Bug 2443346

Summary: Fix crash when ops doesn't support udata
Product: [Fedora] Fedora Reporter: Phil Sutter <psutter>
Component: nftablesAssignee: Phil Sutter <psutter>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 43CC: extras-qa, kevin, psutter, scott-fedora, xzhou
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: nftables-1.1.3-6.fc43.1 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: 2443276 Environment:
Last Closed: 2026-03-01 00:53:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2443276    
Bug Blocks:    

Description Phil Sutter 2026-02-27 15:51:02 UTC 
+++ This bug was initially created as a clone of Bug #2443276 +++

Backport request for fix currently being applied to older Ubuntu releases:

Ref: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/2142552

From that bug:

[ Impact ]

 * When one uses newer & older nftables on the same host (for example from new and old containers) the old nftables can start crashing with segfaults.

 * This is very pronounced when deploying kubernetes and for example deploying istio or calico with containers that have newer nftables (newer than 1.1.1) and subsequently older nftables (on the host or another container) are used.

https://git.netfilter.org/nftables/commit/?id=be737a1986bfee0ddea4bee7863dca0123a2bcbc

Whenever a new version adds udata support to an expression, then old
versions of nft will crash when trying to list such a ruleset generated
by a more recent version of nftables.

Fix this by falling back to 'type' format.

Fixes: 6e48df5329ea ('src: add "typeof" build/parse/print support')
Signed-off-by: Florian Westphal <email address hidden>
Reviewed-by: Pablo Neira Ayuso <email address hidden>

Also see:
- https://github.com/istio/istio/issues/58492



Reproducible: Always

Steps to Reproduce:
1. Add a set using a version of nftables > 1.1.3 (eg in a container in the host network namespace
# podman run --rm -it --privileged --network host quay.io/fedora/fedora:43 /bin/bash
{container}# dnf install -y nftables
{container}# nft add table test
{container}# nft 'add set test dummy { type ipv4_addr; }'

2. Attempt to list the ruleset on the F42 host: 
# nft list ruleset


Actual Results:
Segmentation fault (core dumped)

Expected Results:
List of current ruleset

Additional Information:
Newer versions of nftables add sets/chains that have udata added, and nftables 1.1.1 on F42 currently lacks the patch to correctly handle the udata, and crashes.

The fix is linked above, but the patch is as simple as:

--- a/src/netlink.c	2024-09-26 07:17:41.004675285 -0700
+++ b/src/netlink.c	2026-02-05 11:39:31.654321471 -0800
@@ -913,7 +913,7 @@

 	etype = nftnl_udata_get_u32(ud[NFTNL_UDATA_SET_TYPEOF_EXPR]);
 	ops = expr_ops_by_type_u32(etype);
-	if (!ops)
+	if (!ops || !ops->parse_udata)
 		return NULL;

 	expr = ops->parse_udata(ud[NFTNL_UDATA_SET_TYPEOF_DATA]);
 
Without the patch, any container with a reasonably new version of nftables (including F43+) in the host namespace can lead to nftables being unavailable on the host.

NOTE: this bug probably affects F41 as well... The bug is fixed in F43, but F43+ will also trigger the problem in F42 or below in the same network namespace.
Comment 1 Fedora Update System 2026-02-27 16:14:37 UTC 
FEDORA-2026-95887e17b6 (nftables-1.1.3-6.fc43.1) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-95887e17b6
Comment 2 Scott Shambarger 2026-02-27 18:49:01 UTC 
Of course, ideally it'd be nice to patch nftables 1.1.3+ to not trigger the crash in all older versions of nftables by only adding udata when the expression requires it... but to my knowledge no such a patch exists in upstream so that may prove more involved (and wouldn't cover use of complex expressions in newer nftables anyway).

But basically, until all affected containers use a patched (or newer) nftables, F43+ will trigger crashes in those older nftables if they're in the host network namespace. I hit this bug on F43 host using nftables which had containers running kube-proxy, calico and istio in nftables mode; they are all working on patching their nftables or limiting the tables they access.
Comment 3 Fedora Update System 2026-02-28 01:54:38 UTC 
FEDORA-2026-95887e17b6 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-95887e17b6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-95887e17b6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 4 Fedora Update System 2026-03-01 00:53:19 UTC 
FEDORA-2026-95887e17b6 (nftables-1.1.3-6.fc43.1) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.