RHEL-65346

Rebase nftables to version 1.1.1


    • Bug
    • Resolution: Done-Errata
    • Undefined
    • rhel-10.0
    • rhel-10.0
    • nftables
    • nftables-1.1.1-3.el10
    • No
    • Moderate
    • Rebase
    • rhel-net-firewall
    • ssg_networking
    • 18
    • 3
    • False
    • False
    • Yes
    • Enhancement
      .RHEL 10 provides `nftables` version 1.1.1

      The RHEL `nftables` framework has implemented changes from upstream versions 1.1.0 and 1.1.1. This update provides multiple bug fixes and enhancements. Notable changes include:

      * Added support for multiple devices in JSON format.

      * Increased performance when listing tables.

      * Added virtual local area network (VLAN) ID match and set support, including the 802.1ad (Q-in-Q) standard.

      * Enabled zero burst in byte rate limiter.

      * Added egress support for `list hooks`.

      * Fixed listing inconsistencies in the `nft list hooks` command.

      For more details and a full list of changes, see:

      * link:https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt[1.1.0 upstream release notes]

      * link:https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.1.txt[1.1.1 upstream release notes]

    • Done

      Downstream is two releases behind. My script identifies the following fixes which should be backported on top:

      95017b8c8f10a ("tests: shell: fix spurious dump failure in vmap timeout test")
      570320ab9a075 ("libnftables-json: fix raw payload expression documentation")
      20f1c60ac8c88 ("src: collapse set element commands from parser")
      42b081df74772 ("rule: netlink attribute offset is uint32_t for struct nlerr_loc")
      68d2de3ca6c6e ("src: fix extended netlink error reporting with large set elements")
      193faa5475a5d ("json: collapse set element commands from parser")
      c1c0c54e237c8 ("tests: py: Fix for storing payload into missing file")

      Extra fixes missing a tag:

      c416416b03d80 ("tests: monitor: fix up test case breakage")

      Features worth backporting while at it:

      be4b61c05a249 ("doc: extend description of fib expression")
      bb6312484af93 ("json: Support typeof in set and map types")
      73a8adfc2432e ("monitor: Recognize flowtable add/del events")

              Phil Sutter (psutter@redhat.com)
              Jiri Peska
              Jaroslav Klech