Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-2596

nftables counter

XMLWordPrintable

    • nftables-1.0.4-4.el8_9
    • None
    • None
    • 25
    • None
    • QE ack, Dev ack
    • False
    • Hide

      None

      Show
      None
    • Yes
    • None
    • Bug Fix
    • Hide
      Cause (the user action or circumstances that trigger the bug):

      nftables version 0.9.8 changed the ordering of expressions attched to set
      elements when listing and consequently the expected ordering when restoring a
      ruleset.

      Consequence (what the user experience is when the bug occurs):

      A dump of a ruleset containing set elements with both 'expires' and 'counter'
      values created using a version of nftables prior to 0.9.8 would not restore
      anymore due to the unexpected ordering of the two values.

      Fix (what has changed to fix the bug; do not include overly technical details):
      Result (what happens now that the patch is applied):

      nftables-1.0.4-4.el8 contains a fix to make it compatible to the old ordering
      and thus correctly accept such dumps.
      Show
      Cause (the user action or circumstances that trigger the bug): nftables version 0.9.8 changed the ordering of expressions attched to set elements when listing and consequently the expected ordering when restoring a ruleset. Consequence (what the user experience is when the bug occurs): A dump of a ruleset containing set elements with both 'expires' and 'counter' values created using a version of nftables prior to 0.9.8 would not restore anymore due to the unexpected ordering of the two values. Fix (what has changed to fix the bug; do not include overly technical details): Result (what happens now that the patch is applied): nftables-1.0.4-4.el8 contains a fix to make it compatible to the old ordering and thus correctly accept such dumps.
    • x86_64
    • None

      What were you trying to do that didn't work?

      Restoring nftables ruleset

      Please provide the package NVR for which bug is seen:

      last working version:
      nftables-0.9.3-26.el8.x86_64 (from CentOS-Stream-8-20230822.0-x86_64-dvd1.iso)

      How reproducible:
      Steps to reproduce

      • Backup my nftables ruleset 
        # nft list ruleset > myruleset.nft  (from my CentOS-Stream-8-20230822.0-x86_64-dvd1.iso installation)
      • Here is the problematic section (from myruleset.nft):
          set wan_output_ipv4_dport_log {
        type ipv4_addr . inet_proto . inet_service
        size 65535
        flags dynamic,timeout
        timeout 30d
        elements = { 2.16.40.65 . udp . 53 expires 27d15h59m19s367ms counter packets 5 bytes 403,
                 2.16.40.66 . udp . 53 expires 27d20h14m10s211ms counter packets 140 bytes 13235,
                 2.16.40.67 . udp . 53 expires 25d17h46m29s20ms counter packets 211 bytes 18795,
                 2.16.40.128 . udp . 53 expires 29d18h13m13s114ms counter packets 2502 bytes 217032,
                 2.16.40.192 . udp . 53 expires 29d17h25m54s672ms counter packets 1446 bytes 135146,
                 }
    }

    chain WAN_OUTPUT_ACCEPT {
        update @wan_output_ipv4_dport_log \{ ip daddr . ip protocol . tcp dport counter }
    }
      • Restoring the "myruleset.nft" file on any version of CentOS 8 Stream (after CentOS-Stream-8-20230822.0-x86_64-dvd1.iso) 
        # nft -f myruleset.nft

myruleset.nft:80:64-70: Error: syntax error, unexpected counter, expecting comma or '}'
        elements = { 2.16.40.65 . udp . 53 expires 27d15h59m19s367ms counter packets 5 bytes 403,
                                                                     ^^^^^^^
myruleset.nft:81:9-18: Error: syntax error, unexpected string
                 2.16.40.66 . udp . 53 expires 27d20h14m10s211ms counter packets 140 bytes 13235,
                 ^^^^^^^^^^
myruleset.nft:82:9-18: Error: syntax error, unexpected string
                 2.16.40.67 . udp . 53 expires 25d17h46m29s20ms counter packets 211 bytes 18795,
                 ^^^^^^^^^^
myruleset.nft:83:9-19: Error: syntax error, unexpected string
                 2.16.40.128 . udp . 53 expires 29d18h13m13s114ms counter packets 2502 bytes 217032,
                 ^^^^^^^^^^^

...
      • One strange observation I came across:
      • From the SET wan_output_ipv4_dport_log, if you interchange the counter and expires options, like the following, there are no errors:
          set wan_output_ipv4_dport_log {
        type ipv4_addr . inet_proto . inet_service
        size 65535
        flags dynamic,timeout
        timeout 30d
        elements = { 2.16.40.65 . udp . 53 counter packets 5 bytes 403 expires 27d15h59m19s367ms,
                 2.16.40.66 . udp . 53 counter packets 140 bytes 13235 expires 27d20h14m10s211ms,
                 2.16.40.67 . udp . 53 counter packets 211 bytes 18795 expires 25d17h46m29s20ms,
                 2.16.40.128 . udp . 53 counter packets 2502 bytes 217032 expires 29d18h13m13s114ms,
                 2.16.40.192 . udp . 53 counter packets 1446 bytes 135146 expires 29d17h25m54s672ms,
                 }
    }

       

              psutter@redhat.com Phil Sutter
              jfdesaulniers Jean-François Désaulniers (Inactive)
              Tomas Dolezal Tomas Dolezal
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: