This includes iptables-nft and iptables-legacy. For -legacy we can trigger when the iptables_<table> modules are loaded. For -nft, it may be a bit trickier because it'll have to be from the nftables code.
Don't forget ip6tables!!
I'll submit a single patch doing it all at once.
The kernel messages are created upon module load. To trigger them all, call:
| arptables-legacy -vnL
| ebtables-legacy -L
| ipset create testset hash:ip
| iptables-legacy -vnL
| ip6tables-legacy -vnL
| iptables-nft -A FORWARD -m conntrack --ctstate NEW -j ACCEPT
Note the last one: We deprecate nft_compat.ko which is used only if
iptables-nft calls xtables extensions. Regular listing or use of e.g. IP
address matches and/or standard targets does not require it and therefore won't
trigger the warning.
*** Bug 1945181 has been marked as a duplicate of this bug. ***
*** Bug 1945185 has been marked as a duplicate of this bug. ***
*** Bug 1945193 has been marked as a duplicate of this bug. ***
Yiche, please consider this ticket for qa_ack+. Feel free to set ITM as you see fit. Thanks!
Would you provide test advice about this change?
(In reply to yiche from comment #7)
> Hi Phil,
> Would you provide test advice about this change?
Run each command from comment 1, make sure it causes a kernel log message upon
first invocation (and not second). No message should appear multiple times
unless a kernel module is unloaded.
Is this sufficient or do you need more data?
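One way to script the check described in the test advice above, as an added example that is not part of the original bug thread. The `check_once` helper and the `KLOG` variable are hypothetical names, and the sketch assumes that counting kernel log lines before and after each run is enough to detect a new message on an otherwise quiet test machine.

```shell
#!/bin/sh
# Added example (not from the bug thread): verify that a command causes a
# kernel log message on its first invocation and none on its second.
# KLOG is an assumption of this sketch: the command that prints the kernel
# log. Reading it with dmesg may require root (kernel.dmesg_restrict).
KLOG=${KLOG:-dmesg}

# Number of kernel log lines currently visible.
klog_count() { $KLOG | wc -l | tr -d ' '; }

# check_once CMD [ARGS...]
# Returns 0 only if the first run adds log lines and the second adds none.
# The modules in question must not be loaded yet, otherwise the first run
# has nothing to trigger.
check_once() {
    before=$(klog_count)
    "$@" >/dev/null 2>&1 || true   # exit status is irrelevant, e.g. a set that already exists
    first=$(klog_count)
    "$@" >/dev/null 2>&1 || true
    second=$(klog_count)

    if [ "$first" -le "$before" ]; then
        echo "FAIL (no message on first run): $*"
        return 1
    fi
    if [ "$second" -ne "$first" ]; then
        echo "FAIL (message repeated on second run): $*"
        return 1
    fi
    # Show what the first run logged so the tester can confirm it is the
    # expected notice and not unrelated kernel output.
    echo "PASS: $*"
    $KLOG | tail -n +"$((before + 1))"
}

# Usage, one call per command from comment 1, for instance:
#   check_once iptables-legacy -vnL
#   check_once ipset create testset hash:ip
```

Running the commands twice leaves state behind (a duplicate FORWARD rule, the `testset` set), so clean that up on the test machine afterwards.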
> make sure it causes a kernel log message upon
> first invocation (and not second). No message should appear multiple times
I think this is enough, thank you.
Discussion ongoing, hence bumping ITM.
Rebased the MR and changed its target from 9.0-beta to main.
New MR, turns out I have to aim at centos-stream-9. Sorry for the inconvenience!
Yiche, could you please give the new MR's build another try?
MR was missed for LNST testing, needs more time for CI.
The KCS article has been published: https://access.redhat.com/solutions/6739041
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (new packages: kernel), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.