RHEL-5820

RFE: Sets with quota elements are possible from the packet path in RHEL9 but impossible from the older nft that ships with RHEL9

    • nftables-1.0.9-1.el9
    • TestOnly
    • rhel-sst-networking-core
    • ssg_networking
    • Dev ack

      Description of problem:
      Sets with quota elements are possible from the packet path in RHEL9 but impossible from the older nft that ships with RHEL9

      Version-Release number of selected component (if applicable):
      nftables-1.0.4-10.el9_1.x86_64

      How reproducible:
      Always

      Steps to Reproduce:
      1. Use nft -f to load the following

      ROOT rhel9 ~% cat /etc/sysconfig/nftables
      table ip filter {
              set outbound_quota {
                      type ipv4_addr
                      size 65535
                      flags dynamic
                      elements = { 10.0.0.44 quota over 200 mbytes }
              }
      }
      

      Actual results:

      ROOT rhel9 ~% nft -f /etc/sysconfig/nftables
      /etc/sysconfig/nftables:6:40-44: Error: syntax error, unexpected quota, expecting comma or '}'
                      elements = { 10.0.0.44 quota over 200 mbytes }
                                             ^^^^^
      

      Expected results:
      The element should load with nft $?=0

      Additional info:
      Loading the same element is possible in RHEL9 via the packet path

              chain OUTPUT {
                      type filter hook output priority filter; policy accept;
                      add @outbound_quota { ip saddr quota over 200 mbytes } drop
              }
      

      When I build and install nftables-1.0.7-1.fc39.src.rpm from Fedora rawhide, the problem goes away and the element with a quota loads successfully via nft -f.

              psutter@redhat.com Phil Sutter
              jira-bugzilla-migration RH Bugzilla Integration
              Phil Sutter Phil Sutter
              Tomas Dolezal Tomas Dolezal