Bug 1763262
| Summary: | nftrace monitor verdict BUG: verdict expression length 2048 is too large | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Tomas Dolezal <todoleza> |
| Component: | nftables | Assignee: | Phil Sutter <psutter> |
| Status: | CLOSED ERRATA | QA Contact: | Tomas Dolezal <todoleza> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.1 | CC: | psutter, ptalbert, todoleza |
| Target Milestone: | rc | Keywords: | TestOnly |
| Target Release: | 8.2 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | nftables-0.9.2-2.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-28 16:42:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
this is fixed in rebase nftables-0.9.2-2.el8.x86_64

```
# nft monitor
trace id 79a7bfd4 inet example_table incoming_traffic packet: iif "eth0" ether saddr fa:16:3e:bf:5c:ae ether daddr fa:16:3e:df:95:bc ip saddr 10.0.138.11 ip daddr 10.0.136.212 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 5866 ip protocol tcp ip length 60 tcp sport 60142 tcp dport 25 tcp flags == syn tcp window 29200
trace id 79a7bfd4 inet example_table incoming_traffic rule tcp dport 25 meta nftrace set 1 (verdict continue)
trace id 79a7bfd4 inet example_table incoming_traffic rule ip protocol vmap { tcp : jump tcp_packets, udp : jump udp_packets } (verdict jump tcp_packets)
trace id 79a7bfd4 inet example_table tcp_packets rule counter packets 495 bytes 364476 (verdict continue)
trace id 79a7bfd4 inet example_table tcp_packets verdict continue
trace id 79a7bfd4 inet example_table incoming_traffic verdict continue
trace id 79a7bfd4 inet example_table incoming_traffic policy accept
```
Hi Tomas,

(In reply to Tomas Dolezal from comment #1)
> this is fixed in rebase nftables-0.9.2-2.el8.x86_64

Cool, thanks for clarifying! Are you able to verify this officially for RHEL-8.2.0?

Thanks, Phil

yes, this should be easy to automate

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1774
Description of problem:
nft monitor fails on ruleset with verdict map when there are nftrace-marked packets. It is not triggered when such packets are not coming.

Version-Release number of selected component (if applicable):
nftables-0.9.0-14.el8.x86_64

How reproducible:
always

Steps to Reproduce:
send a packet that gets nftrace mark and passes through vmap, in this case 25/tcp from any machine

```
table inet example_table {
    chain tcp_packets {
        counter
    }
    chain udp_packets {
        counter
    }
    chain incoming_traffic {
        type filter hook input priority 0; policy accept;
        tcp dport smtp nftrace set 1
        ip protocol vmap { tcp : jump tcp_packets, udp : jump udp_packets }
    }
}
```

Actual results:
```
trace id 1ee47dd1 inet example_table incoming_traffic packet: iif "eth0" ether saddr fa:16:3e:bf:5c:ae ether daddr fa:16:3e:df:95:bc ip saddr 10.0.138.11 ip daddr 10.0.136.212 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 38330 ip protocol tcp ip length 60 tcp sport 60138 tcp dport smtp tcp flags == syn tcp window 29200
trace id 1ee47dd1 inet example_table incoming_traffic rule tcp dport smtp nftrace set 1 (verdict continue)
trace id 1ee47dd1 inet example_table incoming_traffic rule ip protocol vmap { } (verdict BUG: verdict expression length 2048 is too large (2048 bits max)nft: datatype.c:265: verdict_jump_chain_print: Assertion `0' failed.
Aborted (core dumped)
```

Expected results:

Additional info:
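The check Tomas calls easy to automate can be done by parsing the `nft monitor` trace lines themselves. The following is an added example, not code from this bug or from the nftables project: a small Python parser that splits each trace line into trace id, family, table, chain and event kind, pulls the verdict out of `rule ... (verdict X)` lines, and flags the two failure signatures visible in this report, a verdict field that is not an nftables verdict (the `BUG: ...` assertion text) and the `Aborted (core dumped)` line. The two sample outputs are the ones quoted in this bug (broken 0.9.0-14 and fixed 0.9.2-2); the function and field names, and the list of accepted verdict keywords, are my own assumptions.

```python
"""Parse `nft monitor` trace output and flag malformed verdicts.

Added example for this bug; not code from nftables. Names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Every trace line starts with: trace id <hex> <family> <table> <chain> <rest>
_HEADER = re.compile(
    r"^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+) (?P<rest>.*)$"
)
# Verdicts nft prints legitimately (assumed list); "BUG: ..." never matches.
_VERDICT = re.compile(r"^(accept|drop|continue|return|(jump|goto) \S+|queue( .*)?)$")


@dataclass
class TraceEvent:
    trace_id: str
    family: str
    table: str
    chain: str
    kind: str                      # packet | rule | verdict | policy | abort | unknown
    detail: str = ""               # packet fields, rule text, or verdict/policy word
    verdict: Optional[str] = None  # verdict attached to rule/verdict/policy lines
    ok: bool = True                # False when the verdict text is not a valid verdict


def parse_line(line: str) -> Optional[TraceEvent]:
    """Return a TraceEvent for one nft monitor line, or None for non-trace lines."""
    line = line.rstrip("\n")
    if line.startswith("Aborted"):  # the shell reporting that nft died
        return TraceEvent("", "", "", "", "abort", line, None, False)
    m = _HEADER.match(line)
    if m is None:
        return None
    hdr = (m["id"], m["family"], m["table"], m["chain"])
    rest = m["rest"]
    if rest.startswith("packet: "):
        return TraceEvent(*hdr, "packet", rest[len("packet: "):])
    for kind in ("policy", "verdict"):
        if rest.startswith(kind + " "):
            v = rest[len(kind) + 1:]
            return TraceEvent(*hdr, kind, v, v, bool(_VERDICT.match(v)))
    if rest.startswith("rule "):
        body = rest[len("rule "):]
        idx = body.rfind(" (verdict ")
        if idx < 0:  # rule line with no verdict at all
            return TraceEvent(*hdr, "rule", body, None, False)
        rule_text = body[:idx]
        v = body[idx + len(" (verdict "):]
        if v.endswith(")"):
            v = v[:-1]  # the closing paren is absent when nft aborted mid-print
        return TraceEvent(*hdr, "rule", rule_text, v, bool(_VERDICT.match(v)))
    return TraceEvent(*hdr, "unknown", rest, None, False)


def check_trace(lines: List[str]) -> Tuple[Dict[str, List[TraceEvent]], List[Tuple[str, str]]]:
    """Group events by trace id; collect (reason, line) for every suspicious line."""
    traces: Dict[str, List[TraceEvent]] = {}
    problems: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "abort":
            problems.append(("process aborted", line))
            continue
        traces.setdefault(ev.trace_id, []).append(ev)
        if not ev.ok:
            problems.append(("malformed verdict", line))
        elif ev.kind == "rule" and "vmap { }" in ev.detail:
            problems.append(("empty map body", line))  # map printed without its elements
    return traces, problems


# Output quoted in this bug from nftables-0.9.0-14.el8 (before the fix).
BROKEN_OUTPUT = """\
trace id 1ee47dd1 inet example_table incoming_traffic packet: iif "eth0" ether saddr fa:16:3e:bf:5c:ae ether daddr fa:16:3e:df:95:bc ip saddr 10.0.138.11 ip daddr 10.0.136.212 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 38330 ip protocol tcp ip length 60 tcp sport 60138 tcp dport smtp tcp flags == syn tcp window 29200
trace id 1ee47dd1 inet example_table incoming_traffic rule tcp dport smtp nftrace set 1 (verdict continue)
trace id 1ee47dd1 inet example_table incoming_traffic rule ip protocol vmap { } (verdict BUG: verdict expression length 2048 is too large (2048 bits max)nft: datatype.c:265: verdict_jump_chain_print: Assertion `0' failed.
Aborted (core dumped)
"""

# Output quoted in this bug from nftables-0.9.2-2.el8 (after the fix).
FIXED_OUTPUT = """\
trace id 79a7bfd4 inet example_table incoming_traffic packet: iif "eth0" ether saddr fa:16:3e:bf:5c:ae ether daddr fa:16:3e:df:95:bc ip saddr 10.0.138.11 ip daddr 10.0.136.212 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 5866 ip protocol tcp ip length 60 tcp sport 60142 tcp dport 25 tcp flags == syn tcp window 29200
trace id 79a7bfd4 inet example_table incoming_traffic rule tcp dport 25 meta nftrace set 1 (verdict continue)
trace id 79a7bfd4 inet example_table incoming_traffic rule ip protocol vmap { tcp : jump tcp_packets, udp : jump udp_packets } (verdict jump tcp_packets)
trace id 79a7bfd4 inet example_table tcp_packets rule counter packets 495 bytes 364476 (verdict continue)
trace id 79a7bfd4 inet example_table tcp_packets verdict continue
trace id 79a7bfd4 inet example_table incoming_traffic verdict continue
trace id 79a7bfd4 inet example_table incoming_traffic policy accept
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_OUTPUT), ("fixed", FIXED_OUTPUT)):
        _, problems = check_trace(text.splitlines())
        print(f"{name}: {len(problems)} problem(s)")
        for reason, line in problems:
            print(f"  {reason}: {line[:80]}")
```

In a verification script, feed it the output of `nft monitor` captured while the 25/tcp packet is sent and fail the test when `check_trace` returns any problem; on the fixed package the vmap rule line carries its map elements and a `jump tcp_packets` verdict, so the problem list is empty.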