RHEL-121194

Rebase nftables in c10s


    • Type: Story
    • Resolution: Unresolved
    • Priority: Normal
    • rhel-10.2
    • CentOS Stream 10, rhel-10.2
    • nftables
    • nftables-1.1.5-3.el10
    • Moderate
    • 2
    • rhel-net-firewall
    • Yes
    • NST-firewall-25W44-47, NST-firewall-25W48-51
    • Rebase
      Version: 1.1.5
      List of highlights:

      - Reduced memory consumption with sets and maps

      - Fixes and improvements to --optimize

      - Allow for protocol dependency on sets, e.g.

          table inet test {
             set protos {
                     typeof meta l4proto
                     elements = { tcp, udp }
             }

             chain prerouting {
                     type filter hook prerouting priority mangle; policy accept;
                     meta l4proto @protos tproxy to :1088
             }
          }

      - Set element auto-merge now skips elements with timeout/expiration.

      - Allow using queue with typeof.

          table inet t {
             map get_queue_id {
                     typeof ip saddr . ip daddr . tcp dport : queue
                     elements = { 127.0.0.1 . 127.0.0.1 . 22 : 1,
                                  127.0.0.1 . 127.0.0.2 . 22 : 2 }
             }

             chain test {
                     queue flags bypass to ip saddr . ip daddr . tcp dport map @get_queue_id
             }
          }

      - Update nft monitor to report flowtable events.

      - Allow for listing sets with:

          list sets inet foo

        for consistency with existing commands. Previous versions require the 'table'
        keyword for this to work, i.e.

          list sets table inet foo

      - Use range expression to represent a range, instead of two comparisons.

          - [ cmp gte reg 1 0x00005000 ]
          - [ cmp lte reg 1 0x00005a00 ]
          + [ range eq reg 1 0x00005000 0x00005a00 ]

      - Improve mptcp support with symbol table for subtypes:

          set s13 {
                   typeof tcp option mptcp subtype
                   elements = { mp-join, dss }
          }

          # nft describe tcp option mptcp subtype
          exthdr expression, datatype integer (mptcp option subtype) (basetype integer), 4 bits

          pre-defined symbolic constants (in decimal):
              mp-capable 0
              mp-join 1
              dss 2
              add-addr 3
              remove-addr 4
              mp-prio 5
              mp-fail 6
              mp-fastclose 7
              mp-tcprst 8

      - Support for mangling bitfield headers, e.g.

          ... ip dscp set ip dscp | 0x1

      - Print set elements with a multi-word description on a single line.
        If the set element:

          - represents a mapping
          - has a timeout
          - has a comment
          - has a counter/quota/limit
          - is a concatenation (already printed in a single line before this patch)

        i.e. if the set element requires several words, then print it on one
        single line, e.g.

          table ip x {
                set y {
                      typeof ip saddr
                      counter
                      elements = { 192.168.10.35 counter packets 0 bytes 0,
                                   192.168.10.101 counter packets 0 bytes 0,
                                   192.168.10.135 counter packets 0 bytes 0 }
                }
          }

      - Fix extended error reporting with large set elements.

      - Fix incorrect removal of meta nfproto in listings.

            ... meta nfproto ipv4 ct mark 0x00000001
            ... meta nfproto ipv6 ct protocol 6

      - Fix get command with interval sets/maps:

          # nft get element x y { 1.1.1.2 }
          table ip x {
                  map y {
                          typeof ip saddr : meta mark
                          counter
                          flags interval,timeout
                          elements = { 1.1.1.1-1.1.1.10 timeout 10m : 20 }
                  }
          }

      - Fix reset command with interval sets/maps too:

          # nft reset element inet filter intervalset { 1.2.3.4 }

      - Do not remove layer 4 protocol dependency when listing raw expressions, e.g.

          meta l4proto 91 @th,0,16 0x0 accept

      - Support for typeof in JSON.

      - Fix incorrect bytecode for vlan pcp mangling from netdev family chains
        such as ingress/egress:

           ... vlan pcp set 6 counter

      - Fix bogus element in large concatenated set ranges, leading to:

            16777216 . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890"

        instead of:

           "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890"

      - Add a 'check' fib result to check for routes:

           ... fib daddr . iif check exists
           ... fib daddr . iif check missing

        It can also be used in maps:

           ... fib daddr check vmap { missing : drop, exists : accept }

        and set statements too:

           ... meta mark set fib daddr check . ct mark map { exists . 0x00000000 : 0x0000000a, missing . 0x00000001 : 0x0000000b }

      - Better error reporting when re-declaring a set/map with a different type:

           Error: Cannot merge set with existing datamap of same name
            set z {
                ^

      - Display number of set elements in listing:

          table ip t {
             set s {
                 type ipv4_addr
                 size 65535 # count 1
                 flags dynamic
                 counter
                 elements = { 1.1.1.1 counter packets 1 bytes 11 }
             }
          }

      - Allow deleting a map via its handle:

          delete map t handle 4000

        N.B.: In previous versions this was already possible for sets; this
              fixes an inconsistency.

      - Harden the JSON parser against problems detected via fuzz testing.

      - Quote device name in basechain and flowtable declarations, e.g.

          table netdev filter2 {
                 chain Main_Ingress2 {
                        type filter hook ingress devices = { "eth0", "lo" } priority -500; policy accept;
                 }
          }

      - Fix misleading "No buffer space available" error when kernel reports
        too many errors back to userspace.
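      As an added example (not part of the ticket or of the upstream release notes), the ruleset below combines several of the 1.1.5 features from the highlights above (typeof on meta l4proto, a typeof map with queue data, the fib 'check' result, and per-element counters on a dynamic set) into one file that can be parsed against the rebased package before anything is loaded. The table, set and map names and the 192.0.2.0/24 addresses are hypothetical values chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not the ticket's or upstream nftables' own code.
# Names and addresses are constructed for illustration.

table inet rebase_check {
    # set with a layer 4 protocol dependency declared via typeof
    set tproxy_protos {
        typeof meta l4proto
        elements = { tcp, udp }
    }

    # typeof map whose data type is a queue number
    map queue_by_flow {
        typeof ip saddr . ip daddr . tcp dport : queue
        elements = { 192.0.2.10 . 192.0.2.20 . 22 : 1,
                     192.0.2.10 . 192.0.2.21 . 22 : 2 }
    }

    # dynamic set with per-element counters; 1.1.5 lists each element on
    # one line and reports "size 65535 # count N" for the set
    set watched_clients {
        typeof ip saddr
        size 65535
        flags dynamic
        counter
    }

    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        # new fib 'check' result: drop packets whose destination has no route
        fib daddr check missing counter drop
        # protocol-dependent set lookup feeding tproxy, as in the highlights
        meta l4proto @tproxy_protos tproxy to :1088
    }

    chain input {
        # policy accept so that loading the check file cannot lock a host out
        type filter hook input priority filter; policy accept;
        ct state established,related accept
        iif "lo" accept
        # track source addresses with counters in the dynamic set
        update @watched_clients { ip saddr }
        # per-flow queue number looked up through the typeof map
        queue flags bypass to ip saddr . ip daddr . tcp dport map @queue_by_flow
    }
}
```

      Run `nft -c -f rebase_check.nft` to parse and validate the file without committing it; an nft older than 1.1.5 rejects the typeof l4proto set, the queue-typed map and the fib 'check' expression at this step. After `nft -f rebase_check.nft`, `nft list sets inet rebase_check` uses the shortened listing form introduced in this version (no 'table' keyword), and `nft list set inet rebase_check watched_clients` shows the element count and one counter per line.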
    • Proposed

      There are 283 commits (of which 123 carry a Fixes: tag) between v1.1.1 (base version in c10s) and v1.1.5 (current upstream release).

      While at it, backport fixes to v1.1.5 from upstream HEAD as identified by their Fixes: tag:

      7f37f3ca55810 ("parser_bison: remove leftover utf-8 character in error")
      441ff666cb229 ("tools: gitignore nftables.service file")
      ed1b5b672b2ee ("monitor: Quote device names in chain declarations, too")
      419338d96bdb1 ("tests: monitor: Fix regex collecting expected echo output")
      083c532a2e179 ("tests: shell: skip two bitwise tests if multi-register support isn't available")
      6c04d24d16f1d ("monitor: Inform JSON printer when reporting an object delete event")
      3af59817b8d39 ("libnftables: do not re-add default include directory in include search path")
      b9516b0a4dfb6 ("doc: fix tcpdump example")
      b30ad0c25b7b4 ("src: parser_json: fix format string bugs")
      aec699af2a006 ("datatype: Fix boolean type on Big Endian")
      695ee5a8b174f ("optimize: Fix verdict expression comparison")
      4282c50e4986c ("tests: py: any/tcpopt.t.json: Fix JSON equivalent")
      1801480314bf2 ("tests: py: any/ct.t.json.output: Drop leftover entry")
      b028f8ce616bb ("tests: py: inet/osf.t: Fix element ordering in JSON equivalents")
      b39ba950325bb ("tests: shell: fix typo in vmap_timeout test script")
      31007975ccf5a ("build: don't install ancillary files without systemd service file")
      35cd3e7cff079 ("doc: don't suggest to disable GSO")
      454f361434522 ("doc: libnftables-json: Describe RULESET object")
              psutter@redhat.com Phil Sutter
              Jiri Peska
              Votes: 0
              Watchers: 7