ldx / python-iptables

Python bindings for iptables
730 stars 183 forks source link

incompatibility between python-iptables and uwsgi #231

Open wd16yuan opened 6 years ago

wd16yuan commented 6 years ago

env:

flask 0.12.1 uwsgi 2.0.17 python-iptables 0.12

part of the code:

table = iptc.Table(iptc.Table.FILTER) table.refresh() default_chain = iptc.Chain(table, 'INPUT') rule = iptc.Rule() rule.protocol = 'tcp' rule.target = iptc.Target(rule, 'LimitAudit_8010') match = iptc.Match(rule, 'tcp') match.dport = '8010' rule.add_match(match) default_chain.insert_rule(rule)

abnormal

request flask to add firewall exceptions

!!! uWSGI process 97232 got Segmentation Fault !!! backtrace of 97232 /usr/local/python27/bin/uwsgi(uwsgi_backtrace+0x29) [0x470689] /usr/local/python27/bin/uwsgi(uwsgi_segfault+0x21) [0x470811] /lib64/libc.so.6(+0x32660) [0x7f48dfe9d660] /lib64/libc.so.6(+0x81301) [0x7f48dfeec301] /lib64/libc.so.6(__strdup+0x16) [0x7f48dfeec016] /lib64/xtables/libxt_tcp.so(+0x1250) [0x7f48d1b3f250] /lib64/xtables/libxt_tcp.so(+0x15f7) [0x7f48d1b3f5f7] /usr/local/python27/lib/python2.7/site-packages/libxtwrapper.so(wrap_parse+0x51) [0x7f48d3f51ac1] /usr/local/python27/lib/python2.7/lib-dynload/_ctypes.so(ffi_call_unix64+0x4c) [0x7f48d4fcf33c] /usr/local/python27/lib/python2.7/lib-dynload/_ctypes.so(ffi_call+0x1f5) [0x7f48d4fcea95] /usr/local/python27/lib/python2.7/lib-dynload/_ctypes.so(_ctypes_callproc+0x3e6) [0x7f48d4fc6176] /usr/local/python27/lib/python2.7/lib-dynload/_ctypes.so(+0x9d33) [0x7f48d4fbdd33] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x4c4a) [0x7f48e052ccda] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x88e) [0x7f48e052f5ee] /usr/local/python27/lib/libpython2.7.so.1.0(+0x77751) [0x7f48e04ad751] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x4145) [0x7f48e052c1d5] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x88e) [0x7f48e052f5ee] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5b97) [0x7f48e052dc27] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x88e) [0x7f48e052f5ee] /usr/local/python27/lib/libpython2.7.so.1.0(+0x77751) [0x7f48e04ad751] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(+0x5a8af) [0x7f48e04908af] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(+0xb1535) [0x7f48e04e7535] /usr/local/python27/lib/libpython2.7.so.1.0(+0xb1d8b) [0x7f48e04e7d8b] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_SetAttr+0x87) [0x7f48e04c9157] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x27f6) [0x7f48e052a886] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x88e) [0x7f48e052f5ee] /usr/local/python27/lib/libpython2.7.so.1.0(+0x77858) [0x7f48e04ad858] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x4145) [0x7f48e052c1d5] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x88e) [0x7f48e052f5ee] /usr/local/python27/lib/libpython2.7.so.1.0(+0x77751) [0x7f48e04ad751] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(+0x5a8af) [0x7f48e04908af] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(+0xb49bc) [0x7f48e04ea9bc] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_CallObjectWithKeywords+0x43) [0x7f48e0527193] /usr/local/python27/bin/uwsgi(python_call+0x1f) [0x484acf] /usr/local/python27/bin/uwsgi(uwsgi_request_wsgi+0x132) [0x487072] /usr/local/python27/bin/uwsgi(wsgi_req_recv+0xa3) [0x422463] /usr/local/python27/bin/uwsgi(simple_loop_run+0xc5) [0x468515] /usr/local/python27/bin/uwsgi(simple_loop+0xe) [0x46860e] /usr/local/python27/bin/uwsgi(uwsgi_ignition+0x264) [0x4711d4] /usr/local/python27/bin/uwsgi(uwsgi_worker_run+0x350) [0x471580] /usr/local/python27/bin/uwsgi(uwsgi_run+0x4be) [0x471abe] /lib64/libc.so.6(__libc_start_main+0xfd) [0x7f48dfe89d1d] /usr/local/python27/bin/uwsgi() [0x41ee69] end of backtrace

excuse me, can solve it?

ldx commented 6 years ago

Hey,

the code snippet you pasted works for me (without uwsgi, after creating the chain LimitAudit_8010).

Can you tell me:

Thanks!

wd16yuan commented 6 years ago

@ldx sorry, forget to paste the complete code.

complete code:

table = iptc.Table(iptc.Table.FILTER) table.refresh() if not table.is_chain('LimitAudit_8010'): table.create_chain('LimitAudit_8010') default_chain = iptc.Chain(table, 'INPUT') rule = iptc.Rule() rule.protocol = 'tcp' rule.target = iptc.Target(rule, 'LimitAudit_8010') match = iptc.Match(rule, 'tcp') match.dport = '8010' rule.add_match(match) default_chain.insert_rule(rule)

env:

python version 2.7.9 iptables version v1.4.7 python-iptables version 0.12.0 (it is installed through pip)

problem description:

execution to " match.dport = '8010' " abnormality.

abnormal:

