Bug 1737171

Summary: Broken nftables rules loading in kernel 5.2
Product: [Fedora] Fedora
Reporter: nucleo <alekcejk>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 30
CC: airlied, bskeggs, hdegoede, ichavero, itamar, jarodwilson, jeremy, jglisse, john.j5live, jonathan, josef, kernel-maint, labbott, linville, mchehab, mjg59, steved
Hardware: Unspecified
OS: Unspecified
Fixed In Version: kernel-5.2.7-200.fc30 kernel-5.2.7-100.fc29
Last Closed: 2019-08-11 01:13:47 UTC
Type: Bug

Description nucleo 2019-08-03 09:29:17 UTC
1. Please describe the problem:
nftables rule can be added only after manual loading of kernel module

2. What is the Version-Release number of the kernel:
kernel-5.2.5-200.fc30

3. Did it work previously in Fedora? If so, what kernel version did the issue
manual module loading not needed with kernel 5.1.20-300.fc30.x86_64

4. Can you reproduce this issue? If so, please provide the steps to reproduce
   the issue below:

Add ip nat table: "nft -f /etc/nftables/ipv4-nat.nft"
Add rule "nft add rule ip nat prerouting tcp dport 2222 counter redirect to :22"
Result with 5.2.5 kernel "Error: Could not process rule: No such file or directory", with 5.1.20 no error.
Load module "modprobe nft_redir" and try again to add rule.

Comment 1 Laura Abbott 2019-08-05 16:37:29 UTC
Does this work with the rawhide kernel? That will determine what kind of steps we need to take.

Comment 2 nucleo 2019-08-05 20:35:42 UTC
In Rawhide with kernel 5.3.0-0.rc2.git4.1.fc31.x86_64 no error when adding rule "nft add rule ip nat prerouting tcp dport 2222 counter redirect to :22".
But if I boot Rawhide with kernel 5.2.6-200.fc30.x86_64 then I get a "No such file or directory" error.

Comment 3 Laura Abbott 2019-08-06 17:13:54 UTC
Okay that means that it was fixed in rawhide and should make its way to stable eventually. The networking fixes are a bit slower for stable so if we can identify the specific fix we can bring it in sooner. If you want to do a reverse bisect (see which commit fixed the problem) that would probably be the fastest.

Comment 4 Laura Abbott 2019-08-06 19:12:20 UTC
I have a hunch the fix is https://github.com/torvalds/linux/commit/f41828ee10b36644bb2b2bfa9dd1d02f55aa0516. Please test the scratch build at https://koji.fedoraproject.org/koji/taskinfo?taskID=36836252 when it finishes.

Comment 5 nucleo 2019-08-06 23:34:36 UTC
nft_redir loading fixed with 5.2.6-200.rhbz1737171.fc30.x86_64

Comment 6 nucleo 2019-08-06 23:51:16 UTC
linux-5.2.7 still with MODULE_ALIAS_NFT_EXPR("nat");
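
Added example (not part of the bug thread and not kernel or Fedora code): a check of whether a module declares the autoload alias the kernel requests for an nft expression, which is what decides whether "redirect" works without a manual modprobe. It assumes MODULE_ALIAS_NFT_EXPR(name) yields the alias "nft-expr-<name>", that the line quoted in comment 6 is in nft_redir, and that modules.alias lines read "alias <pattern> <module>"; both sample alias tables are constructed.

```shell
#!/bin/sh
# Added example. Assumption: the kernel asks for "nft-expr-<name>" when a rule
# uses an expression whose module is not loaded, and depmod records each
# declared alias in modules.alias as: alias <pattern> <module>

# Print the modules that declare nft-expr-<expr>; alias table on stdin.
alias_owners() {
    awk -v want="nft-expr-$1" '$1 == "alias" && $2 == want { print $3 }'
}

# Print the nft-expr aliases that <module> declares; alias table on stdin.
module_aliases() {
    awk -v mod="$1" '$1 == "alias" && $3 == mod && $2 ~ /^nft-expr-/ { print $2 }'
}

# check_autoload <expr> <module> <alias-file>
# Returns 0 if <module> can be autoloaded for <expr>, 1 otherwise.
check_autoload() {
    if alias_owners "$1" < "$3" | grep -qx "$2"; then
        echo "ok: $2 is reachable via nft-expr-$1"
        return 0
    fi
    echo "broken: $2 lacks nft-expr-$1; it declares:" \
         "$(module_aliases "$2" < "$3" | tr '\n' ' ')"
    return 1
}

# Constructed sample tables (not copied from a real system).
BROKEN=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$BROKEN" "$FIXED"' EXIT
cat > "$BROKEN" <<'EOF'
alias nft-expr-nat nft_nat
alias nft-expr-nat nft_redir
alias nft-expr-masq nft_masq
EOF
cat > "$FIXED" <<'EOF'
alias nft-expr-nat nft_nat
alias nft-expr-redir nft_redir
alias nft-expr-masq nft_masq
EOF

check_autoload redir nft_redir "$BROKEN" || true
check_autoload redir nft_redir "$FIXED"  || true
# On a live host (path is the usual depmod output location):
#   check_autoload redir nft_redir "/lib/modules/$(uname -r)/modules.alias"
```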

Comment 7 Fedora Update System 2019-08-08 15:40:37 UTC
FEDORA-2019-e37c348348 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e37c348348

Comment 8 Fedora Update System 2019-08-08 15:42:18 UTC
FEDORA-2019-6bda4c81f4 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bda4c81f4

Comment 9 Fedora Update System 2019-08-09 00:52:39 UTC
kernel-5.2.7-200.fc30, kernel-headers-5.2.7-200.fc30, kernel-tools-5.2.7-200.fc30 have been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e37c348348

Comment 10 Fedora Update System 2019-08-09 01:36:08 UTC
kernel-5.2.7-100.fc29, kernel-headers-5.2.7-100.fc29, kernel-tools-5.2.7-100.fc29 have been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bda4c81f4

Comment 11 Fedora Update System 2019-08-11 01:13:47 UTC
kernel-5.2.7-200.fc30, kernel-headers-5.2.7-200.fc30, kernel-tools-5.2.7-200.fc30 have been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2019-08-11 01:42:19 UTC
kernel-5.2.7-100.fc29, kernel-headers-5.2.7-100.fc29, kernel-tools-5.2.7-100.fc29 have been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.