Nftables Kernel Panic on 6.18.14-1 & 6.19.4-1 after 2026-02-26 update

After these kernel updates were pushed out, nftables.service loading firewall rules causes a kernel panic, system instability, and eventual blue screen crash:

Oops: general protection fault, probably for non-canonical address 0x30f46bf11be51122: 0000 [#1] SMP PTI
CPU: 5 UID: 0 PID: 37496 Comm: nft Tainted: G     U              6.19.4-1-MANJARO #1 PREEMPT(full)  861243b5710c270c8bbd911a49416f4ae2af20b6
Tainted: [U]=USER
Hardware name: Gigabyte Technology Co., Ltd. Z170X-UD5/Z170X-UD5-CF, BIOS F23i 03/09/2018
RIP: 0010:__kmalloc_noprof+0x47c/0x6a0
Code: 1a 02 00 00 48 8b 31 48 c1 ee 36 48 0f a3 70 08 0f 83 c3 01 00 00 48 85 ff 74 83 41 ba ff ff ff ff 41 8b 44 24 30 49 8b 34 24 <4c> 8b 04 07 48 8d 0c 38 4d 33 84 24 c0 00 00 00 48 89 f8 48 0f c9
RSP: 0018:ffffcfead2a772e0 EFLAGS: 00010246
RAX: 0000000000000020 RBX: ffffcfead2a77456 RCX: fffff48ac43045c0
RDX: 0000000001b7e005 RSI: ffffffffbd9608a0 RDI: 30f46bf11be51102
RBP: ffffcfead2a77340 R08: ffffcfead2a77580 R09: 000000000000003c
R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8d9500044e00
R13: 000000000000003c R14: 0000000000400dc0 R15: ffffffffc2b00ab2
FS:  00007f80c2cc0c40(0000) GS:ffff8da4a0618000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2f0e5f97a8 CR3: 000000019f026001 CR4: 00000000003706f0
Call Trace:
 <TASK>
 ? nft_set_elem_init+0x52/0x1f0 [nf_tables 200f4a92e165c2b1ddbbf512989046628ff81f11]
 ? nft_data_init+0xc8/0x2a0 [nf_tables 200f4a92e165c2b1ddbbf512989046628ff81f11]
 nft_set_elem_init+0x52/0x1f0 [nf_tables 200f4a92e165c2b1ddbbf512989046628ff81f11]
 nft_add_set_elem+0xc54/0x15f0 [nf_tables 200f4a92e165c2b1ddbbf512989046628ff81f11]
 ? refill_obj_stock+0x12e/0x240
 nf_tables_newsetelem+0x1bc/0x290 [nf_tables 200f4a92e165c2b1ddbbf512989046628ff81f11]
 nfnetlink_rcv_batch+0x439/0x6b0 [nfnetlink d4081e3fdc926622491997ed88b675ec68cc7f38]
 nfnetlink_rcv+0x195/0x1c0 [nfnetlink d4081e3fdc926622491997ed88b675ec68cc7f38]
 netlink_unicast+0x288/0x3c0
 netlink_sendmsg+0x20d/0x430
 ____sys_sendmsg+0x388/0x3c0
 ? import_iovec+0x2f/0x40
 ___sys_sendmsg+0x99/0xe0
 __sys_sendmsg+0x8a/0xf0
 do_syscall_64+0x81/0x610
 ? do_sock_getsockopt+0x1c1/0x200
 ? __sys_getsockopt+0x7e/0xd0
 ? __x64_sys_getsockopt+0x1f/0x30
 ? do_syscall_64+0x81/0x610
 ? do_anonymous_page+0xfb/0x820
 ? ___pte_offset_map+0x1b/0x100
 ? __handle_mm_fault+0xb46/0xf60
 ? count_memcg_events+0xc2/0x170
 ? handle_mm_fault+0x1d7/0x2d0
 ? do_user_addr_fault+0x21a/0x690
 ? exc_page_fault+0x7e/0x1a0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f80c2ec33be
Code: 4d 89 d8 e8 64 bb 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 03 ff ff ff 0f 1f 00 f3 0f 1e fa
RSP: 002b:00007ffdf86fc970 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000056091ee0bb70 RCX: 00007f80c2ec33be
RDX: 0000000000000000 RSI: 00007ffdf870db20 RDI: 0000000000000003
RBP: 00007ffdf86fc980 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000062c00
R13: 00007ffdf86fc9d0 R14: 0000000000011014 R15: 00007ffdf870dd80
 </TASK>
Modules linked in: nft_reject_inet nft_limit cfg80211 snd_seq_dummy snd_hrtimer snd_seq nft_masq nft_ct nft_reject_ipv6 nf_reject_ipv6 nft_reject_ipv4 nf_reject_ipv4 nft_reject act_csum cls_u32 sch_htb nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 bridge stp llc rpcsec_gss_krb5 nfsv4 dns_resolver nfs netfs overlay rpcrdma rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi xt_comment nft_compat x_tables nf_tables rfkill nfnetlink_log si2157 lgdt3306a vfat intel_rapl_msr fat ee1004 iTCO_wdt mei_pxp intel_pmc_bxt mei_hdcp cx25840 iTCO_vendor_support intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common cx23885 raid456 altera_ci intel_tcc_cooling tda18271 async_raid6_recov altera_stapl async_memcpy x86_pkg_temp_thermal m88ds3103 async_pq intel_powerclamp async_xor cx2341x coretemp snd_hda_codec_intelhdmi async_tx tveeprom videobuf2_dvb snd_soc_avs kvm_intel snd_soc_hda_codec dvb_core videobuf2_vmalloc snd_hda_codec_alc882 snd_hda_ext_core
 snd_hda_codec_realtek_lib rapl videobuf2_dma_sg intel_cstate snd_usb_audio snd_hda_codec_generic snd_hda_codec_atihdmi videobuf2_memops snd_soc_core intel_uncore videobuf2_v4l2 snd_compress intel_wmi_thunderbolt snd_hda_codec_hdmi mxm_wmi pcspkr ac97_bus i2c_i801 snd_usbmidi_lib e1000e videobuf2_common snd_hda_intel snd_pcm_dmaengine snd_ump i2c_smbus videodev snd_rawmidi i2c_mux snd_hda_codec igb mei_me snd_seq_device ftdi_sio ixgbe snd_hda_core mei mc cdc_acm nfsd libie_fwlog snd_intel_dspcfg mdio_devres snd_intel_sdw_acpi xpad auth_rpcgss libphy snd_hwdep ff_memless nfs_acl mdio_bus snd_pcm mdio lockd snd_timer ptp snd grace pps_core soundcore nfs_localio dca raid1 intel_pmc_core pmt_telemetry sunrpc pmt_discovery intel_oc_wdt pmt_class intel_pmc_ssram_telemetry acpi_pad intel_vsec md_mod joydev mousedev mac_hid kvmgt vfio_pci vfio_pci_core kvm vfio_iommu_type1 vfio dm_mod uinput iommufd nbd irqbypass sg mdev i2c_dev crypto_user nfnetlink amdgpu i915 nvme amdxcp sr_mod drm_ttm_helper nvme_core drm_exec
 cdrom drm_panel_backlight_quirks hid_logitech_hidpp intel_gtt nvme_keyring gpu_sched i2c_algo_bit ata_generic nvme_auth drm_suballoc_helper ttm ghash_clmulni_intel pata_acpi aesni_intel hkdf uas drm_buddy pata_jmicron usb_storage drm_display_helper cec video wmi hid_logitech_dj serio_raw
---[ end trace 0000000000000000 ]---
Then later more alloc_fdtable stacktraces & system lockup / blue screen kernel panic crash
RIP: 0010:__kmalloc_noprof+0x47c/0x6a0
Oops: general protection fault, probably for non-canonical address 0x30f46bf11be51122: 0000 [#2] SMP PTI
Code: 1a 02 00 00 48 8b 31 48 c1 ee 36 48 0f a3 70 08 0f 83 c3 01 00 00 48 85 ff 74 83 41 ba ff ff ff ff 41 8b 44 24 30 49 8b 34 24 <4c> 8b 04 07 48 8d 0c 38 4d 33 84 24 c0 00 00 00 48 89 f8 48 0f c9
CPU: 5 UID: 1000 PID: 3674 Comm: sh Tainted: G     UD             6.19.4-1-MANJARO #1 PREEMPT(full)  861243b5710c270c8bbd911a49416f4ae2af20b6
Tainted: [U]=USER, [D]=DIE
Hardware name: Gigabyte Technology Co., Ltd. Z170X-UD5/Z170X-UD5-CF, BIOS F23i 03/09/2018
RIP: 0010:__kmalloc_cache_noprof+0x409/0x5b0
Code: c2 66 41 f7 44 24 10 04 02 0f 45 c2 e9 58 fd ff ff 48 85 ff 74 a5 48 85 c9 74 a0 41 ba ff ff ff ff 41 8b 44 24 30 49 8b 34 24 <4c> 8b 1c 07 48 8d 0c 38 4d 33 9c 24 c0 00 00 00 48 89 f8 48 0f c9
RSP: 0018:ffffcfead3f2bb20 EFLAGS: 00010246
RSP: 0018:ffffcfead2a772e0 EFLAGS: 00010246

RAX: 0000000000000020 RBX: ffff8d956ffc0b00 RCX: fffff48ac43045c0
RDX: 0000000001b7e005 RSI: ffffffffbd9608a0 RDI: 30f46bf11be51102
RBP: ffffcfead3f2bb90 R08: 0000000000000038 R09: ffffffffbaf74205
R10: 00000000ffffffff R11: ffff8d95551e1180 R12: ffff8d9500044e00
R13: 0000000000000038 R14: 0000000000400cc0 R15: 0000000000000000
FS:  00007f172de08b80(0000) GS:ffff8da4a0618000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a011f279d8 CR3: 0000000105e40006 CR4: 00000000003706f0

Call Trace:
 <TASK>
 ? alloc_fdtable+0x55/0x140
RAX: 0000000000000020 RBX: ffffcfead2a77456 RCX: fffff48ac43045c0
 ? alloc_fdtable+0x55/0x140
 alloc_fdtable+0x55/0x140
RDX: 0000000001b7e005 RSI: ffffffffbd9608a0 RDI: 30f46bf11be51102
 dup_fd+0x334/0x3a0
RBP: ffffcfead2a77340 R08: ffffcfead2a77580 R09: 000000000000003c
 ? lsm_blob_alloc+0x33/0x50
R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8d9500044e00
 copy_process+0x102a/0x1d00
 kernel_clone+0xbc/0x4a0
R13: 000000000000003c R14: 0000000000400dc0 R15: ffffffffc2b00ab2
 ? kmem_cache_alloc_noprof+0x156/0x5e0
FS:  00007f80c2cc0c40(0000) GS:ffff8da4a05d8000(0000) knlGS:0000000000000000
 __do_sys_clone+0x65/0x90
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 do_syscall_64+0x81/0x610
CR2: 00007fe4a802f4b6 CR3: 000000019f026005 CR4: 00000000003706f0
 ? _copy_to_user+0x31/0x40
 ? do_pipe2+0xcc/0x110
 ? __x64_sys_pipe2+0x18/0x20
 ? do_syscall_64+0x81/0x610
 ? _copy_to_user+0x31/0x40
 ? _copy_from_user+0x27/0x60
 ? _copy_to_user+0x31/0x40
 ? __x64_sys_rt_sigprocmask+0xfe/0x160
 ? do_syscall_64+0x81/0x610
 ? irqtime_account_irq+0x3c/0xc0
 ? handle_softirqs+0x192/0x2a0
 ? __irq_exit_rcu+0x4c/0xf0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f172df5f888
Code: 7d e0 e8 ab aa f5 ff 45 31 c0 31 d2 31 f6 64 48 8b 04 25 10 00 00 00 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 60 41 89 c4 85 c0 75 31 64 48 8b 04 25 10 00
RSP: 002b:00007ffe2e213ac0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f172df5f888
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007ffe2e213ae0 R08: 0000000000000000 R09: 0000000000000000
R10: 00007f172de08e50 R11: 0000000000000246 R12: 000055a011f2ba80
R13: 0000000000000004 R14: 0000000000000000 R15: 00007ffe2e213cf0
 </TASK>
---[ end trace 0000000000000000 ]---
RIP: 0010:__kmalloc_noprof+0x47c/0x6a0
Code: 1a 02 00 00 48 8b 31 48 c1 ee 36 48 0f a3 70 08 0f 83 c3 01 00 00 48 85 ff 74 83 41 ba ff ff ff ff 41 8b 44 24 30 49 8b 34 24 <4c> 8b 04 07 48 8d 0c 38 4d 33 84 24 c0 00 00 00 48 89 f8 48 0f c9
RSP: 0018:ffffcfead2a772e0 EFLAGS: 00010246
RAX: 0000000000000020 RBX: ffffcfead2a77456 RCX: fffff48ac43045c0
RDX: 0000000001b7e005 RSI: ffffffffbd9608a0 RDI: 30f46bf11be51102
RBP: ffffcfead2a77340 R08: ffffcfead2a77580 R09: 000000000000003c
R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8d9500044e00
R13: 000000000000003c R14: 0000000000400dc0 R15: ffffffffc2b00ab2
FS:  00007f172de08b80(0000) GS:ffff8da4a0558000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92f636a010 CR3: 0000000105e40004 CR4: 00000000003706f0

Oops: general protection fault, probably for non-canonical address 0x30f46bf11be51122: 0000 [#3] SMP PTI
CPU: 5 UID: 1000 PID: 3544 Comm: waybar Tainted: G     UD             6.19.4-1-MANJARO #1 PREEMPT(full)  861243b5710c270c8bbd911a49416f4ae2af20b6
Tainted: [U]=USER, [D]=DIE
Hardware name: Gigabyte Technology Co., Ltd. Z170X-UD5/Z170X-UD5-CF, BIOS F23i 03/09/2018
RIP: 0010:__kmalloc_cache_noprof+0x409/0x5b0
Code: c2 66 41 f7 44 24 10 04 02 0f 45 c2 e9 58 fd ff ff 48 85 ff 74 a5 48 85 c9 74 a0 41 ba ff ff ff ff 41 8b 44 24 30 49 8b 34 24 <4c> 8b 1c 07 48 8d 0c 38 4d 33 9c 24 c0 00 00 00 48 89 f8 48 0f c9
RSP: 0018:ffffcfead38a3bf0 EFLAGS: 00010246
RAX: 0000000000000020 RBX: ffff8d955af4cdc0 RCX: fffff48ac43045c0
RDX: 0000000001b92005 RSI: ffffffffbd9608a0 RDI: 30f46bf11be51102
RBP: ffffcfead38a3c60 R08: 0000000000000038 R09: ffffffffbaf74205
R10: 00000000ffffffff R11: ffff8d95551e1180 R12: ffff8d9500044e00
R13: 0000000000000038 R14: 0000000000400cc0 R15: 0000000000000000
FS:  00007fe54affd6c0(0000) GS:ffff8da4a0618000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe49c001080 CR3: 0000000113956004 CR4: 00000000003706f0
Call Trace:
 <TASK>
 ? alloc_fdtable+0x55/0x140
 ? alloc_fdtable+0x55/0x140
 alloc_fdtable+0x55/0x140
 dup_fd+0x334/0x3a0
 ? lsm_blob_alloc+0x33/0x50
 copy_process+0x102a/0x1d00
 kernel_clone+0xbc/0x4a0
 __do_sys_clone+0x65/0x90
 do_syscall_64+0x81/0x610
 ? do_user_addr_fault+0x21a/0x690
 ? exc_page_fault+0x7e/0x1a0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fe5949d5888
Code: 7d e0 e8 ab aa f5 ff 45 31 c0 31 d2 31 f6 64 48 8b 04 25 10 00 00 00 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 60 41 89 c4 85 c0 75 31 64 48 8b 04 25 10 00
RSP: 002b:00007fe54affc610 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5949d5888
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007fe54affc630 R08: 0000000000000000 R09: 0000000000073c7e
R10: 00007fe54affd990 R11: 0000000000000246 R12: 00007fe54affc8c0
R13: 00007ffd82c23ca0 R14: 0000000000000001 R15: 00007ffd82c23da7
 </TASK>
---[ end trace 0000000000000000 ]---

RIP: 0010:__kmalloc_noprof+0x47c/0x6a0
Code: 1a 02 00 00 48 8b 31 48 c1 ee 36 48 0f a3 70 08 0f 83 c3 01 00 00 48 85 ff 74 83 41 ba ff ff ff ff 41 8b 44 24 30 49 8b 34 24 <4c> 8b 04 07 48 8d 0c 38 4d 33 84 24 c0 00 00 00 48 89 f8 48 0f c9
RSP: 0018:ffffcfead2a772e0 EFLAGS: 00010246
RAX: 0000000000000020 RBX: ffffcfead2a77456 RCX: fffff48ac43045c0
RDX: 0000000001b7e005 RSI: ffffffffbd9608a0 RDI: 30f46bf11be51102
RBP: ffffcfead2a77340 R08: ffffcfead2a77580 R09: 000000000000003c
R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8d9500044e00
R13: 000000000000003c R14: 0000000000400dc0 R15: ffffffffc2b00ab2
FS:  00007fe54affd6c0(0000) GS:ffff8da4a0618000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe49c001080 CR3: 0000000113956004 CR4: 00000000003706f0

Oops: general protection fault, probably for non-canonical address 0x30f46bf11be51122: 0000 [#4] SMP PTI
CPU: 5 UID: 1000 PID: 37594 Comm: sh Tainted: G     UD             6.19.4-1-MANJARO #1 PREEMPT(full)  861243b5710c270c8bbd911a49416f4ae2af20b6
Tainted: [U]=USER, [D]=DIE
Hardware name: Gigabyte Technology Co., Ltd. Z170X-UD5/Z170X-UD5-CF, BIOS F23i 03/09/2018
RIP: 0010:__kmalloc_cache_noprof+0x409/0x5b0
Code: c2 66 41 f7 44 24 10 04 02 0f 45 c2 e9 58 fd ff ff 48 85 ff 74 a5 48 85 c9 74 a0 41 ba ff ff ff ff 41 8b 44 24 30 49 8b 34 24 <4c> 8b 1c 07 48 8d 0c 38 4d 33 9c 24 c0 00 00 00 48 89 f8 48 0f c9
RSP: 0018:ffffcfead2ccbb60 EFLAGS: 00010246
RAX: 0000000000000020 RBX: ffff8d956ffc0580 RCX: fffff48ac43045c0
RDX: 0000000001b92005 RSI: ffffffffbd9608a0 RDI: 30f46bf11be51102
RBP: ffffcfead2ccbbd0 R08: 0000000000000038 R09: ffffffffbaf74205
R10: 00000000ffffffff R11: ffff8d95551e1180 R12: ffff8d9500044e00
R13: 0000000000000038 R14: 0000000000400cc0 R15: 0000000000000000
FS:  00007f10db32cb80(0000) GS:ffff8da4a0618000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000558feed599d8 CR3: 00000001da40c004 CR4: 00000000003706f0
Call Trace:
 <TASK>
 ? alloc_fdtable+0x55/0x140
 ? alloc_fdtable+0x55/0x140
 alloc_fdtable+0x55/0x140
 dup_fd+0x334/0x3a0
 ? lsm_blob_alloc+0x33/0x50
 copy_process+0x102a/0x1d00
 kernel_clone+0xbc/0x4a0
 ? __x64_sys_rt_sigprocmask+0xfe/0x160
 __do_sys_clone+0x65/0x90
 do_syscall_64+0x81/0x610
 ? count_memcg_events+0xc2/0x170
 ? handle_mm_fault+0x1d7/0x2d0
 ? do_user_addr_fault+0x21a/0x690
 ? exc_page_fault+0x7e/0x1a0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f10db483888
Code: 7d e0 e8 ab aa f5 ff 45 31 c0 31 d2 31 f6 64 48 8b 04 25 10 00 00 00 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 60 41 89 c4 85 c0 75 31 64 48 8b 04 25 10 00
RSP: 002b:00007ffdf12f0610 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f10db483888
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007ffdf12f0630 R08: 0000000000000000 R09: 0000000000000000
R10: 00007f10db32ce50 R11: 0000000000000246 R12: 0000558feed63480
R13: 0000000000000003 R14: 0000000000000000 R15: 00007ffdf12f0840
 </TASK>
---[ end trace 0000000000000000 ]---
RIP: 0010:__kmalloc_noprof+0x47c/0x6a0
Code: 1a 02 00 00 48 8b 31 48 c1 ee 36 48 0f a3 70 08 0f 83 c3 01 00 00 48 85 ff 74 83 41 ba ff ff ff ff 41 8b 44 24 30 49 8b 34 24 <4c> 8b 04 07 48 8d 0c 38 4d 33 84 24 c0 00 00 00 48 89 f8 48 0f c9
RSP: 0018:ffffcfead2a772e0 EFLAGS: 00010246
RAX: 0000000000000020 RBX: ffffcfead2a77456 RCX: fffff48ac43045c0
RDX: 0000000001b7e005 RSI: ffffffffbd9608a0 RDI: 30f46bf11be51102
RBP: ffffcfead2a77340 R08: ffffcfead2a77580 R09: 000000000000003c
R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8d9500044e00
R13: 000000000000003c R14: 0000000000400dc0 R15: ffffffffc2b00ab2
FS:  00007f10db32cb80(0000) GS:ffff8da4a0518000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5305f6f8cc CR3: 00000001da40c001 CR4: 00000000003706f0

[ 10.5142331] CRZ: 0000000000000004

[ 10.514234] ---[ end trace 0000000000000000 ]---
[ 10.514236] RIP: 0010: __kvmalloc_node_noprof+0x608/0x8a0
[ 10.514239] 
Code: 48 c1 ee 36 48 0f a3 70 08 0f 83 c3 01 00 48 85 ff 0f 84 9d fe ff ff 41 ba ff ff ff ff 41 8b 45 30 49 8b 75 00 48 8d 0c 38 <48> 8b 04 07 49 33 85 c0 00 00 00 48 0f c9 48 31 c8 48 8d 8a 00 00
[ 10.514240] RSP: 0018: ffffd17200b03450 EFLAGS: 00010246
[ 10.514242] RAX: 0000000000000020 RBX: ffff8ba101497b70 RCX: 77de209325fe5e7e
[ 10.514243] RDX: 0000000000280006 RSI: ffffffff9114a8a0 RDI: 77de209325fe5e7e
[ 10.514244] RBP: ffffd17200b034d0 R08: 0000000000000030 R09: 0000000000400cc0
[ 10.514244] R10: 00000000ffffffff R11: ffff8ba1202adf00 R12: 0000000000000030
[ 10.514245] R13: ffff8ba100044e00 R14: 00000000ffffffff R15: 0000000000400cc0
[ 10.514246] FS:  0000000000000000(0000) GS: ffff8bb0ce06d000(0000) knlGS:0000000000000000
[ 10.514247] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 10.514248] CR2: ffffffffffffffda CR3: 000000037e624003 CR4: 00000000003706f0
[ 10.514249] Kernel panic - not syncing: fatal exception in interrupt
[ 10.514261] Kernel Offset: 0xd000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
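
Added example, not part of the original post: a Python triage of the oops text above that checks whether each reported fault address is canonical for the paging mode in CR4, finds which register values add up to it, and groups oopses that hit the same address. `SAMPLE` is constructed from lines of oopses #1, #3 and #4 above; the function names are this example's own, and it assumes the records are not interleaved.

```python
import re
from itertools import combinations

# Constructed sample: header, RIP, register and CR4 lines excerpted from oopses
# #1, #3 and #4 in the post above; call traces and module lists are omitted.
SAMPLE = """\
Oops: general protection fault, probably for non-canonical address 0x30f46bf11be51122: 0000 [#1] SMP PTI
CPU: 5 UID: 0 PID: 37496 Comm: nft Tainted: G     U              6.19.4-1-MANJARO #1 PREEMPT(full)
RIP: 0010:__kmalloc_noprof+0x47c/0x6a0
RAX: 0000000000000020 RBX: ffffcfead2a77456 RCX: fffff48ac43045c0
RDX: 0000000001b7e005 RSI: ffffffffbd9608a0 RDI: 30f46bf11be51102
CR2: 00007f2f0e5f97a8 CR3: 000000019f026001 CR4: 00000000003706f0
Oops: general protection fault, probably for non-canonical address 0x30f46bf11be51122: 0000 [#3] SMP PTI
CPU: 5 UID: 1000 PID: 3544 Comm: waybar Tainted: G     UD             6.19.4-1-MANJARO #1 PREEMPT(full)
RIP: 0010:__kmalloc_cache_noprof+0x409/0x5b0
RAX: 0000000000000020 RBX: ffff8d955af4cdc0 RCX: fffff48ac43045c0
RDX: 0000000001b92005 RSI: ffffffffbd9608a0 RDI: 30f46bf11be51102
CR2: 00007fe49c001080 CR3: 0000000113956004 CR4: 00000000003706f0
Oops: general protection fault, probably for non-canonical address 0x30f46bf11be51122: 0000 [#4] SMP PTI
CPU: 5 UID: 1000 PID: 37594 Comm: sh Tainted: G     UD             6.19.4-1-MANJARO #1 PREEMPT(full)
RIP: 0010:__kmalloc_cache_noprof+0x409/0x5b0
RAX: 0000000000000020 RBX: ffff8d956ffc0580 RCX: fffff48ac43045c0
RDX: 0000000001b92005 RSI: ffffffffbd9608a0 RDI: 30f46bf11be51102
CR2: 0000558feed599d8 CR3: 00000001da40c004 CR4: 00000000003706f0
"""

MASK64 = (1 << 64) - 1
HDR = re.compile(r"Oops: general protection fault, probably for non-canonical "
                 r"address (0x[0-9a-f]+): \d+ \[#(\d+)\]")
COMM = re.compile(r"\bComm: (\S+)")
KRIP = re.compile(r"^RIP: 0010:(\S+)", re.M)  # CS 0x10 is the kernel code segment
REG = re.compile(r"\b(R[A-Z0-9]{2}|CR4): ([0-9a-f]{16})\b")


def parse_oopses(text):
    """Split a dmesg capture into one record per 'Oops:' header."""
    starts = [m.start() for m in HDR.finditer(text)] + [len(text)]
    records = []
    for begin, end in zip(starts, starts[1:]):
        chunk = text[begin:end]
        hdr = HDR.match(chunk)
        regs = {}
        for name, value in REG.findall(chunk):
            # Keep the first dump only: it holds the kernel-side registers.
            regs.setdefault(name, int(value, 16))
        comm, rip = COMM.search(chunk), KRIP.search(chunk)
        records.append({
            "seq": int(hdr.group(2)),
            "fault": int(hdr.group(1), 16),
            "comm": comm.group(1) if comm else None,
            "rip": rip.group(1) if rip else None,
            "cr4": regs.pop("CR4", None),
            "regs": regs,
        })
    return records


def is_canonical(addr, cr4):
    """True if addr is a valid x86-64 virtual address for the paging mode in CR4."""
    va_bits = 57 if cr4 and cr4 & (1 << 12) else 48  # CR4.LA57 set = 5-level paging
    upper = addr >> (va_bits - 1)                     # sign bit and everything above it
    return upper == 0 or upper == (1 << (65 - va_bits)) - 1


def operands_for(fault, regs):
    """Registers whose value, or pairwise sum mod 2**64, equals the fault address."""
    hits = [(r,) for r, v in sorted(regs.items()) if v == fault]
    hits += [(a, b) for a, b in combinations(sorted(regs), 2)
             if (regs[a] + regs[b]) & MASK64 == fault]
    return hits


def triage(text):
    """One summary row per oops: who faulted, where, and on which operands."""
    return [{
        "seq": rec["seq"], "comm": rec["comm"], "rip": rec["rip"],
        "fault": hex(rec["fault"]),
        "canonical": is_canonical(rec["fault"], rec["cr4"]),
        "operands": operands_for(rec["fault"], rec["regs"]),
    } for rec in parse_oopses(text)]


def shared_fault_addresses(rows):
    """Fault addresses hit by more than one oops, with the tasks that hit them."""
    by_addr = {}
    for row in rows:
        by_addr.setdefault(row["fault"], []).append(row["comm"])
    return {addr: comms for addr, comms in by_addr.items() if len(comms) > 1}


if __name__ == "__main__":
    rows = triage(SAMPLE)
    for row in rows:
        print(row)
    print(shared_fault_addresses(rows))
```

On the sample, all three records resolve to RAX + RDI and share one fault address across nft, waybar and sh. That pattern is consistent with a single damaged kernel-side value being read repeatedly, and does not by itself identify what wrote it.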

You need version 6.19.5.
Can you reboot on another kernel?


Should be fixed in 6.19.5

Yes. Although the workaround was to add systemd.unit=rescue.target to kernel cmdline, then disable nftables.service from rescue shell:

systemctl disable nftables.service

This allowed for boot to proceed further. There was also another boot hang problem encountered which was caused by mdadm being broken for this update. Workaround for that was to comment out any /etc/fstab mount lines for /dev/md* (or other RAID partition UUIDs). RAID is now working again on 6.19.4, whereas it was non-operational on 6.18.14 [1] (no /proc/mdstat existed). That seems fixed after switching to 6.19.5-1 with mdadm 4.5-2 [2]

I'll try upgrading to 6.19.5-1 now and reboot + run sudo systemctl start nftables.service to test.


  1. Upstream Arch Linux folks were reporting mdadm 4.5-1 as causing this (perhaps mismatch between kernel + mdadm API versions). Seems to have been fixed in mdadm 4.5-2

  2. I did not test mdadm 4.5-2 with kernel 6.18.14, as the nftables bug caused instability & 6.19.5 is more stable.


I can confirm that kernel panic + segfaults have been resolved in 6.19.5-1! That's a marked improvement, for sure. :grinning_face_with_smiling_eyes:

However, now there seems to be some syntax or rule load changes causing issues. I'll dig into these next. Maybe some ipv6 range syntax support has changed? :thinking: Or perhaps it's a separate issue in aur/nftables-geoip-db.

Expand for nft_geoip rule errors
Job for nftables.service failed because the control process exited with error code.
See "systemctl status nftables.service" and "journalctl -xeu nftables.service" for details.
× nftables.service - Netfilter Tables
     Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Sat 2026-02-28 09:53:40 MST; 7ms ago
 Invocation: ee86a2ca8c5d403cb96e3f7285ff550b
       Docs: man:nft(8)
    Process: 93162 ExecStart=/usr/bin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
   Main PID: 93162 (code=exited, status=1/FAILURE)
   Mem peak: 107.3M
        CPU: 626ms

Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:29668:5-57: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2a04:de40:c0::-2a04:de40:17f:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Feb 28 09:53:40 examplehost.internal systemd[1]: nftables.service: Failed with result 'exit-code'.
Feb 28 09:53:40 examplehost.internal systemd[1]: Failed to start Netfilter Tables.
Feb 28 09:53:40 examplehost.internal systemd[1]: nftables.service: Consumed 626ms CPU time over 642ms wall clock time, 107.3M memory peak.
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:14323:5-60: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2406:daf3:8900::-2406:daf3:8fff:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:15346:5-60: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2408:8656:30ff::-2408:8656:30ff:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:16369:5-60: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2600:1904:6400::-2600:1904:64ff:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:17392:5-60: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2600:70ff:a877::-2600:70ff:a878:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:18415:5-55: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2602:f54e:4::-2602:f54e:10:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:19438:5-55: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2602:ff84:d::-2602:ff84:10:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:20461:5-56: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2605:6400:40::-2605:6400:40:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:21484:5-60: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2606:2e00:cce5::-2606:2e00:cce5:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:22507:5-60: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2607:8940:2958::-2607:8940:2959:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:23530:5-54: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2620:15c:7c::-2620:15c:7c:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:24553:5-58: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2a01:3e1:f580::-2a01:3e1:f58f:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:25576:5-58: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2a01:3e4:4a30::-2a01:3e4:4a4f:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:26599:5-58: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2a01:3e7:7bc0::-2a01:3e7:7bcf:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:27622:5-60: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2a01:ce95:f95c::-2a01:ce95:f963:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:28645:5-60: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2a02:26f7:e38d::-2a02:26f7:e3bf:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal nft[93162]: In file included from /etc/nftables.d/geoip/IN.update.nft:17:1-39:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.d/05-geoip.nft:5:1-38:
Feb 28 09:53:40 examplehost.internal nft[93162]:                  from /etc/nftables.conf:95:1-32:
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:29668:5-57: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2a04:de40:c0::-2a04:de40:17f:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 28 09:53:40 examplehost.internal systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://forum.manjaro.org/c/support
░░
░░ An ExecStart= process belonging to unit nftables.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Feb 28 09:53:40 examplehost.internal systemd[1]: nftables.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://forum.manjaro.org/c/support
░░
░░ The unit nftables.service has entered the 'failed' state with result 'exit-code'.
Feb 28 09:53:40 examplehost.internal systemd[1]: Failed to start Netfilter Tables.
░░ Subject: A start job for unit nftables.service has failed
░░ Defined-By: systemd
░░ Support: https://forum.manjaro.org/c/support
░░
░░ A start job for unit nftables.service has finished with a failure.
░░
░░ The job identifier is 13826 and the job result is failed.
Feb 28 09:53:40 examplehost.internal systemd[1]: nftables.service: Consumed 626ms CPU time over 642ms wall clock time, 107.3M memory peak.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://forum.manjaro.org/c/support
░░
░░ The unit nftables.service completed and consumed the indicated resources.

Found what this separate issue is:

After rebuilding nftables-geoip-db with a MaxMind GeoLite2 API key, the issue with the @geo_* IP sets still happened. It seems there is a regression related to adding non-mutually exclusive (e.g. overlapping) large[1] IP ranges in batches. Before, nftables would just merge the sets. Now, it refuses to add them if there’s overlap.[2] Definitely a usability regression, and probably not intentional.

This is a separate userspace nft rule loading issue. Symptom: Rules adding multiple non-mutually exclusive (overlapping) large IP address ranges to be merged into a single set fail to load with errors like:

Error: Could not process rule: File exists

This is a regression, as it was working before. The fix for this is here, but is not yet cherry-picked into Arch Linux PKGBUILD. :eyes: Watching that one, as it blocks GeoIP firewall rules[3] and other complex IP sets from working.


  1. The issue actually had to do with internal workings of nftables (e.g. large netlink messages returning EEXIST)

  2. My tests had mistakenly omitted auto-merge from the initial set creation, and used flush set rather than destroy set to cleanup/teardown. Thus, the later “re-created” set was not actually created with auto-merge properly, and led to incorrect assumptions interpreting the test results. Ignore the prior conclusions regarding overlapping sets & idempotency while adding non-mutually exclusive sets.

  3. e.g. aur/nftables-geoip-db
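A triage aid for the journal output in the post above, as an added example that is not part of the original post or of nftables: it extracts each failing line number and range, reports the spacing between failures, and checks whether the rejected ranges intersect one another. The function names are hypothetical; the sample lines are excerpted from the log in the post.

```python
import ipaddress
import re

# Four of the failures from the journal output quoted in the post above.
SAMPLE_LOG = """\
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:18415:5-55: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2602:f54e:4::-2602:f54e:10:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:19438:5-55: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2602:ff84:d::-2602:ff84:10:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:20461:5-56: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2605:6400:40::-2605:6400:40:ffff:ffff:ffff:ffff:ffff,
Feb 28 09:53:40 examplehost.internal nft[93162]: /usr/share/nft_geoip/US.ipv6:21484:5-60: Error: Could not process rule: File exists
Feb 28 09:53:40 examplehost.internal nft[93162]:     2606:2e00:cce5::-2606:2e00:cce5:ffff:ffff:ffff:ffff:ffff,
"""

ERR = re.compile(r"nft\[\d+\]: (?P<file>/\S+?):(?P<line>\d+):\d+-\d+: Error: Could not process rule: File exists$")
ELEM = re.compile(r"nft\[\d+\]:\s+(?P<lo>[0-9a-fA-F:.]+)-(?P<hi>[0-9a-fA-F:.]+),?\s*$")

def parse_failures(log):
    """Return [(file, line_no, first_addr, last_addr)], one per rejected element."""
    out, pending = [], None
    for row in log.splitlines():
        m = ERR.search(row)
        if m:
            pending = (m["file"], int(m["line"]))
            continue
        e = ELEM.search(row)
        if e and pending:  # the element line follows its error line
            out.append((*pending, ipaddress.ip_address(e["lo"]), ipaddress.ip_address(e["hi"])))
            pending = None
    return out

def strides(failures):
    """Distinct gaps between consecutive failing line numbers, per source file."""
    by_file = {}
    for f, n, _, _ in failures:
        by_file.setdefault(f, []).append(n)
    return {f: sorted({b - a for a, b in zip(ns, ns[1:])}) for f, ns in by_file.items()}

def overlapping(failures):
    """(line, line) pairs whose ranges intersect; assumes one address family."""
    rs = sorted((lo, hi, n) for _, n, lo, hi in failures)
    hits, top = [], None  # top = (highest end address seen so far, its line)
    for lo, hi, n in rs:
        if top and lo <= top[0]:
            hits.append((top[1], n))
        if top is None or hi > top[0]:
            top = (hi, n)
    return hits
```

On the quoted lines every failure is exactly 1023 lines after the previous one and none of the reported ranges intersect one another, which fits the footnote's conclusion that the errors did not come from the data in the set.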

It is now with nftables 1:1.1.6-3.

I can confirm this is fixed in extra/nftables 1:1.1.6-3 :tada: :confetti_ball: