RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1778883 - nft parses dash in rules as an option
Summary: nft parses dash in rules as an option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nftables
Version: 8.2
Hardware: Unspecified
OS: Linux
medium
medium
Target Milestone: rc
: 8.2
Assignee: Phil Sutter
QA Contact: Jiri Peska
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-12-02 17:55 UTC by Tomas Dolezal
Modified: 2023-06-12 10:16 UTC (History)
5 users (show)

Fixed In Version: nftables-0.9.3-6.el8
Doc Type: Bug Fix
Doc Text:
.The `nft` utility no longer interprets arguments as command-line options after the first non-option argument Previously, the `nft` utility accepted options anywhere in an `nft` command. For example, admins could use options between or after non-option arguments. As a consequence, due to the leading dash, `nft` interpreted negative priority values as options, and the command failed. The `nft` utility's command-line parser has been updated to not interpret arguments that are starting with a dash after the first non-option argument has been read. As a result, admins no longer require workarounds to pass negative priority values to `nft`. Note that due to this change, you must now pass all command-options to `nft` before the first non-option argument. Before you update, verify your nftables scripts to match this new criteria to ensure that the script works as expected after you installed this update.
Clone Of:
Environment:
Last Closed: 2020-04-28 16:42:15 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-31614 0 None None None 2023-06-12 10:16:58 UTC
Red Hat Product Errata RHEA-2020:1774 0 None None None 2020-04-28 16:42:33 UTC

Description Tomas Dolezal 2019-12-02 17:55:03 UTC
Description of problem:
putting negative priority on a commandline leads to interpretation following number as an option and thus leads to rule rejection.

In examples bellow in (1) the priority is prepended by a space, similarly to (2) and (3). in (4) the lone-standing '-' is not interpreted as well.
The (0) fails and needs to be fixed.

Version-Release number of selected component (if applicable):
nftables-0.9.2-4.el8.x86_64
nftables-0.9.0-14.el8.x86_64
nftables-0.9.1-2.fc30.x86_64 #fedora

How reproducible:
always

Steps to Reproduce:
(0) nft add chain ip nat prerouting { type nat hook prerouting priority -100 \; }
nft: invalid option -- '1'

these are accepted:
(1) nft add chain ip nat prerouting { type nat hook prerouting priority \ -100 \; }
(2) nft add chain ip nat prerouting '{ type nat hook prerouting priority -100 ; }'
(3) nft -f ruleset.nft
and even
(4) nft add chain ip nat prerouting { type nat hook prerouting priority - 100 \; }

Actual results:
nft: invalid option -- '1'

Expected results:
rule is accepted.

Additional info:

Comment 3 Phil Sutter 2019-12-04 13:16:49 UTC
Hi!

Solution is to escape the dash, just like the semi-colon (and any double quotes [or even curly braces if using zsh]). For me, there are so many things to escape for, quoting the whole nft command in ticks slowly makes it into my muscle memory. Not saying it's a good solution, but fixing for these things (Pablo even tried once) is a rather futile attempt given the unfixable cases (like semi-colon).

Speaking of documentation, an introductory paragraph about the need to escape/quote things is in order and consistent quoting/escaping in examples. I guess that should clarify any open questions.

Cheers, Phil

Comment 4 Tomas Dolezal 2019-12-04 15:05:56 UTC
(In reply to Phil Sutter from comment #3)
> Hi!
> 
> Solution is to escape the dash, just like the semi-colon (and any double
> quotes [or even curly braces if using zsh]). For me, there are so many
> things to escape for, quoting the whole nft command in ticks slowly makes it
> into my muscle memory. Not saying it's a good solution, but fixing for these
> things (Pablo even tried once) is a rather futile attempt given the
> unfixable cases (like semi-colon).
> 
> Speaking of documentation, an introductory paragraph about the need to
> escape/quote things is in order and consistent quoting/escaping in examples.
> I guess that should clarify any open questions.
> 
> Cheers, Phil

Hello Phil,
escaping the dash does not help because the issue is inside nft. As stated above, the dash wont work unless something else (like a whitespace, ref comment 0 example (1)) precedes it in the argument. In other words, standalone argument of '-100' considered an option instead of a priority number in this case.
i tested this in bash and zsh

bash:
# nft add table nat
# nft add chain nat prerouting { type nat hook prerouting priority \-100 \; }
nft: invalid option -- '1'

zsh:
# nft add chain nat prerouting \{ type nat hook prerouting priority -100 \; \}
nft: invalid option -- '1'
# nft add chain nat prerouting \{ type nat hook prerouting priority \-100 \; \}
nft: invalid option -- '1'

putting whole {} into '' of course works around the issue.

Comment 5 Phil Sutter 2019-12-04 16:21:54 UTC
Hi,

(In reply to Tomas Dolezal from comment #4)
> escaping the dash does not help because the issue is inside nft. As stated
> above, the dash wont work unless something else (like a whitespace, ref
> comment 0 example (1)) precedes it in the argument. In other words,
> standalone argument of '-100' considered an option instead of a priority
> number in this case.
> i tested this in bash and zsh

Oh, you're right, sorry. So in order to "properly" escape it you have to put double dash somewhere in front of it, like so:

| nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }

Cheers, Phil

Comment 6 Tomas Dolezal 2019-12-10 15:40:26 UTC
After discussion with Phil we agreed to update documentation of the package to say explicitly that workaround from comment 5 is needed to pass in negative priority on command line unless the priority part is quoted with at least adjacent preceding part.

Comment 9 Phil Sutter 2020-01-10 14:00:33 UTC
Upstream changed its mind, options are no longer allowed after the first non-option. This should fix for negative priority values. Commits to backport are:

commit fb9cea50e8b370b6931e7b53b1a881d3b95b1c91
Author: Pablo Neira Ayuso <pablo>
Date:   Fri Dec 13 11:32:46 2019 +0100

    main: enforce options before commands
    
    This patch turns on POSIXLY_CORRECT on the getopt parser to enforce
    options before commands. Users get a hint in such a case:
    
     # nft list ruleset -a
     Error: syntax error, options must be specified before commands
     nft list ruleset -a
        ^             ~~
    
    This patch recovers 9fc71bc6b602 ("main: Fix for misleading error with
    negative chain priority").
    
    Tests have been updated.
    
    Signed-off-by: Pablo Neira Ayuso <pablo>

commit ea5af85371bd18658ea2ffa0a6c9c48e2c64684b
Author: Pablo Neira Ayuso <pablo>
Date:   Thu Jan 9 18:16:18 2020 +0100

    main: restore --debug
    
    Broken since options are mandatory before commands.
    
    Fixes: fb9cea50e8b3 ("main: enforce options before commands")
    Signed-off-by: Pablo Neira Ayuso <pablo>

Comment 15 Phil Sutter 2020-02-05 17:21:17 UTC
Doc Text is fine with me.

Comment 18 errata-xmlrpc 2020-04-28 16:42:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1774


Note You need to log in before you can comment on or make changes to this bug.