=False)

chain = iptc.Chain(table, 'INPUT')

table.refresh()

print "rule count: %d" % (len(chain.rules))

rule = iptc.Rule()
rule.protocol = 'ip'
rule.create_target('ACCEPT')

chain.insert_rule(rule, 1)

table.commit()

[root@localhost ~]# bash ip6tables.minimal ; /usr/local/bin/python2.7 showit7.py
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all      lo     any     anywhere             anywhere
2        0     0 ACCEPT     all      any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp      any    any     anywhere             anywhere             tcp dpt:ssh
4        0     0 ACCEPT     tcp      any    any     anywhere             anywhere             tcp dpt:http
5        0     0 ACCEPT     tcp      any    any     anywhere             anywhere             tcp dpt:https
6        0     0 ACCEPT     tcp      any    any     anywhere             anywhere             tcp dpt:ftp

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
rule count: 6
Traceback (most recent call last):
  File "showit7.py", line 19, in <module>
    table.commit()
  File "/usr/local/lib/python2.7/site-packages/iptc/ip4tc.py", line 1599, in commit
    raise IPTCError("can't commit: %s" % (self.strerror()))
iptc.ip4tc.IPTCError: can't commit: Invalid argument
[root@localhost ~]#

[ldx]

Can you try changing the line

rule = iptc.Rule()

to

rule = iptc.Rule6()

and report back? Thanks!