
Bug 2109933

Summary: Manpage change: man nft of RHEL 7 contains "nft fib expression" while the kernel support for same is added in RHEL 8.0
Product: Red Hat Enterprise Linux 7
Reporter: Sangam <sababu>
Component: nftables
Assignee: Phil Sutter <psutter>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.9
CC: egarver, psutter, todoleza
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-01-24 12:37:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sangam 2022-07-22 13:45:43 UTC
Description of problem:
Man page of nft contains "nft fib expression" while the kernel support for same is added in RHEL 8.0

Version-Release number of selected component (if applicable):
nftables version : nftables-0.8-14.el7.x86_64

Kernel : 3.10.0-1160.53.1.el7.x86_64


Actual results:
Man page contains examples for "fib expression" which is for userspace nftables, however kernel does not support it.


Expected results:
Man page should explicitly mention "support for nftables fib expression is added to kernel from 4.10 version onwards".


Additional info:
We have a customer case requesting to backport the feature to RHEL 7.9 or to make changes to man page.

It's confusing to customers, since the man page shows examples of "fib expression"; however, the kernel does not support it.

Contents from "man nft":

~~~
      Boolean specification
 
       The following expressions support a boolean comparison:
 
       ┌───────────┬──────────────────────────────────────┐
       │Expression │ Behaviour                            │
       ├───────────┼──────────────────────────────────────┤
       │fib        │ Check route existence.               │
       ├───────────┼──────────────────────────────────────┤
       │exthdr     │ Check IPv6  extension  header  exis‐ │
       │           │ tence.                               │
       ├───────────┼──────────────────────────────────────┤
       │tcp option │ Check TCP option header existence.   │
       └───────────┴──────────────────────────────────────┘
       # match if route exists
       filter input fib daddr . iif oif exists
 
       # match only non-fragmented packets in IPv6 traffic
       filter input exthdr frag missing
 
       # match if TCP timestamp option is present
       filter input tcp option timestamp exists
//
//
//
 
   FIB EXPRESSIONS
       fib {saddr | daddr | [mark | iif | oif]} {oif | oifname | type}
 
       A fib expression queries the fib (forwarding information base) to obtain information such as the  out‐
       put  interface  index a particular address would use. The input is a tuple of elements that is used as
       input to the fib lookup functions.
 
       fib expression specific types
 
       ┌────────┬────────────────────────┬──────────────────┐
       │Keyword │ Description            │ Type             │
       ├────────┼────────────────────────┼──────────────────┤
       │oif     │ Output interface index │ integer (32 bit) │
       ├────────┼────────────────────────┼──────────────────┤
       │oifname │ Output interface name  │ string           │
       ├────────┼────────────────────────┼──────────────────┤
       │type    │ Address type           │ fib_addrtype     │
       └────────┴────────────────────────┴──────────────────┘
       Using fib expressions
 
       # drop packets without a reverse path
       filter prerouting fib saddr . iif oif missing drop
 
       # drop packets to address not configured on ininterface
       filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop
 
       # perform lookup in a specific 'blackhole' table (0xdead, needs ip appropriate ip rule)
       filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop }
~~~

Error in RHEL 7:

~~~
# RHEL7 - Fresh install of RHEL7.9 minimal + nftables installed.
[root@test7 ~]# nft flush ruleset
[root@test7 ~]# nft list ruleset
[root@test7 ~]# nft add table ip raw
[root@test7 ~]# nft add chain ip raw prerouting "{ type filter hook prerouting priority -300; }"
[root@test7 ~]# nft list ruleset
table ip raw {
        chain prerouting {
                type filter hook prerouting priority -300; policy accept;
        }
}
[root@test7 ~]# nft add rule raw prerouting fib saddr . iif oif missing counter drop
Error: Could not process rule: No such file or directory
add rule raw prerouting fib saddr . iif oif missing counter drop
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@test7 ~]# nft list ruleset
table ip raw {
        chain prerouting {
                type filter hook prerouting priority -300; policy accept;
        }
}
~~~

RHEL 8 works as expected:

~~~
[root@rhel8 ~]# nft list ruleset
[root@rhel8 ~]# nft add table ip raw
[root@rhel8 ~]# nft add chain ip raw prerouting "{ type filter hook prerouting priority -300; }"
[root@rhel8 ~]# nft list ruleset
table ip raw {
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
	}
}
[root@rhel8 ~]# nft add rule raw prerouting fib saddr . iif oif missing counter drop
[root@rhel8 ~]# nft list ruleset
table ip raw {
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		fib saddr . iif oif missing counter packets 0 bytes 0 drop
	}
}
~~~

I believe that with the commit below the support was added to the kernel from RHEL 8.0:

~~~
commit 7278e396d053e92270d8120d1e4588b92715206c
Author: Florian Westphal <fwestpha>
Date:   Thu Apr 12 15:04:51 2018 -0400

    [redhat] configs: netfilter: enable nftables fib expression
    
    Message-id: <1523545494-22232-10-git-send-email-fwestpha>
    Patchwork-id: 7622
    O-Subject: [kernel team] [RHEL8 09/12] configs: netfilter: enable nftables fib expression
    Bugzilla: 1566139
    RH-Acked-by: Jiri Benc <jbenc>
    RH-Acked-by: Marcelo Ricardo Leitner <mleitner>
    
    BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1566139
    
    This is glue to perform lookups in the ipv4/ipv6 fib table and
    useful/needed to build reverse path filters, i.e. dropping a
    packet if there is no route torwards the source address.
    
    The inet and netdev versions dispatch to the ipv4 or ipv6
    expression depending on the packet type.
    
    Signed-off-by: Florian Westphal <fwestpha>
    Signed-off-by: Herton R. Krzesinski <herton>

Looks like it's from RHEL 8.0:

$ git describe --contains 7278e396d0
kernel-4.17.0-3.el8~151

$ git tag --contains 7278e396d0 | head -7
RHEL-8.0.0
RHEL-8.1.0
RHEL-8.2.0
RHEL-8.3.0
RHEL-8.4.0
RHEL-8.5.0
RHEL-8.6.0
~~~

Upstream commit from 2016:

~~~
$ git tag --contains f6d0cbcf09c506b9b022df8f9d7693a7cec3c732
v4.10
v4.10-rc1
v4.10-rc2
v4.10-rc3
v4.10-rc4
v4.10-rc5
v4.10-rc6
v4.10-rc7
v4.10-rc8
v4.11

commit f6d0cbcf09c506b9b022df8f9d7693a7cec3c732
Author: Florian Westphal <fw>
Date:   Mon Oct 24 16:56:40 2016 +0200

    netfilter: nf_tables: add fib expression
~~~
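As an added example (not from the bug report and not nftables project code), the helper below lets an administrator find out, before loading a reverse-path-filter ruleset, whether the running kernel honours the nft fib expression the man page documents. It first compares the kernel release against 4.10, the upstream version carrying commit f6d0cbcf (a first pass only, since distribution kernels backport features), then probes the live kernel the same way the reporter did, by adding a fib rule into a throwaway table, and suggests the rp_filter sysctl when the rule is rejected. The table name probe_fib_<pid>, the chain name c and the rp_filter fallback are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or the nftables project.
# Decide whether the running kernel honours the nft "fib" expression before
# loading a reverse-path-filter ruleset; otherwise fall back to rp_filter.

# Return 0 when a kernel release string (as printed by `uname -r`) is >= 4.10,
# the first upstream version carrying the fib expression (commit f6d0cbcf).
# Distribution kernels backport features, so this is only a first pass;
# probe_fib_support below is the authoritative check.
kernel_at_least_4_10() {
    major=${1%%.*}                 # "3.10.0-1160.53.1.el7.x86_64" -> "3"
    rest=${1#*.}                   # -> "10.0-1160.53.1.el7.x86_64"
    minor=${rest%%.*}              # -> "10"
    minor=${minor%%[!0-9]*}        # drop any suffix after the digits
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 10 ]; }
}

# Probe the live kernel the way the reporter did: add a fib rule into a
# throwaway table (assumed name: probe_fib_<pid>, chain "c") and remove it.
# Prints "supported", "unsupported" or "no-nft" (nft missing or not permitted).
probe_fib_support() {
    command -v nft >/dev/null 2>&1 || { echo no-nft; return 2; }
    tbl="probe_fib_$$"
    nft add table ip "$tbl" 2>/dev/null || { echo no-nft; return 2; }
    nft add chain ip "$tbl" c "{ type filter hook prerouting priority -300; }" 2>/dev/null
    if nft add rule ip "$tbl" c fib saddr . iif oif missing counter drop 2>/dev/null; then
        nft delete table ip "$tbl" 2>/dev/null
        echo supported
        return 0
    fi
    nft delete table ip "$tbl" 2>/dev/null
    echo unsupported
    return 1
}

# Pick the reverse-path-filter mechanism for this host.
main() {
    release=$(uname -r)
    if kernel_at_least_4_10 "$release"; then
        echo "kernel $release: fib expression present upstream since 4.10"
    else
        echo "kernel $release predates 4.10; fib support depends on backports"
    fi
    case "$(probe_fib_support)" in
        supported)   echo "use: nft add rule ip raw prerouting fib saddr . iif oif missing drop" ;;
        unsupported) echo "fallback: sysctl -w net.ipv4.conf.all.rp_filter=1" ;;
        *)           echo "nft unavailable or not permitted; cannot probe" ;;
    esac
}

main
```

Run it as root on the host in question; on the RHEL 7.9 kernel from the report the version check already flags 3.10 as pre-4.10, and the probe reproduces the "No such file or directory" rejection without leaving the throwaway table behind.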

Comment 5 Phil Sutter 2022-08-09 15:14:41 UTC
We didn't adjust nft.8 to RHEL-realities at all yet so there are certainly
other unsupported features in there, too.

Merely dropping this single feature seems like an excuse "to have done
something about the problem" to me.

On the other hand this is about RHEL7 which we don't want to touch if not
absolutely necessary. And if we do, RHEL9 and 8 need (at least) the same
changes first to avoid a regression.

Comment 9 Phil Sutter 2023-01-24 12:37:23 UTC
Closing as per comment 5. Adjusting man page content to kernel features is planned for RHEL9 and 8. The effort required is too large to feasibly sell as "bug fix" for RHEL7.