Bug 2219873
| Summary: | RFE: Sets with quota elements are possible from the packet path in RHEL9 but impossible from the older nft that ships with RHEL9 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Chris Barton <progeny-ethers.0p> |
| Component: | nftables | Assignee: | Phil Sutter <psutter> |
| Status: | ASSIGNED --- | QA Contact: | qe-baseos-daemons |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.2 | CC: | todoleza |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Probably resolved by backporting the simple commit 9cb501168a623 ("parser_bison: allow to use quota in sets"). I don't see a respective patch for the JSON parser, though; maybe upstream lacks this feature entirely.
Description of problem:
Sets with quota elements are possible from the packet path in RHEL9 but impossible from the older nft that ships with RHEL9

Version-Release number of selected component (if applicable):
nftables-1.0.4-10.el9_1.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Use nft -f to load the following

```
ROOT rhel9 ~% cat /etc/sysconfig/nftables
table ip filter {
	set outbound_quota {
		type ipv4_addr
		size 65535
		flags dynamic
		elements = { 10.0.0.44 quota over 200 mbytes }
	}
}
```

Actual results:

```
ROOT rhel9 ~% nft -f /etc/sysconfig/nftables
/etc/sysconfig/nftables:6:40-44: Error: syntax error, unexpected quota, expecting comma or '}'
		elements = { 10.0.0.44 quota over 200 mbytes }
		                       ^^^^^
```

Expected results:
The element should load with nft $?=0

Additional info:
Loading the same element is possible in RHEL9 via the packet path

```
chain OUTPUT {
	type filter hook output priority filter; policy accept;
	add @outbound_quota { ip saddr quota over 200 mbytes } drop
}
```

When I build and install nftables-1.0.7-1.fc39.src.rpm from Fedora rawhide, the problem goes away and the element with a quota loads successfully via nft -f.
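As an added example (not code from this report, from nftables or from Red Hat), here is a small Python pre-flight check for hosts still running the older nft package: it scans a ruleset file for quota expressions inside static `elements = { ... }` blocks, the construct that nftables-1.0.4-10.el9_1 rejects in `nft -f` while the packet path accepts it, and reports each one in nft's own `file:line:col-col: Error:` shape. The sample rulesets are constructed here (the reporter's file re-indented with tabs, as `nft list ruleset` prints it; that indentation is an assumption), the function names are hypothetical, and the column rule is an assumption too: tabs are expanded to 8 columns, which reproduces the `6:40-44` position in the report above.

```python
"""Pre-flight check: find quota expressions inside static `elements = { ... }`
blocks of an nft ruleset, the construct nftables-1.0.4-10.el9_1 rejects with
"syntax error, unexpected quota" while the packet path accepts it.
Added example, not nftables or Red Hat code; helper names are hypothetical."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class QuotaElement:
    line: int        # 1-based line holding the element's `quota` keyword
    col_start: int   # 1-based column of `quota`, tabs expanded to 8 (assumed nft style)
    col_end: int     # 1-based column of the last character of `quota`
    element: str     # element text as written in the file, whitespace trimmed


ELEMENTS_RE = re.compile(r"\belements\s*=\s*\{")
QUOTA_RE = re.compile(r"\bquota\b")


def _blank_comments(text: str) -> str:
    """Overwrite `# ...` comments with spaces so every offset stays unchanged."""
    return re.sub(r"#[^\n]*", lambda m: " " * len(m.group()), text)


def _nft_column(prefix: str, tabsize: int = 8) -> int:
    """1-based column of the character that follows `prefix` on its line.
    Tabs advance to the next multiple of `tabsize`; with 8 this matches the
    6:40-44 position nft printed for the two-tab-indented line in the report."""
    col = 0
    for ch in prefix:
        col = col + (tabsize - col % tabsize) if ch == "\t" else col + 1
    return col + 1


def find_quota_elements(ruleset: str) -> list[QuotaElement]:
    """Return every static set element that carries a quota expression."""
    text = _blank_comments(ruleset)
    found: list[QuotaElement] = []
    for block in ELEMENTS_RE.finditer(text):
        body_start = block.end()
        # Walk to the brace that closes this elements block.
        depth, pos = 1, body_start
        while pos < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[pos], 0)
            pos += 1
        body_end = pos - 1  # index of the closing `}` (or last char if unbalanced)
        # Split the body on top-level commas; each piece is one element.
        elem_start, depth = body_start, 0
        for i in range(body_start, body_end + 1):
            ch = text[i]
            depth += {"{": 1, "}": -1}.get(ch, 0)
            if (ch == "," and depth == 0) or i == body_end:
                raw = text[elem_start:i]
                hit = QUOTA_RE.search(raw)
                if hit:
                    abs_idx = elem_start + hit.start()
                    line_start = text.rfind("\n", 0, abs_idx) + 1
                    col = _nft_column(text[line_start:abs_idx])
                    found.append(QuotaElement(
                        line=text.count("\n", 0, abs_idx) + 1,
                        col_start=col,
                        col_end=col + len("quota") - 1,
                        element=raw.strip(),
                    ))
                elem_start = i + 1
    return found


def format_report(ruleset: str, path: str = "<stdin>") -> list[str]:
    """Render findings in nft's own `path:line:col-col: Error:` shape."""
    return [
        f"{path}:{e.line}:{e.col_start}-{e.col_end}: Error: static set element "
        f"'{e.element}' uses quota; nftables-1.0.4-10.el9_1 rejects this in nft -f "
        f"(1.0.7-1.fc39 loads it), or add it from the packet path instead"
        for e in find_quota_elements(ruleset)
    ]


# Constructed sample: the reporter's /etc/sysconfig/nftables, tab-indented
# the way `nft list ruleset` prints it (indentation is an assumption).
SAMPLE_RULESET = (
    "table ip filter {\n"
    "\tset outbound_quota {\n"
    "\t\ttype ipv4_addr\n"
    "\t\tsize 65535\n"
    "\t\tflags dynamic\n"
    "\t\telements = { 10.0.0.44 quota over 200 mbytes }\n"
    "\t}\n"
    "}\n"
)

# Constructed sample: multi-line element list with a comment that mentions
# quota (must be ignored) and one real quota element on the next line.
SAMPLE_MIXED = (
    "table ip filter {\n"
    "\tset q {\n"
    "\t\ttype ipv4_addr\n"
    "\t\tflags dynamic\n"
    "\t\telements = { 10.0.0.1, # comment mentions quota, must be ignored\n"
    "\t\t" + " " * 13 + "10.0.0.2 quota over 1 mbytes }\n"
    "\t}\n"
    "}\n"
)

# Constructed sample with plain elements only: nothing to report.
SAMPLE_PLAIN = (
    "table ip t {\n\tset s {\n\t\ttype ipv4_addr\n"
    "\t\telements = { 10.0.0.1, 10.0.0.2 }\n\t}\n}\n"
)

if __name__ == "__main__":
    for msg in format_report(SAMPLE_RULESET, "/etc/sysconfig/nftables"):
        print(msg)
```

Run it over a ruleset before `nft -f` on a host that still has the older package. An element it flags can be added from the packet path with an `add @set { ... quota ... }` statement as the Additional info above shows, with the caveat that such a rule inserts whatever source address hits it rather than one pre-seeded address, so it is a different policy, not a drop-in replacement for the static element.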