Bug 1945179 - iptables/arptables/ebtables/ipset: kernel: add deprecation notice on module load.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: kernel
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: 9.0
Assignee: Phil Sutter
QA Contact: yiche
URL:
Whiteboard:
Duplicates: 1945181 1945185 1945193
Depends On:
Blocks:
Reported: 2021-03-31 13:11 UTC by Eric Garver
Modified: 2022-05-17 15:41 UTC

Fixed In Version: kernel-5.14.0-21.el9
Doc Type: No Doc Update
Doc Text:
Release Note: See BZ#1945151.
Clone Of:
Environment:
Last Closed: 2022-05-17 15:38:02 UTC
Type: Bug
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Gitlab | redhat/centos-stream/src/kernel centos-stream-9 merge_requests 59 | 0 | None | None | None | 2021-10-05 15:31:48 UTC
Red Hat Product Errata | RHBA-2022:3907 | 0 | None | None | None | 2022-05-17 15:38:28 UTC

Internal Links: 2031701 2048194

Description Eric Garver 2021-03-31 13:11:20 UTC
This includes iptables-nft and iptables-legacy. For -legacy we can trigger when the iptables_<table> modules are loaded. For -nft, it may be a bit trickier because it'll have to be from the nftables code.

Don't forget ip6tables!!

Comment 1 Phil Sutter 2021-07-05 16:58:14 UTC
I'll submit a single patch doing it all at once.

The kernel messages are created upon module load. To trigger them all, call:

| arptables-legacy -vnL
| ebtables-legacy -L
| ipset create testset hash:ip
| iptables-legacy -vnL
| ip6tables-legacy -vnL
| iptables-nft -A FORWARD -m conntrack --conntrack-state NEW -j ACCEPT

Note the last one: We deprecate nft_compat.ko which is used only if
iptables-nft calls xtables extensions. Regular listing or use of e.g. IP
address matches and/or standard targets does not require it and therefore won't
trigger the warning.

Comment 2 Phil Sutter 2021-07-05 16:59:15 UTC
*** Bug 1945181 has been marked as a duplicate of this bug. ***

Comment 3 Phil Sutter 2021-07-05 16:59:24 UTC
*** Bug 1945185 has been marked as a duplicate of this bug. ***

Comment 4 Phil Sutter 2021-07-05 16:59:35 UTC
*** Bug 1945193 has been marked as a duplicate of this bug. ***

Comment 6 Phil Sutter 2021-07-09 15:01:42 UTC
Yiche, please consider this ticket for qa_ack+. Feel free to set ITM as you see fit. Thanks!

Comment 7 yiche 2021-07-12 09:32:48 UTC
Hi Phil,
Would you provide test advice about this change?

Comment 8 Phil Sutter 2021-07-12 12:22:14 UTC
(In reply to yiche from comment #7)
> Hi Phil,
> Would you provide test advice about this change?

Run each command from comment 1, make sure it causes a kernel log message upon
first invocation (and not second). No message should appear multiple times
unless a kernel module is unloaded.

Is this sufficient or do you need more data?

Thanks, Phil
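
One way to automate the check described in comment 8, added here as an example and not part of the bug report or the kernel patch. The names `PATTERN`, `notices`, `check_once` and `check_cmd` are hypothetical, and matching on "deprecat" is an assumption because the report does not quote the message text; the log is also assumed not to wrap between snapshots.

```shell
#!/bin/sh
# Added example, not from the bug report: checks the "notice on first
# invocation, not on the second" rule against kernel log snapshots.
# Assumption: a notice is any kernel log line containing "deprecat"
# (case-insensitive); the real message text is not quoted in the report.
PATTERN='deprecat'

# notices FILE: matching lines with the "[timestamp]" prefix removed.
notices() {
    grep -i -- "$PATTERN" "$1" | sed 's/^\[[^]]*\] *//'
}

# check_once BEFORE FIRST SECOND: kernel log snapshots taken before the
# command, after its first run and after its second run.
# Prints "ok" and returns 0 if the rule holds, else names the failure.
check_once() {
    n0=$(notices "$1" | wc -l)
    n1=$(notices "$2" | wc -l)
    n2=$(notices "$3" | wc -l)
    if [ "$n1" -le "$n0" ]; then echo "no-notice-on-first-run"; return 1; fi
    if [ "$n2" -ne "$n1" ]; then echo "notice-repeated-on-second-run"; return 1; fi
    # Among the lines added by the first run, no message text may repeat.
    dup=$(notices "$2" | tail -n +$((n0 + 1)) | sort | uniq -d)
    if [ -n "$dup" ]; then echo "duplicate-message"; return 1; fi
    echo "ok"
}

# check_cmd CMD...: live variant. Needs the tool under test installed and
# permission to read the kernel log with dmesg (usually root).
check_cmd() {
    tmp=$(mktemp -d) || return 1
    dmesg > "$tmp/0"
    "$@" >/dev/null 2>&1; dmesg > "$tmp/1"
    "$@" >/dev/null 2>&1; dmesg > "$tmp/2"
    check_once "$tmp/0" "$tmp/1" "$tmp/2"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Run against a real command only when one is given on the command line.
if [ "$#" -gt 0 ]; then check_cmd "$@"; fi
```

`check_cmd` runs its command twice, so the `iptables-nft -A` line from comment 1 appends its rule twice; a module that was already loaded before the first snapshot reports `no-notice-on-first-run`.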

Comment 9 yiche 2021-07-13 07:43:45 UTC
> make sure it causes a kernel log message upon
> first invocation (and not second). No message should appear multiple times
I think this is enough, thank you.

Comment 11 Phil Sutter 2021-07-23 15:18:04 UTC
Discussion ongoing, hence bumping ITM.

Comment 28 Phil Sutter 2021-10-01 16:30:40 UTC
Rebased the MR and changed its target from 9.0-beta to main.

Comment 30 Phil Sutter 2021-10-05 16:13:20 UTC
New MR, turns out I have to aim at centos-stream-9. Sorry for the inconvenience!

Yiche, could you please give the new MR's build another try?

Comment 35 Phil Sutter 2021-11-11 15:53:02 UTC
MR was missed for LNST testing, needs more time for CI.

Comment 47 Marc Muehlfeld 2022-02-17 14:09:14 UTC
The KCS article has been published: https://access.redhat.com/solutions/6739041

Comment 49 errata-xmlrpc 2022-05-17 15:38:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: kernel), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3907

