Bug | Resolution: Unresolved | Priority/Severity: Normal, Important | Fix version: rhos-17.1.z | Component: rhos-ops-day1day2-edpm | Sprints: EDPM Sprint 8, EDPM Sprint 9, EDPM Sprint 10, EDPM Sprint 11, EDPM Sprint 12
To Reproduce
Steps to reproduce the behavior:
It looks like nftables is not fully idempotent when applying a ruleset: one of our customers is affected by a problem that can be reproduced as follows:
[root@rhel-tools ~]# nft delete table ip filter
[root@rhel-tools ~]# cat iptables.nft
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
	}
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}
[root@rhel-tools ~]# nft -f iptables.nft
[root@rhel-tools ~]# nft delete table ip filter
[root@rhel-tools ~]# nft add table ip filter
[root@rhel-tools ~]# nft add chain ip filter INPUT
[root@rhel-tools ~]# nft add chain ip filter OUTPUT
[root@rhel-tools ~]# nft -f iptables.nft
iptables.nft:3:57-69: Error: Could not process rule: Operation not supported
		type filter hook input priority filter; policy accept;
		                                        ^^^^^^^^^^^^^
iptables.nft:9:58-70: Error: Could not process rule: Operation not supported
		type filter hook output priority filter; policy accept;
		                                         ^^^^^^^^^^^^^
We are working with the networking support group on this and will report back on the outcome. At the same time, a fix for RHEL 9.2 nftables may not be delivered, so we may have to work around this on the RHOSP side.
Ansible error:
2025-05-17 04:43:50,056 p=737529 u=stack n=ansible | 2025-05-17 04:43:50.055472 | 525400ef-0ce1-bd54-a021-000000001f88 | FATAL | Load empty ruleset | controller-0 | error={"changed": true, "cmd": ["nft", "-f", "/etc/nftables/iptables.nft"], "delta": "0:00:00.026530", "end": "2025-05-17 04:43:50.031347", "msg": "non-zero return code", "rc": 1, "start": "2025-05-17 04:43:50.004817", "stderr": "/etc/nftables/iptables.nft:47:57-69: Error: Could not process rule: Operation not supported\n type filter hook input priority filter; policy accept;\n ^^^^^^^^^^^^^\n/etc/nftables/iptables.nft:53:58-70: Error: Could not process rule: Operation not supported\n type filter hook output priority filter; policy accept;\n ^^^^^^^^^^^^^\n/etc/nftables/iptables.nft:61:55-67: Error: Could not process rule: Operation not supported\n type filter hook output priority raw; policy accept;\n ^^^^^^^^^^^^^", "stderr_lines": ["/etc/nftables/iptables.nft:47:57-69: Error: Could not process rule: Operation not supported", " type filter hook input priority filter; policy accept;", " ^^^^^^^^^^^^^", "/etc/nftables/iptables.nft:53:58-70: Error: Could not process rule: Operation not supported", " type filter hook output priority filter; policy accept;", " ^^^^^^^^^^^^^", "/etc/nftables/iptables.nft:61:55-67: Error: Could not process rule: Operation not supported", " type filter hook output priority raw; policy accept;", " ^^^^^^^^^^^^^"], "stdout": "", "stdout_lines": []}
Expected behavior
nftables rulesets are applied successfully regardless of the state the existing chains are in
Bug impact
Deployment may be blocked
Known workaround
Delete chains and proceed
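As an added example (not from the bug report or the RHOSP playbooks), a shell helper implementing the "delete chains and proceed" workaround: it parses the ruleset file for base chains, deletes any chain of the same name that already exists, then runs `nft -f`. It assumes the one-statement-per-line layout that `nft list ruleset` prints; the function names and the sample ruleset are made up for the example.

```shell
# Added example, not the report's or the project's code: the "delete chains and
# proceed" workaround. A chain created without a hook cannot later be redeclared
# as a base chain by `nft -f`, so chains the file declares as base chains are
# deleted first if they already exist. Assumes `nft list ruleset` layout.

# Print "<family> <table> <chain>" for each base chain (a `type ... hook ...`
# line) declared in ruleset file $1. Text parsing only; no kernel access.
list_base_chains() {
    awk '
        /^[[:space:]]*table[[:space:]]/ { family = $2; table = $3 }
        /^[[:space:]]*chain[[:space:]]/ { chain = $2 }
        /^[[:space:]]*type[[:space:]].*[[:space:]]hook[[:space:]]/ { print family, table, chain }
    ' "$1"
}

# Print the delete commands the workaround would run, for review or a dry run.
plan_chain_deletes() {
    list_base_chains "$1" | while read -r family table chain; do
        printf 'nft delete chain %s %s %s\n' "$family" "$table" "$chain"
    done
}

# Apply the workaround, then load the file. Needs root and a running nftables.
# Deleting a chain drops the rules it held, and `nft delete chain` fails for a
# chain that another chain still jumps to.
reload_ruleset() {
    list_base_chains "$1" | while read -r family table chain; do
        if nft list chain "$family" "$table" "$chain" >/dev/null 2>&1; then
            nft delete chain "$family" "$table" "$chain"
        fi
    done
    nft -f "$1"
}

# Constructed sample: the report's iptables.nft minus FORWARD, plus a regular
# (hookless) chain that must be left alone.
sample_ruleset() {
    cat <<'EOF'
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}
	chain helper {
		counter
	}
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}
EOF
}
```

Run `plan_chain_deletes /etc/nftables/iptables.nft` first to see which chains would be removed; `reload_ruleset` is the step that actually changes the kernel ruleset.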
Is depended on by: OSPRH-16597 NFS Share Stale Mount State: External Ceph Cluster Accessibility Issue (In Progress)