!!! uWSGI process 97232 got Segmentation Fault !!! backtrace of 97232 /usr/local/python27/bin/uwsgi(uwsgi_backtrace+0x29) [0x470689] /usr/local/python27/bin/uwsgi(uwsgi_segfault+0x21) [0x470811] /lib64/libc.so.6(+0x32660) [0x7f48dfe9d660] /lib64/libc.so.6(+0x81301) [0x7f48dfeec301] /lib64/libc.so.6(__strdup+0x16) [0x7f48dfeec016] /lib64/xtables/libxt_tcp.so(+0x1250) [0x7f48d1b3f250] /lib64/xtables/libxt_tcp.so(+0x15f7) [0x7f48d1b3f5f7] /usr/local/python27/lib/python2.7/site-packages/libxtwrapper.so(wrap_parse+0x51) [0x7f48d3f51ac1] /usr/local/python27/lib/python2.7/lib-dynload/_ctypes.so(ffi_call_unix64+0x4c) [0x7f48d4fcf33c] /usr/local/python27/lib/python2.7/lib-dynload/_ctypes.so(ffi_call+0x1f5) [0x7f48d4fcea95] /usr/local/python27/lib/python2.7/lib-dynload/_ctypes.so(_ctypes_callproc+0x3e6) [0x7f48d4fc6176] /usr/local/python27/lib/python2.7/lib-dynload/_ctypes.so(+0x9d33) [0x7f48d4fbdd33] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x4c4a) [0x7f48e052ccda] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x88e) [0x7f48e052f5ee] /usr/local/python27/lib/libpython2.7.so.1.0(+0x77751) [0x7f48e04ad751] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x4145) [0x7f48e052c1d5] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x88e) [0x7f48e052f5ee] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5b97) [0x7f48e052dc27] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x88e) [0x7f48e052f5ee] /usr/local/python27/lib/libpython2.7.so.1.0(+0x77751) [0x7f48e04ad751] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(+0x5a8af) [0x7f48e04908af] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(+0xb1535) [0x7f48e04e7535] /usr/local/python27/lib/libpython2.7.so.1.0(+0xb1d8b) [0x7f48e04e7d8b] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_SetAttr+0x87) [0x7f48e04c9157] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x27f6) [0x7f48e052a886] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x88e) [0x7f48e052f5ee] /usr/local/python27/lib/libpython2.7.so.1.0(+0x77858) [0x7f48e04ad858] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x4145) [0x7f48e052c1d5] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x5eeb) [0x7f48e052df7b] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x88e) [0x7f48e052f5ee] /usr/local/python27/lib/libpython2.7.so.1.0(+0x77751) [0x7f48e04ad751] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(+0x5a8af) [0x7f48e04908af] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(+0xb49bc) [0x7f48e04ea9bc] /usr/local/python27/lib/libpython2.7.so.1.0(PyObject_Call+0x53) [0x7f48e047e273] /usr/local/python27/lib/libpython2.7.so.1.0(PyEval_CallObjectWithKeywords+0x43) [0x7f48e0527193] /usr/local/python27/bin/uwsgi(python_call+0x1f) [0x484acf] /usr/local/python27/bin/uwsgi(uwsgi_request_wsgi+0x132) [0x487072] /usr/local/python27/bin/uwsgi(wsgi_req_recv+0xa3) [0x422463] /usr/local/python27/bin/uwsgi(simple_loop_run+0xc5) [0x468515] /usr/local/python27/bin/uwsgi(simple_loop+0xe) [0x46860e] /usr/local/python27/bin/uwsgi(uwsgi_ignition+0x264) [0x4711d4] /usr/local/python27/bin/uwsgi(uwsgi_worker_run+0x350) [0x471580] /usr/local/python27/bin/uwsgi(uwsgi_run+0x4be) [0x471abe] /lib64/libc.so.6(__libc_start_main+0xfd) [0x7f48dfe89d1d] /usr/local/python27/bin/uwsgi() [0x41ee69] end of backtrace

wd16yuan commented 6 years ago

@ldx if i cancel all "iptc.match" settings, uWSGI will not be abnormal.

pavelsly commented 6 years ago

I have same problem. Can solve it?

nassimabedi commented 6 years ago

I have the same problem it doesn't work with uwsgi but works correctly in develop mode.

  match2.set_parameter('comment', 'this is a test comment')
  File "/env/lib/python2.7/site-packages/iptc/ip4tc.py", line 285, in set_parameter
    return self.parse(parameter.replace("_", "-"), value)
  File "/env/lib/python2.7/site-packages/iptc/ip4tc.py", line 332, in parse
    self._parse(argv, inv, entry)
  File "env/lib/python2.7/site-packages/iptc/ip4tc.py", line 600, in _parse
    self._orig_parse, self._orig_options)
  File "env/lib/python2.7/site-packages/iptc/xtables.py", line 872, in new
    return fn(*args)
  File "env/lib/python2.7/site-packages/iptc/xtables.py", line 1171, in parse_match
    m.name, len(argv) > 1 and argv[1] or "", rv))
nassimabedi commented 6 years ago

in my case problem is with uwsgi and it works correctly with gunicorn

gmurdocca commented 2 years ago

I hit the above described issue with uWSGI exiting with SEGV when using iptc. Thanks to @nassimabedi I also observed that replacing uWSGI with Gunicorn solved the issue.

For anyone else needing a solution:

If starting Gunicorn using systemd, adding the following line to the documented unit file example under the[Service] block will add the requisite linux capabilities (cap_net_raw and cap_net_admin) to the Gunicorn processes that allow iptc to work as a low-privileged user (not root).

AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW