Bug 2060459 - cki test fail: DNAT unknown option "--to-destination"
Summary: cki test fail: DNAT unknown option "--to-destination"
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-05-31
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: iptables
Version: 8.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: 8.7
Assignee: Phil Sutter
QA Contact: Jiri Peska
URL:
Whiteboard:
Depends On: 2036873 2060408 2103988
Blocks:
Reported: 2022-03-03 14:53 UTC by Phil Sutter
Modified: 2022-11-08 12:54 UTC

Fixed In Version: iptables-1.8.4-23.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2060408
Environment:
Last Closed: 2022-11-08 10:56:09 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-114383 | 0 | None | None | None | 2022-03-03 14:56:50 UTC
Red Hat Product Errata | RHBA-2022:7796 | 0 | None | None | None | 2022-11-08 10:56:20 UTC

Comment 4 Phil Sutter 2022-05-04 10:39:14 UTC
Found a fix for the problem described in comment 2, submitted upstream:

https://lore.kernel.org/netfilter-devel/20220504103416.19712-5-phil@nwl.cc/

Feel free to turn this into QA fail to request the extra backport.

Comment 6 Phil Sutter 2022-05-11 12:41:07 UTC
Additional commit to backport:

commit 8468fd4f7c85c21ab375402bc80d0188412b6cbf
Author: Phil Sutter <phil>
Date:   Wed May 4 11:19:16 2022 +0200

    nft: Fix EPERM handling for extensions without rev 0
    
    Treating revision 0 as compatible in EPERM case works fine as long as
    there is a revision 0 of that extension defined in DSO. Fix the code for
    others: Extend the EPERM handling to all revisions and keep the existing
    warning for revision 0.
    
    Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
    Signed-off-by: Phil Sutter <phil>

Comment 8 Phil Sutter 2022-05-19 08:04:42 UTC
iptables/tests/shell/testcases/iptables/0008-unprivileged_0 should cover this.

Comment 14 Phil Sutter 2022-07-03 12:52:01 UTC
Backported following upstream commit to cover for TEE extension:

commit 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37
Author: Phil Sutter <phil>
Date:   Thu Jun 30 18:04:39 2022 +0200

    libxtables: Fix unsupported extension warning corner case
    
    Some extensions are not supported in revision 0 by user space anymore,
    for those the warning in xtables_compatible_revision() does not print as
    no revision 0 is tried.
    
    To fix this, one has to track if none of the user space supported
    revisions were accepted by the kernel. Therefore add respective logic to
    xtables_find_{target,match}().
    
    Note that this does not lead to duplicated warnings for unsupported
    extensions that have a revision 0 because xtables_compatible_revision()
    returns true for them to allow for extension's help output.
    
    For the record, these ip6tables extensions are affected: set/SET,
    socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected
    for both families.
    
    Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
    Signed-off-by: Phil Sutter <phil>
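
Added example, not part of the bug report and not iptables source: a simplified C model of the revision lookup that the commit messages in comments 6 and 14 describe. EPERM passes every revision, a rejected revision 0 warns once but still loads, and an extension without a revision 0 warns from the lookup when nothing was accepted. All function names, the probe callbacks and the revision lists are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not iptables source; all names are hypothetical. */
typedef int (*probe_fn)(const char *name, int rev); /* 0 = accepted, else errno */
static int warnings; /* number of "unsupported" warnings printed */
static void warn_unsupported(const char *name)
{
    fprintf(stderr, "Warning: extension %s not supported (#%d)\n", name, ++warnings);
}

/* Per-revision check. EPERM (unprivileged, cannot ask) passes any revision;
 * a rejected revision 0 warns but still passes so help output works. */
static int rev_compatible(probe_fn probe, const char *name, int rev)
{
    int err = probe(name, rev);
    if (err == 0 || err == EPERM)
        return 1;
    if (rev == 0)
        warn_unsupported(name);
    return rev == 0;
}

/* Lookup: highest passing revision, or -1 plus one warning if none passed. */
int find_revision(probe_fn probe, const char *name, const int *revs, size_t n)
{
    int best = -1;
    for (size_t i = 0; i < n; i++)
        if (rev_compatible(probe, name, revs[i]) && revs[i] > best)
            best = revs[i];
    if (best < 0)
        warn_unsupported(name);
    return best;
}

/* Constructed probes: unprivileged caller, and kernel lacking the module. */
static int probe_eperm(const char *n, int r) { (void)n; (void)r; return EPERM; }
static int probe_missing(const char *n, int r) { (void)n; (void)r; return ENOENT; }

int main(void)
{
    const int tee[] = { 1 }, dnat[] = { 0, 1, 2 }; /* constructed revision lists */
    int a = find_revision(probe_eperm, "TEE", tee, 1);
    int b = find_revision(probe_missing, "TEE", tee, 1);
    int c = find_revision(probe_missing, "DNAT", dnat, 3);
    printf("TEE/EPERM=%d TEE/missing=%d DNAT/missing=%d warnings=%d\n", a, b, c, warnings);
    return 0;
}
```

In this model the extension with a revision 0 produces exactly one warning (from the per-revision check), which is the no-duplicate property the second commit message notes.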

Comment 25 errata-xmlrpc 2022-11-08 10:56:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (iptables bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7796
