Bug 1737171 - Broken nftables rules loading in kernel 5.2
Summary: Broken nftables rules loading in kernel 5.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 30
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-08-03 09:29 UTC by nucleo
Modified: 2019-08-11 01:42 UTC (History)
17 users (show)

Fixed In Version: kernel-5.2.7-200.fc30 kernel-5.2.7-100.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-11 01:13:47 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description nucleo 2019-08-03 09:29:17 UTC
1. Please describe the problem:
nftables rule can be added only after manual loading of kernel module

2. What is the Version-Release number of the kernel:
kernel-5.2.5-200.fc30

3. Did it work previously in Fedora? If so, what kernel version did the issue
manual module loading not needed with kernel 5.1.20-300.fc30.x86_64

4. Can you reproduce this issue? If so, please provide the steps to reproduce
   the issue below:

Add ip nat table: "nft -f /etc/nftables/ipv4-nat.nft"
Add rule "nft add rule ip nat prerouting tcp dport 2222 counter redirect to :22"
Result with 5.2.5 kernel "Error: Could not process rule: No such file or directory", with 5.1.20 no error.
Load module "modprobe nft_redir" and try again to add rule.

Comment 1 Laura Abbott 2019-08-05 16:37:29 UTC
Does this work with the rawhide kernel? That will determine what kind of steps we need to take.

Comment 2 nucleo 2019-08-05 20:35:42 UTC
In Rawhide with kernel 5.3.0-0.rc2.git4.1.fc31.x86_64 no error when adding rule "nft add rule ip nat prerouting tcp dport 2222 counter redirect to :22".
But if I boot Rawhide with kernel 5.2.6-200.fc30.x86_64 then then I get a "No such file or directory" error.

Comment 3 Laura Abbott 2019-08-06 17:13:54 UTC
Okay that means that it was fixed in rawhide and should make its way to stable eventually. The networking fixes are a bit slower for stable so if we can identify the specific fix we can bring it in sooner. If you want to do a reverse bisect (see which commit fixed the problem) that would probably be the fastest.

Comment 4 Laura Abbott 2019-08-06 19:12:20 UTC
I have hunch the fix is https://github.com/torvalds/linux/commit/f41828ee10b36644bb2b2bfa9dd1d02f55aa0516, please test the scratch build at https://koji.fedoraproject.org/koji/taskinfo?taskID=36836252 when it finishes

Comment 5 nucleo 2019-08-06 23:34:36 UTC
nft_redir loading fixed with 5.2.6-200.rhbz1737171.fc30.x86_64

Comment 6 nucleo 2019-08-06 23:51:16 UTC
linux-5.2.7 still with MODULE_ALIAS_NFT_EXPR("nat");

Comment 7 Fedora Update System 2019-08-08 15:40:37 UTC
FEDORA-2019-e37c348348 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e37c348348

Comment 8 Fedora Update System 2019-08-08 15:42:18 UTC
FEDORA-2019-6bda4c81f4 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bda4c81f4

Comment 9 Fedora Update System 2019-08-09 00:52:39 UTC
kernel-5.2.7-200.fc30, kernel-headers-5.2.7-200.fc30, kernel-tools-5.2.7-200.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e37c348348

Comment 10 Fedora Update System 2019-08-09 01:36:08 UTC
kernel-5.2.7-100.fc29, kernel-headers-5.2.7-100.fc29, kernel-tools-5.2.7-100.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bda4c81f4

Comment 11 Fedora Update System 2019-08-11 01:13:47 UTC
kernel-5.2.7-200.fc30, kernel-headers-5.2.7-200.fc30, kernel-tools-5.2.7-200.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2019-08-11 01:42:19 UTC
kernel-5.2.7-100.fc29, kernel-headers-5.2.7-100.fc29, kernel-tools-5.2.7-100.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.