Bug 2211076 - Rebase package to nftables-1.0.4-10.el9
Summary: Rebase package to nftables-1.0.4-10.el9
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nftables
Version: 8.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.9
Assignee: Phil Sutter
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Depends On: 2211096
Blocks: 2061942 2073243 2127774 2130600 2136814 2154439
Reported: 2023-05-30 12:50 UTC by Phil Sutter
Modified: 2023-11-14 18:15 UTC

Fixed In Version: nftables-1.0.4-2.el8
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Important: if this rebase instead contains *only bug fixes,* or *only enhancements*, select the correct option from the Doc Type drop-down list.

Rebase package(s) to version: 1.0.4

Highlights, important fixes, or notable enhancements:
- Misc Documentation fixes and enhancements
- Support for 'typeof' keyword in set and map declarations to simplify element type specification
- Fix for VLAN IDs in map targets, missing rounding truncated them
- Add "sdif" and "sdifname" meta expression keywords
- Fix for accidental byteorder conversion of host byteorder values in binop expressions
- Improved error message when adding an interval element to a set without respective flag
- Improved error messaging making use of kernel-provided offsets
- Misc memleaks and use-after-free bugs fixed
- Support for concatenated map targets, especially useful for NAT maps to contain both IP address and port
- Support for 'offload' chain flag to request hardware offloading (if driver supports it)
- Fix and extend 'nft --help' output
- Fix for ineffective port argument with masquerade statement
- Support for 'counter' in set definition, adding a counter to every element
- Support for flowtable counter
- In 'nft monitor', print also rules added after program start
- Support for intervals and prefixes of IP addresses in NAT map targets
- Add 'ct' expression 'id' key
- Support sending "frag-needed" replies from reject statement
- Support adding devices to an existing flowtable
- Support deleting devices from an existing flowtable
- Support creating a flowtable without devices
- Support for anonymous chains, to be defined from jump/goto statements
- Extended support for using variables in various spots
- Support 'get element' command with maps
- Fix for broken JSON output with 'reset' command
- Fix for cache becoming out of sync in interactive mode
- Comment support in set, map, table, object and chain declarations
- Add a hashtable for cached chains, speeds up ruleset listing with many non-base chains
- Support socket statement "wildcard" key
- Track multiple transport protocols in context, e.g. to dnat both TCP and UDP packets via 'meta l4proto { tcp, udp } dnat to 1.2.3.4:8080'
- Respect '--terse' flag with '--json'
- Fix for missing set element counters in JSON output
- Support for ingress hook chains in inet family
- Fix for missing set element properties (e.g. comment or expiry) in last element of an interval set
- Support for 'reject' statement in netdev family
- Fix for missing NAT-related flags in JSON output
- Support for combining '--echo' and '--json' with native syntax input
Clone Of:
Environment:
Last Closed: 2023-11-14 15:51:52 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-158543 | 0 | None | None | None | 2023-05-30 12:52:06 UTC
Red Hat Product Errata | RHBA-2023:7185 | 0 | None | None | None | 2023-11-14 15:52:03 UTC

Description Phil Sutter 2023-05-30 12:50:12 UTC
Current nftables-0.9.3-26.el8 is pretty far behind RHEL9 despite 83 distinct
backports applied on top. Use the chance to push RHEL8 to a newer base,
reducing maintenance burden in the future. To reduce involved risk, take what's
currently in RHEL9.

This will require a rebase of libnftnl package as well.

Comment 1 Phil Sutter 2023-05-30 20:04:35 UTC
Proposed changes here: https://gitlab.com/redhat/centos-stream/rpms/nftables/-/merge_requests/22

Comment 10 errata-xmlrpc 2023-11-14 15:51:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (nftables bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7185

