Bug 1930873
| Summary: | backport "json: init parser state for every new buffer/file" | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Eric Garver <egarver> |
| Component: | nftables | Assignee: | Phil Sutter <psutter> |
| Status: | CLOSED ERRATA | QA Contact: | Tomas Dolezal <todoleza> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.4 | CC: | lmiksik, psutter, snemec, todoleza |
| Target Milestone: | rc | Keywords: | Triaged, Upstream |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | nftables-0.9.3-18.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1935129 1973630 | Environment: | |
| Last Closed: | 2021-05-18 15:10:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1935129 | | |
| Attachments: | | | |

Created attachment 1758250
python reproducer

```
[root@rhel8 nftables]# python3 /tmp/reproducer.py
{'nftables': [{'flush': {'ruleset': None}}]}
{'nftables': [{'add': {'table': {'family': 'inet', 'name': 'firewalld'}}}]}
{'nftables': [{'add': {'chain': {'family': 'inet', 'table': 'firewalld', 'name': 'input'}}}]}
{'nftables': [{'add': {'rule': {'family': 'inet', 'table': 'firewalld', 'chain': 'input', 'expr': [{'accept': None}]}}}]}
{'nftables': [{'add': {'set': {'family': 'inet', 'table': 'firewalld', 'name': 'foobar', 'type': 'ipv4_addr'}}}]}
{'nftables': [{'add': {'element': {'family': 'inet', 'table': 'firewalld', 'name': 'foobar', 'elem': [{'prefix': {'addr': '1.2.3.0', 'len': 24}}]}}}]}
{'nftables': [{'delete': {'rule': {'family': 'inet', 'table': 'firewalld', 'chain': 'input', 'handle': 2}}}]}
FAIL: expected rc = 0, actual rc = -1
[root@rhel8 nftables]# make install # with upstream fix
[..]
[root@rhel8 nftables]# python3 /tmp/reproducer.py
{'nftables': [{'flush': {'ruleset': None}}]}
{'nftables': [{'add': {'table': {'family': 'inet', 'name': 'firewalld'}}}]}
{'nftables': [{'add': {'chain': {'family': 'inet', 'table': 'firewalld', 'name': 'input'}}}]}
{'nftables': [{'add': {'rule': {'family': 'inet', 'table': 'firewalld', 'chain': 'input', 'expr': [{'accept': None}]}}}]}
{'nftables': [{'add': {'set': {'family': 'inet', 'table': 'firewalld', 'name': 'foobar', 'type': 'ipv4_addr'}}}]}
{'nftables': [{'add': {'element': {'family': 'inet', 'table': 'firewalld', 'name': 'foobar', 'elem': [{'prefix': {'addr': '1.2.3.0', 'len': 24}}]}}}]}
{'nftables': [{'delete': {'rule': {'family': 'inet', 'table': 'firewalld', 'chain': 'input', 'handle': 2}}}]}
{'nftables': [{'flush': {'ruleset': None}}]}
PASS
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (nftables bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1722

Upstream commit 267338ec3923 ("json: init parser state for every new buffer/file") fixes an issue in the json parser which causes subsequent valid commands to fail if the previous batch/buffer failed. This causes lots of problems for firewalld as a correctly failing command (e.g. invalid set add entry) causes following commands to fail.