Bug 1838355

Summary: nftables rules with dynamic flag only work from RHEL8.2
Product: Red Hat Enterprise Linux 8
Reporter: Jonathan Maxwell <jmaxwell>
Component: nftables
Assignee: Phil Sutter <psutter>
Status: CLOSED CURRENTRELEASE
QA Contact: qe-baseos-daemons
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.1
CC: mmuehlfe, todoleza
Target Milestone: rc
Target Release: 8.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-06-29 11:55:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jonathan Maxwell 2020-05-21 01:26:51 UTC
Description of problem:

The documentation as per:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/getting-started-with-nftables_securing-networks

Says:

"Add a set named blacklist to the filter table:

# nft add set ip filter blacklist { type ipv4_addr \; flags dynamic, timeout \; timeout 5m \; }"

But that fails prior to RHEL8.2:

# nft add set ip filter blacklist { type ipv4_addr \; flags dynamic, timeout \; timeout 5m \; }
Error: syntax error, unexpected string, expecting constant or interval or timeout
add set ip filter blacklist { type ipv4_addr ; flags dynamic, timeout ; timeout 5m ; }

Version-Release number of selected component (if applicable):

RHEL8.0/8.1

# uname -r
4.18.0-147.5.1.el8_1.x86_64

# rpm -qa|grep nfta
nftables-0.9.0-14.el8.x86_64

How reproducible:

Always.

Steps to Reproduce:

On RHEL8.1:

# nft add set ip filter blacklist { type ipv4_addr \; flags dynamic, timeout \; timeout 5m \; }
Error: syntax error, unexpected string, expecting constant or interval or timeout
add set ip filter blacklist { type ipv4_addr ; flags dynamic, timeout ; timeout 5m ; }

Actual results:

Customers expect the above nft command to succeed on all RHEL8 releases based on the current documentation. But the "dynamic" flag is not supported by nftables prior to version nftables-0.9.3-12.el8, which ships with RHEL8.2.

Expected results:

Add a note to section 6.15 in:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/getting-started-with-nftables_securing-networks

saying that the "dynamic" flag is only supported from RHEL8.2 onwards, or on prior RHEL8 releases if nftables is updated to nftables-0.9.3-12.el8 or greater.
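
The version gate the report implies, as an added example that is not part of the bug report, the Red Hat documentation or the nftables project: a POSIX sh helper that reads the nft version (from the `nft --version` banner or an rpm package name), refuses to emit the documented blacklist set on an nft older than 0.9.3, and otherwise prints the set as an `nft -f` script and, where nft is installed, syntax-checks it with `nft -c`. The 0.9.3 threshold is taken from the report (RHEL 8.0/8.1 ship 0.9.0-14.el8, RHEL 8.2 ships 0.9.3-12.el8); the banner string used when nft is absent is constructed sample input, and the `add table ip filter` line is assumed as the prerequisite the documented section creates before the set. Note that the script form uses a plain `;` separator; the `\;` in the report is shell escaping that only applies when the set is typed on the nft command line.

```shell
#!/bin/sh
# Added example (not from the bug report or the nftables project): decide whether the
# installed nft accepts "flags dynamic" before emitting the documented blacklist set.
# Threshold taken from the report: the keyword is rejected by the parser before
# nftables 0.9.3 (RHEL 8.0/8.1 ship 0.9.0-14.el8, RHEL 8.2 ships 0.9.3-12.el8).

# version_ge A B: exit 0 if dotted version A is >= dotted version B.
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; na = NF }
        NR == 2 { for (i = 1; i <= NF; i++) b[i] = $i + 0; nb = NF }
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                if (a[i] + 0 > b[i] + 0) exit 0
                if (a[i] + 0 < b[i] + 0) exit 1
            }
            exit 0
        }'
}

# Pull "0.9.0" out of the banner printed by `nft --version`,
# e.g. "nftables v0.9.0 (Fearless Fosdick)".
nft_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^nftables v\([0-9][0-9.]*\).*/\1/p'
}

# Pull "0.9.3" out of an rpm package name such as "nftables-0.9.3-12.el8.x86_64"
# (what `rpm -qa | grep nfta` prints in the report).
nft_version_from_rpm() {
    printf '%s\n' "$1" | sed -n 's/^nftables-\([0-9][0-9.]*\)-.*/\1/p'
}

# supports_dynamic_flag VERSION: exit 0 if that nft accepts "flags dynamic".
supports_dynamic_flag() {
    version_ge "$1" 0.9.3
}

# blacklist_ruleset VERSION: print the nft script (for `nft -f`) that creates the
# documented set, or fail with an actionable message on an nft that cannot parse it.
# The file syntax uses plain ";"; the "\;" in the report is shell escaping that only
# applies when the set is typed on the nft command line.
blacklist_ruleset() {
    if ! supports_dynamic_flag "$1"; then
        echo "nftables $1 does not accept 'flags dynamic'; upgrade to nftables-0.9.3-12.el8 or later" >&2
        return 1
    fi
    cat <<'EOF'
add table ip filter
add set ip filter blacklist { type ipv4_addr; flags dynamic, timeout; timeout 5m; }
EOF
}

# Stand-alone demo: use the installed nft when present, otherwise a constructed
# RHEL 8.1-style banner, and syntax-check the generated script with `nft -c` if possible.
main() {
    if command -v nft >/dev/null 2>&1; then
        ver=$(nft_version_from_banner "$(nft --version)")
    else
        ver=$(nft_version_from_banner 'nftables v0.9.0 (Fearless Fosdick)')   # constructed sample
    fi
    echo "detected nft version: $ver"
    if ruleset=$(blacklist_ruleset "$ver"); then
        printf '%s\n' "$ruleset"
        if command -v nft >/dev/null 2>&1; then
            # `nft -c -f FILE` parses and validates the script without applying it (needs root).
            tmp=$(mktemp)
            printf '%s\n' "$ruleset" > "$tmp"
            nft -c -f "$tmp" || echo "nft -c failed (not root, or nft too old to parse the set)" >&2
            rm -f "$tmp"
        fi
    fi
}
main
```

Run it on a RHEL 8.1 host and it stops with the upgrade message instead of producing the syntax error quoted in the report; on 8.2 it prints the two-line script that `nft -f` can load.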

Comment 4 Phil Sutter 2020-06-09 14:54:39 UTC
Marc,

Can you possibly take over here?

Thanks, Phil

Comment 6 Phil Sutter 2020-06-22 14:56:07 UTC
Jon, could you possibly have a look at the updated docs and ACK/NACK?

Comment 7 Jonathan Maxwell 2020-06-28 03:07:19 UTC
(In reply to Phil Sutter from comment #6)
> Jon, could you possibly have a look at the updated docs and ACK/NACK?

Phil, Mark, ACK that looks okay to me.

Comment 8 Phil Sutter 2020-06-29 11:55:28 UTC
(In reply to Jonathan Maxwell from comment #7)
> (In reply to Phil Sutter from comment #6)
> > Jon, could you possibly have a look at the updated docs and ACK/NACK?
> 
> Phil, Mark, ACK that looks okay to me.

Thanks for confirming, Jon.