Bug 1984093 - ebtables doesn't recognize --atomic-* arguments
Summary: ebtables doesn't recognize --atomic-* arguments
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: iptables
Version: 8.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: beta
: ---
Assignee: Phil Sutter
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On: 2011406
Blocks:
Reported: 2021-07-20 16:27 UTC by Denis Silakov
Modified: 2022-05-10 16:28 UTC (History)

Fixed In Version: iptables-1.8.4-21.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2011406 (view as bug list)
Environment:
Last Closed: 2022-05-10 15:17:19 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:2002 0 None None None 2022-05-10 15:17:23 UTC

Description Denis Silakov 2021-07-20 16:27:04 UTC
Description of problem:
# ebtables --atomic-file /tmp/mylist --atomic-save
ebtables v1.8.4 (nf_tables): Unknown argument: '--atomic-save'

Worked like a charm in 7.x with a separate ebtables-2.0.x package. With xtables-nft-multi, even atomic-related examples from 'man ebtables' don't work.

Comment 1 Phil Sutter 2021-07-20 18:04:32 UTC
Hi,

Yes, ebtables-nft does not support the atomic commands. Restoring a dump via
ebtables-restore is atomic per table due to transactional commit in kernel. So
technically, the atomic commands are not needed.

Do you have a use-case for them or are you merely trying to keep old scripts
running?

And yes, ebtables-nft.8 should not pretend things are working when they don't.

Cheers, Phil

Comment 2 Denis Silakov 2021-07-21 07:15:09 UTC
Well, we just have legacy scripts that utilize atomic options.

Comment 3 Phil Sutter 2021-07-21 09:52:30 UTC
(In reply to Denis Silakov from comment #2)
> Well, we just have legacy scripts that utilize atomic options.

OK. Is it an option for you to adjust those scripts to just use ebtables-save
and ebtables-restore? Unless I'm mistaken, the atomic-* options are just a
cryptic alternative to those given that atomicity is inherently guaranteed by
ebtables-nft.

I'm asking because the functionality is also not present upstream and assuming
the above is correct, upstream is likely to push back. We could try to
implement the atomic-* options as internal frontends to ebtables-save and
-restore, but that means atomic-files are not compatible with legacy ebtables. So
not a perfect alternative, either.

Just in case, are you working with legacy atomic-files or can we assume they
are always created by the same ebtables variant which is using them?

Comment 4 Denis Silakov 2021-07-21 09:54:08 UTC
Thanks for the answer, we are currently investigating how these options/commands are used at our side and if we can safely avoid them.

Comment 5 Phil Sutter 2021-07-21 11:29:26 UTC
For your (and my) reference:

All commands operate per-table, i.e. '-t' parameter is respected (unlike with
ebtables-save).

--atomic-file defines the file to use - alternatively use EBTABLES_ATOMIC_FILE
environment variable.

--atomic-init stores the default set of base chains for the current table into
atomic-file.

--atomic-save stores the current table's set of chains and rules into
atomic-file (i.e. ebtables-save for a specific table).

--atomic-commit commits the content of atomic-file to kernel (i.e.
ebtables-restore).

Adding --atomic-file parameter to any command applies it to the atomic-file. A
simple (yet imperfect) way to mimic this is to just append the given command
line to the file (in ebtables-save format).
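
The option mapping from comment 5, as an added shell example that is not part of the bug thread or of the iptables project: hypothetical helper functions that emulate --atomic-init, --atomic-save, --atomic-commit and the "append to atomic-file" behaviour on top of ebtables-save and ebtables-restore. It assumes the ebtables-save text format ("*table" header, ":CHAIN POLICY" and "-A ..." lines) and the default filter/nat base chains; files written this way are not compatible with legacy atomic-files, as comment 3 notes.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of iptables.

# Print one table's section of an ebtables-save dump read from stdin.
# Assumed format: "*<table>" header, then ":CHAIN POLICY" and "-A ..." lines
# up to the next "*" header or end of input.
extract_table() {
    awk -v want="*$1" '
        /^\*/ { keep = ($0 == want) }
        keep && !/^#/ && NF { print }
    '
}

# --atomic-init: store the table's default base chains in the file.
atomic_init() {
    case "$1" in
        filter) chains="INPUT FORWARD OUTPUT" ;;
        nat)    chains="PREROUTING OUTPUT POSTROUTING" ;;
        *)      echo "unsupported table: $1" >&2; return 1 ;;
    esac
    # umask 077: a ruleset that will be loaded as root must not be
    # writable by other users (avoid shared paths such as /tmp).
    ( umask 077
      { echo "*$1"; for c in $chains; do echo ":$c ACCEPT"; done; } > "$2" )
}

# --atomic-save: dump the running ruleset and keep one table (honours -t).
atomic_save() {
    dump=$(ebtables-save) || return 1   # do not write a file from a failed dump
    ( umask 077; printf '%s\n' "$dump" | extract_table "$1" > "$2" )
}

# "<rule command> --atomic-file F": append the rule to the file, not the kernel.
# Imperfect, as comment 5 says: only append-style (-A) rules are meaningful.
atomic_append() {
    file=$1; shift
    printf '%s\n' "$*" >> "$file"
}

# --atomic-commit: load the file; the kernel commits it as one transaction.
atomic_commit() {
    ebtables-restore < "$1"
}

# Legacy:  ebtables -t filter --atomic-file F --atomic-save
# Becomes: atomic_save filter F   (and later: atomic_commit F)
```
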

Comment 6 Denis Silakov 2021-07-26 10:49:05 UTC
Well, we have finally managed to get rid of --atomic* usage.

So the only claim left here is that man pages still provide incorrect examples.

Comment 7 Phil Sutter 2021-07-26 11:33:59 UTC
(In reply to Denis Silakov from comment #6)
> Well, we have finally managed to get rid of --atomic* usage.
> 
> So the only claim left here is that man pages still provide incorrect
> examples.

Great, thanks for the update.

Comment 8 Phil Sutter 2021-07-28 15:58:13 UTC
Patch sent upstream: https://lore.kernel.org/netfilter-devel/20210728155643.31855-1-phil@nwl.cc/

Comment 9 Phil Sutter 2021-07-28 22:21:10 UTC
Upstream commit to backport:

commit 765bf04ecc228783cb88c810c85bc0c769579c39 (HEAD -> upstream, origin-rw/master)
Author: Phil Sutter <phil>
Date:   Wed Jul 28 17:53:53 2021 +0200

    doc: ebtables-nft.8: Adjust for missing atomic-options
    
    Drop any reference to them (and the environment variable) but list them
    in BUGS section hinting at ebtables-save and -restore tools.
    
    Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page")
    Signed-off-by: Phil Sutter <phil>
    Acked-by: Pablo Neira Ayuso <pablo>

Comment 11 Štěpán Němec 2021-08-24 14:04:30 UTC
I think this backport should also include the following commit which removes
--atomic-* from `ebtables --help` output as well:

commit 263186372dc4
Author: Phil Sutter <phil>
Date:   Fri Jul 30 12:25:10 2021 +0200

    ebtables: Dump atomic waste

    With ebtables-nft.8 now educating people about the missing
    functionality, get rid of atomic remains in source code. This eliminates
    mostly comments except for --atomic-commit which was treated as alias of
    --init-table. People not using the latter are probably trying to
    atomic-commit from an atomic-file which in turn is not supported, so no
    point keeping it.

    Signed-off-by: Phil Sutter <phil>

Comment 12 Phil Sutter 2021-08-31 11:26:47 UTC
(In reply to Štěpán Němec from comment #11)
> I think this backport should also include the following commit which removes
> --atomic-* from `ebtables --help` output as well:

ACK, thanks for the heads-up!

Comment 20 errata-xmlrpc 2022-05-10 15:17:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (iptables bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2002

