RHEL-108861

nftables: Name-based flowtable hooks (with wildcard support)


    • Type: Story
    • Resolution: Unresolved
    • Priority: Normal
    • Fix Version: rhel-10.2
    • Component: nftables
    • rhel-net-firewall
    • Sprints: NST-firewall-25W32-35, NST-firewall-25W36-39, NST-firewall-25W40-43, NST-firewall-25W48-51, NST-firewall-25W52-26W3
    • Release Note Type: Feature
    • Release Note Text:
      The `nftables` framework supports name-based `netdev` hooks with wildcards::
      +
      This enhancement introduces name-based `netdev` hooks with wildcard support to the `nftables` kernel component, so that a defined rule set remains stable regardless of which interfaces are currently present. Previously, `nftables` bound to each specified interface immediately when a `flowtable` or `netdev`-family chain was added. Consequently, a transaction that referenced a non-existent interface failed, and removing an interface deleted the matching interface specification or, if no interfaces remained, the entire bound chain.
      +
      With this update, hooks for non-existent interfaces are accepted in an inactive state and bind to matching interfaces at the time they appear in the system. This dynamic registration also makes it possible to accept simple interface (suffix) wildcards, so that a `flowtable` or `netdev`-family chain binds to any interface matching the pattern, including interfaces created later. You can inspect the currently active hooks by using the `nft list hooks` command.
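The behaviour the release note describes, as an added example that is not part of the issue or of the nftables project: a POSIX shell script that emits a `netdev` ingress chain and an `inet` flowtable whose `devices` lists name an interface that need not exist when the ruleset is loaded (`eth0`, assumed) and a suffix wildcard (`"veth*"`, assumed; quoted so the `nft` parser reads the `*` literally). With the `apply` argument, run as root on a kernel and `nft` with this feature, it loads the ruleset via `nft -f -` and prints `nft list hooks`. The table, chain and flowtable names and the sample drop rule are illustrative only.

```shell
#!/bin/sh
# Added example for RHEL-108861; not code from the issue or the nftables project.
# Assumed names: interface "eth0" (need not exist when the ruleset is loaded),
# suffix wildcard "veth*", and illustrative table/chain/flowtable names.
set -e

# Emit a ruleset whose device lists name an interface that may be absent and a
# suffix wildcard.  The wildcard is quoted so nft's parser reads '*' literally.
#   $1 = exact interface name, $2 = wildcard pattern
gen_ruleset() {
    cat <<EOF
table netdev rhel108861_ingress {
    chain ingress {
        type filter hook ingress devices = { $1, "$2" } priority 0; policy accept;
        # illustrative rule: drop loopback/link-local source spoofing at ingress
        ip saddr { 127.0.0.0/8, 169.254.0.0/16 } counter drop
    }
}
table inet rhel108861_ft {
    flowtable ft {
        hook ingress priority 0; devices = { $1, "$2" };
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        meta l4proto { tcp, udp } flow add @ft
    }
}
EOF
}

# Count the device lists in the generated ruleset (one for the chain, one for
# the flowtable) so a caller can sanity-check the output before handing it to nft.
count_devices() {
    gen_ruleset "$1" "$2" | grep -c 'devices = {'
}

# Load the ruleset and show which hooks are bound right now.  Requires root and
# nft; on a kernel without name-based hooks the load fails when "$1" is absent,
# which is the pre-update behaviour the release note describes.
apply_and_show() {
    if ! command -v nft >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "nft not found or not root; not applying" >&2
        return 1
    fi
    gen_ruleset "$1" "$2" | nft -f -
    # Hooks for interfaces that do not exist yet are inactive and not listed
    # here; they appear once a matching interface is created.
    nft list hooks
}

if [ "${1:-}" = "apply" ]; then
    apply_and_show eth0 'veth*'
else
    gen_ruleset eth0 'veth*'
fi
```

To watch the dynamic binding, load the ruleset first, then create an interface matching the wildcard (for example `ip link add veth0 type veth peer name veth0p`) and run `nft list hooks` again: the chain and flowtable should now be listed for the new device without any reload of the ruleset. Because a pattern like `"veth*"` also matches every future veth created by container or VM tooling, treat wildcard hooks as a deliberate policy decision rather than a convenience, and keep the rules on them ones you are happy to apply to every such interface.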

      Goal

      • See epic.

      Acceptance criteria

      A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.

      • See epic.

              Assignee: Phil Sutter (psutter@redhat.com)
              Reporter: Phil Sutter (psutter@redhat.com)
              Also listed: Phil Sutter, Jiri Peska, Marc Muehlfeld