Bug 2130721

Summary: nft: netlink_delinearize.c:2695: netlink_delinearize_rule: Assertion `pctx->table != NULL' failed.
Product: Red Hat Enterprise Linux 9
Reporter: Phil Sutter <psutter>
Component: nftables
Assignee: Phil Sutter <psutter>
Status: CLOSED ERRATA
QA Contact: Jiri Peska <jpeska>
Severity: high
Docs Contact:
Priority: unspecified
Version: 9.2
CC: egarver, jmaxwell, jpeska, psutter, qe-baseos-daemons, todoleza
Target Milestone: rc
Keywords: Triaged, Upstream
Target Release: 9.1
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nftables-1.0.4-8.el9_1
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2127774
Environment:
Last Closed: 2023-02-28 08:19:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2127774
Bug Blocks:

Comment 2 Phil Sutter 2022-09-30 14:12:08 UTC
Upstream commit to backport:

commit 545edb7a8ef0a8acf991b1b7857fddc24d7b151a
Author: Phil Sutter <phil>
Date:   Wed Sep 28 23:26:42 2022 +0200

    monitor: Sanitize startup race condition
    
    During startup, 'nft monitor' first fetches the current ruleset and then
    keeps this cache up to date based on received events. This is racey, as
    any ruleset changes in between the initial fetch and the socket opening
    are not recognized.
    
    This script demonstrates the problem:
    
    | #!/bin/bash
    |
    | while true; do
    |       nft flush ruleset
    |       iptables-nft -A FORWARD
    | done &
    | maniploop=$!
    |
    | trap "kill $maniploop; kill \$!; wait" EXIT
    |
    | while true; do
    |       nft monitor rules >/dev/null &
    |       sleep 0.2
    |       kill $!
    | done
    
    If the table add event is missed, the rule add event callback fails to
    deserialize the rule and calls abort().
    
    Avoid the inconvenient program exit by returning NULL from
    netlink_delinearize_rule() instead of aborting and make callers check
    the return value.
    
    Signed-off-by: Phil Sutter <phil>
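The commit message above describes a cache-driven event monitor that aborts when a rule event refers to a table whose add event was missed in the startup race. The following is an added C example (not nftables code; all names such as table_cache, delinearize_rule and run_monitor are hypothetical) that models the same structure: a table cache filled by an initial fetch, an event stream in which the table-add event for one table never arrives, and a rule deserializer that returns NULL instead of asserting so the callback loop can skip the event and keep running.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TABLES 8
#define NAME_LEN   32

/* Hypothetical in-process cache of tables seen so far (stands in for nft's
 * ruleset cache). */
struct table_cache {
	char names[MAX_TABLES][NAME_LEN];
	int count;
};

/* Hypothetical event types standing in for netlink "new table"/"new rule"
 * messages. */
enum ev_type { EV_NEWTABLE, EV_NEWRULE };

struct event {
	enum ev_type type;
	const char *table;  /* table the object belongs to */
	const char *expr;   /* rule text, used for EV_NEWRULE only */
};

struct rule {
	const char *table;
	const char *expr;
};

struct monitor_stats {
	int rules_ok;       /* rule events resolved against a cached table */
	int rules_skipped;  /* rule events whose table was never cached */
};

static const char *cache_lookup(const struct table_cache *c, const char *name)
{
	for (int i = 0; i < c->count; i++)
		if (strcmp(c->names[i], name) == 0)
			return c->names[i];
	return NULL;
}

static int cache_add(struct table_cache *c, const char *name)
{
	if (cache_lookup(c, name))
		return 0;                      /* already present */
	if (c->count >= MAX_TABLES)
		return -1;
	snprintf(c->names[c->count], NAME_LEN, "%s", name);
	c->count++;
	return 0;
}

/* Model of the rule deserializer: before the fix a missing table tripped
 * assert(pctx->table != NULL) and the process aborted; after it, the
 * function returns NULL and the caller decides what to do. */
static struct rule *delinearize_rule(const struct table_cache *c,
				     const struct event *ev, struct rule *out)
{
	const char *table = cache_lookup(c, ev->table);

	if (table == NULL)
		return NULL;    /* table-add event was missed; cannot resolve */
	out->table = table;
	out->expr = ev->expr;
	return out;
}

/* Event callback loop: keep the cache current and tolerate rules whose
 * table was never seen, instead of exiting the monitor. */
static struct monitor_stats run_monitor(struct table_cache *c,
					const struct event *evs, int n)
{
	struct monitor_stats st = { 0, 0 };
	struct rule r;

	for (int i = 0; i < n; i++) {
		if (evs[i].type == EV_NEWTABLE) {
			cache_add(c, evs[i].table);
			continue;
		}
		if (delinearize_rule(c, &evs[i], &r) == NULL) {
			fprintf(stderr, "skipping rule for unknown table %s\n",
				evs[i].table);
			st.rules_skipped++;
			continue;
		}
		st.rules_ok++;
	}
	return st;
}

/* Constructed scenario: the initial fetch saw only "filter"; the first rule
 * for "nat" arrives before any table event for "nat" reached the socket
 * (the race from the commit message), then the cache catches up. */
struct monitor_stats demo_missed_table_add(void)
{
	struct table_cache cache = { .count = 0 };
	const struct event stream[] = {
		{ EV_NEWRULE,  "filter", "ip saddr 10.0.0.0/8 accept" },
		{ EV_NEWRULE,  "nat",    "masquerade" },          /* skipped */
		{ EV_NEWTABLE, "nat",    NULL },
		{ EV_NEWRULE,  "nat",    "oif eth0 masquerade" },  /* resolved */
	};

	cache_add(&cache, "filter");   /* result of the initial ruleset fetch */
	return run_monitor(&cache, stream, 4);
}

int main(void)
{
	struct monitor_stats st = demo_missed_table_add();

	printf("ok=%d skipped=%d\n", st.rules_ok, st.rules_skipped);
	return 0;
}
```

The skipped count is the signal a defender would log or alert on: a non-zero value means the monitor's view of the ruleset diverged from the kernel's at startup, which is exactly the condition that previously took the process down with the assertion in the bug summary.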

Comment 3 Phil Sutter 2023-01-11 14:38:32 UTC
Jiri, please ACK for RHEL9.1.z.

Comment 12 errata-xmlrpc 2023-02-28 08:19:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (nftables bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0950