Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-5806

Actively reject untranslatable compat expressions

XMLWordPrintable

    • nftables-1.0.4-5.el8_10
    • None
    • Important
    • rhel-sst-networking-core
    • ssg_networking
    • 7
    • Dev ack
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • Requested
    • None
    • If docs needed, set a value
    • None

      +++ This bug was initially created as a clone of Bug #2176859 +++

      When printing a ruleset containing compat expressions for which libxtables
      didn't provide a translation, nft used to print info about the expression after
      a comment ('#') marker:

      # iptables -A FORWARD -p tcp -m osf --genre linux
# nft list ruleset
table ip filter {
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		meta l4proto tcp # OS fingerprint match linux counter packets 0 bytes 0
	}
}

      This is problematic if the output is used unattendedly for a later ruleset
      restore. As seen in the example above, not just the osf match itself is lost
      but the following counter statement as well.

      To avoid subtle ruleset breakages like this, upstream changed the way these
      expressions are printed:

      table ip filter {
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		meta l4proto tcp xt match osf counter packets 0 bytes 0
	}
}

      This seems worse, but the parser will recognize "match" and "target" keywords
      and print a message pointing out the details:

      # nft list ruleset | nft -f -
# Warning: table ip filter is managed by iptables-nft, do not touch!
/dev/stdin:4:20-33: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
		meta l4proto tcp xt match "osf" counter packets 0 bytes 0
		                 ^^^^^^^^^^^^^^

      The example also shows the non-intrusive warning emitted which makes sense on
      its own because perfectly translated rulesets may be unparsable even by the
      version of iptables-nft which created them due to missing reverse translation
      capability for most translations.

      The list of proposed backports is:

      c327e9331e50d Warn for tables with compat expressions in rules
5c30feeee5cfe xt: Delay libxtables access until translation
e432477f5c013 xt: Purify enum nft_xt_type
79195a8cc9e9d xt: Rewrite unsupported compat expression dumping
e41c53ca5b043 xt: Fall back to generic printing from translation
aef5330fe7827 xt: Fix fallback printing for extensions matching keywords

      Due to the high impact I propose to backport these commits until RHEL8.6.z.

              psutter@redhat.com Phil Sutter
              psutter@redhat.com Phil Sutter
              Tomas Dolezal Tomas Dolezal
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: