• nftables-1.0.4-4.el8_9
    • 25
    • None
    • QE ack, Dev ack
    • False
    • Hide

      None

      Show
      None
    • Yes
    • None
    • Bug Fix
    • Hide
      Cause (the user action or circumstances that trigger the bug):

      nftables version 0.9.8 changed the ordering of expressions attched to set
      elements when listing and consequently the expected ordering when restoring a
      ruleset.

      Consequence (what the user experience is when the bug occurs):

      A dump of a ruleset containing set elements with both 'expires' and 'counter'
      values created using a version of nftables prior to 0.9.8 would not restore
      anymore due to the unexpected ordering of the two values.

      Fix (what has changed to fix the bug; do not include overly technical details):
      Result (what happens now that the patch is applied):

      nftables-1.0.4-4.el8 contains a fix to make it compatible to the old ordering
      and thus correctly accept such dumps.
      Show
      Cause (the user action or circumstances that trigger the bug): nftables version 0.9.8 changed the ordering of expressions attched to set elements when listing and consequently the expected ordering when restoring a ruleset. Consequence (what the user experience is when the bug occurs): A dump of a ruleset containing set elements with both 'expires' and 'counter' values created using a version of nftables prior to 0.9.8 would not restore anymore due to the unexpected ordering of the two values. Fix (what has changed to fix the bug; do not include overly technical details): Result (what happens now that the patch is applied): nftables-1.0.4-4.el8 contains a fix to make it compatible to the old ordering and thus correctly accept such dumps.
    • x86_64
    • None

      What were you trying to do that didn't work?

      Restoring nftables ruleset

      Please provide the package NVR for which bug is seen:

      last working version:
      nftables-0.9.3-26.el8.x86_64 (from CentOS-Stream-8-20230822.0-x86_64-dvd1.iso)

      How reproducible:
      Steps to reproduce

      • Backup my nftables ruleset
        # nft list ruleset > myruleset.nft  (from my CentOS-Stream-8-20230822.0-x86_64-dvd1.iso installation)
        
      • Here is the problematic section (from myruleset.nft):
          set wan_output_ipv4_dport_log {
              type ipv4_addr . inet_proto . inet_service
              size 65535
              flags dynamic,timeout
              timeout 30d
              elements = { 2.16.40.65 . udp . 53 expires 27d15h59m19s367ms counter packets 5 bytes 403,
                       2.16.40.66 . udp . 53 expires 27d20h14m10s211ms counter packets 140 bytes 13235,
                       2.16.40.67 . udp . 53 expires 25d17h46m29s20ms counter packets 211 bytes 18795,
                       2.16.40.128 . udp . 53 expires 29d18h13m13s114ms counter packets 2502 bytes 217032,
                       2.16.40.192 . udp . 53 expires 29d17h25m54s672ms counter packets 1446 bytes 135146,
                       }
          }
      
          chain WAN_OUTPUT_ACCEPT {
              update @wan_output_ipv4_dport_log \{ ip daddr . ip protocol . tcp dport counter }
          }
      
      • Restoring the "myruleset.nft" file on any version of CentOS 8 Stream (after CentOS-Stream-8-20230822.0-x86_64-dvd1.iso)
        # nft -f myruleset.nft
        
        myruleset.nft:80:64-70: Error: syntax error, unexpected counter, expecting comma or '}'
                elements = { 2.16.40.65 . udp . 53 expires 27d15h59m19s367ms counter packets 5 bytes 403,
                                                                             ^^^^^^^
        myruleset.nft:81:9-18: Error: syntax error, unexpected string
                         2.16.40.66 . udp . 53 expires 27d20h14m10s211ms counter packets 140 bytes 13235,
                         ^^^^^^^^^^
        myruleset.nft:82:9-18: Error: syntax error, unexpected string
                         2.16.40.67 . udp . 53 expires 25d17h46m29s20ms counter packets 211 bytes 18795,
                         ^^^^^^^^^^
        myruleset.nft:83:9-19: Error: syntax error, unexpected string
                         2.16.40.128 . udp . 53 expires 29d18h13m13s114ms counter packets 2502 bytes 217032,
                         ^^^^^^^^^^^
        
        ...
        

      • One strange observation I came across:
      • From the SET wan_output_ipv4_dport_log, if you interchange the counter and expires options, like the following, there are no errors:
          set wan_output_ipv4_dport_log {
              type ipv4_addr . inet_proto . inet_service
              size 65535
              flags dynamic,timeout
              timeout 30d
              elements = { 2.16.40.65 . udp . 53 counter packets 5 bytes 403 expires 27d15h59m19s367ms,
                       2.16.40.66 . udp . 53 counter packets 140 bytes 13235 expires 27d20h14m10s211ms,
                       2.16.40.67 . udp . 53 counter packets 211 bytes 18795 expires 25d17h46m29s20ms,
                       2.16.40.128 . udp . 53 counter packets 2502 bytes 217032 expires 29d18h13m13s114ms,
                       2.16.40.192 . udp . 53 counter packets 1446 bytes 135146 expires 29d17h25m54s672ms,
                       }
          }
      

       

            psutter@redhat.com Phil Sutter
            jfdesaulniers Jean-François Désaulniers (Inactive)
            Tomas Dolezal Tomas Dolezal
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: