RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1679228 - [s390x] arptables not reporting src/dst ip addresses
Summary: [s390x] arptables not reporting src/dst ip addresses
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: iptables
Version: 8.1
Hardware: s390x
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Phil Sutter
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Depends On: 1682316
Blocks: 1689408 1701002
TreeView+ depends on / blocked
 
Reported: 2019-02-20 16:17 UTC by Tomas Dolezal
Modified: 2020-11-14 15:27 UTC (History)
2 users (show)

Fixed In Version: iptables-1.8.2-10.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 22:17:45 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2019:3573 0 None None None 2019-11-05 22:17:49 UTC

Description Tomas Dolezal 2019-02-20 16:17:12 UTC 
Description of problem:
source and destination address is omited in arptables -L and arptables-save commands.
nft ruleset is identical to one produced on x86_64 so it seems to be just presentation issue (and save issue as well)

Version-Release number of selected component (if applicable):
iptables-arptables-1.8.2-8.el8.s390x
kernel-4.18.0-67.el8.s390x

How reproducible:
always

Steps to Reproduce:
[root@ibm-z-118 arptables-smoketest]# arptables -N mychain
[root@ibm-z-118 arptables-smoketest]# arptables -A mychain -s 1.2.3.4 -j ACCEPT
[root@ibm-z-118 arptables-smoketest]# arptables -A mychain -s 1.2.3.4 -d 255.255.255.255 -j ACCEPT
[root@ibm-z-118 arptables-smoketest]# arptables -A mychain -s 1.2.3.4 -d 255.255.255.255/25 -j ACCEPT
[root@ibm-z-118 arptables-smoketest]# echo $?
0
[root@ibm-z-118 arptables-smoketest]# nft list ruleset
table arp filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}

	chain mychain {
		arp htype 1 arp hlen 6 arp plen 4 @nh,112,32 16909060 counter packets 0 bytes 0 accept
		arp htype 1 arp hlen 6 arp plen 4 @nh,112,32 16909060 @nh,192,32 4294967295 counter packets 0 bytes 0 accept
		arp htype 1 arp hlen 6 arp plen 4 @nh,112,32 16909060 @nh,192,32 & 4294967168 == 4294967168 counter packets 0 bytes 0 accept
	}
}
[root@ibm-z-118 arptables-smoketest]# arptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

Chain mychain (0 references)
-j ACCEPT -i any -o any --h-length 0, pcnt=0 -- bcnt=0 
-j ACCEPT -i any -o any --h-length 0, pcnt=0 -- bcnt=0 
-j ACCEPT -i any -o any --h-length 0, pcnt=0 -- bcnt=0 

[root@ibm-z-118 arptables-smoketest]# arptables-save
*filter
:INPUT ACCEPT
:OUTPUT ACCEPT
:mychain -
-A mychain -j ACCEPT --h-length 0
-A mychain -j ACCEPT --h-length 0
-A mychain -j ACCEPT --h-length 0

Actual results:
-s IP -d IP are missing in rules

Expected results:
# arptables-save
*filter
:INPUT ACCEPT
:OUTPUT ACCEPT
:mychain -
-A mychain -j ACCEPT -s 1.2.3.4
-A mychain -j ACCEPT -s 1.2.3.4 -d 255.255.255.255
-A mychain -j ACCEPT -s 1.2.3.4 -d 255.255.255.128/25

Additional info:
Comment 1 Phil Sutter 2019-02-26 18:49:07 UTC 
Upstream commit to backport:

commit d68672a641439b72bccfcb39d50f26fe3f915c19
Author: Florian Westphal <fw>
Date:   Fri Feb 22 13:26:05 2019 +0100

    arptables-nft: fix decoding of hlen on bigendian platforms
    
    The existing test fail with:
    extensions/libarpt_standard.t: ERROR: line 2 (cannot find: arptables -I INPUT -s 192.168.0.1)
    
    ... because hlen is 0 instead of expected "6".
    The rule is correct, i.e. this is a decode/display bug: arp_hlen is
    specified as 'unsigned short' instead of uint8_t.
    
    On LSB systems, this doesn't matter but on MSB the value then is '0x600'
    instead of '0x006' which becomes 0 when assignment to the u8 header field.
    
    Signed-off-by: Florian Westphal <fw>
    Acked-by: Phil Sutter <phil>
Comment 7 errata-xmlrpc 2019-11-05 22:17:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3573
Note You need to log in before you can comment on or make changes to this bug.