Bug 1998903 - nft list ruleset output incorrect, resulting in a save and restore generating different rules
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nftables
Version: 34
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-08-29 21:46 UTC by Quentin Armitage
Modified: 2021-09-01 20:31 UTC (History)

Fixed In Version: nftables-0.9.8-3.fc34
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-01 20:31:36 UTC
Type: Bug



Description Quentin Armitage 2021-08-29 21:46:29 UTC
Description of problem:
icmp/icmpv6 rule elements can be omitted when listing ruleset

Version-Release number of selected component (if applicable):
nftables-0.9.8-2.fc34.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Execute the following nft commands:
nft add table ip6 test
nft add chain ip6 test testc
nft add rule ip6 test testc icmpv6 type nd-router-solicit ip6 daddr fe80::/10 drop

2. List the ruleset:
nft list ruleset


Actual results:
table ip6 test {
	chain testc {
		ip6 daddr fe80::/10 drop
	}
}


Expected results:
table ip6 test {
	chain testc {
		icmpv6 type nd-router-solicit ip6 daddr fe80::/10 drop
	}
}


Additional info:
Executing the following:
nft list ruleset >/tmp/ruleset.nft
nft flush ruleset
nft -f /tmp/ruleset.nft

results in the rule not including "icmpv6 type nd-router-solicit". This means that rulesets cannot be saved and restored (to see that the ruleset has not been restored correctly you need a working nft).

This issue is resolved in v0.9.9. nft commit 5335652 resolved the problem, and this can be applied directly to v0.9.8.
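
Because the listing itself is what goes wrong, comparing `nft list ruleset` before and after a restore cannot reveal the loss; the listing has to be checked against the rules as they were originally added. The following is an added example, not part of the original report or of nftables: the function names are hypothetical, the sample strings are taken from the commands and listings quoted above, and it assumes rules are written in the same form nft prints them.

```python
import re

# Constructed sample input: the commands and both listings quoted in the report.
COMMANDS = """\
nft add table ip6 test
nft add chain ip6 test testc
nft add rule ip6 test testc icmpv6 type nd-router-solicit ip6 daddr fe80::/10 drop
"""
LISTING_ACTUAL = "table ip6 test {\n\tchain testc {\n\t\tip6 daddr fe80::/10 drop\n\t}\n}\n"
LISTING_EXPECTED = ("table ip6 test {\n\tchain testc {\n"
                    "\t\ticmpv6 type nd-router-solicit ip6 daddr fe80::/10 drop\n\t}\n}\n")

ADD_RULE = re.compile(r"^(?:nft\s+)?add\s+rule\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def intended_rules(commands):
    """Map (family, table, chain) -> rule texts taken from 'add rule' lines."""
    rules = {}
    for line in commands.splitlines():
        m = ADD_RULE.match(line.strip())
        if m:
            family, table, chain, expr = m.groups()
            rules.setdefault((family, table, chain), []).append(" ".join(expr.split()))
    return rules

def listed_rules(listing):
    """Map (family, table, chain) -> rule lines found in 'nft list ruleset' text."""
    rules, stack = {}, []
    for raw in listing.splitlines():
        line = " ".join(raw.split())
        if line.endswith("{"):            # opens a table, chain, set, ...
            stack.append(line[:-1].split())
        elif line == "}":
            stack.pop()
        elif line and len(stack) == 2 and stack[1][0] == "chain":
            if line.startswith("type "):  # base-chain hook/policy line, not a rule
                continue
            key = (stack[0][1], stack[0][2], stack[1][1])
            rules.setdefault(key, []).append(line)
    return rules

def lost_rules(commands, listing):
    """Rules that were added but do not appear verbatim in the listing."""
    shown = listed_rules(listing)
    return [(key, rule) for key, wanted in intended_rules(commands).items()
            for rule in wanted if rule not in shown.get(key, [])]

if __name__ == "__main__":
    for key, rule in lost_rules(COMMANDS, LISTING_ACTUAL):
        print("not listed as written:", *key, "->", rule)
```

Run against a saved dump before flushing, a non-empty result means the file should not be trusted as a backup of the live ruleset.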

Comment 1 Fedora Update System 2021-08-31 16:11:59 UTC
FEDORA-2021-00d476386f has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-00d476386f

Comment 2 Fedora Update System 2021-08-31 22:53:28 UTC
FEDORA-2021-00d476386f has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-00d476386f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-00d476386f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2021-09-01 20:31:36 UTC
FEDORA-2021-00d476386f has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

