Description of problem:
Sets with quota elements are possible from the packet path in RHEL9 but impossible from the older nft that ships with RHEL9

Version-Release number of selected component (if applicable):
nftables-1.0.4-10.el9_1.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Use nft -f to load the following

ROOT rhel9 ~% cat /etc/sysconfig/nftables
table ip filter {
        set outbound_quota {
                type ipv4_addr
                size 65535
                flags dynamic
                elements = { 10.0.0.44 quota over 200 mbytes }
        }
}

Actual results:
ROOT rhel9 ~% nft -f /etc/sysconfig/nftables
/etc/sysconfig/nftables:6:40-44: Error: syntax error, unexpected quota, expecting comma or '}'
                elements = { 10.0.0.44 quota over 200 mbytes }
                                       ^^^^^

Expected results:
The element should load with nft $?=0

Additional info:
Loading the same element is possible in RHEL9 via the packet path

chain OUTPUT {
        type filter hook output priority filter; policy accept;
        add @outbound_quota { ip saddr quota over 200 mbytes } drop
}

When I build and install nftables-1.0.7-1.fc39.src.rpm from Fedora rawhide, the problem goes away and the element with a quota loads successfully via nft -f.
Probably resolved by backporting the simple commit 9cb501168a623 ("parser_bison: allow to use quota in sets"). I don't see a respective patch for JSON parser though, maybe upstream lacks this feature entirely.