Bug 2219873 - RFE: Sets with quota elements are possible from the packet path in RHEL9 but impossible from the older nft that ships with RHEL9
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: nftables
Version: 9.2
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Phil Sutter
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-07-05 16:05 UTC by Chris Barton
Modified: 2023-07-06 11:54 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-161581 0 None None None 2023-07-05 16:06:00 UTC

Description Chris Barton 2023-07-05 16:05:15 UTC
Description of problem: 
Sets with quota elements are possible from the packet path in RHEL9 but impossible from the older nft that ships with RHEL9

Version-Release number of selected component (if applicable):
nftables-1.0.4-10.el9_1.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Use nft -f to load the following
ROOT rhel9 ~% cat /etc/sysconfig/nftables
table ip filter {
        set outbound_quota {
                type ipv4_addr
                size 65535
                flags dynamic
                elements = { 10.0.0.44 quota over 200 mbytes }
        }
}

Actual results:
ROOT rhel9 ~% nft -f /etc/sysconfig/nftables
/etc/sysconfig/nftables:6:40-44: Error: syntax error, unexpected quota, expecting comma or '}'
                elements = { 10.0.0.44 quota over 200 mbytes }
                                       ^^^^^
Expected results:
The element should load with nft $?=0

Additional info:
Loading the same element is possible in RHEL9 via the packet path
        chain OUTPUT {
                type filter hook output priority filter; policy accept;
                add @outbound_quota { ip saddr quota over 200 mbytes } drop
        }

When I build and install nftables-1.0.7-1.fc39.src.rpm from Fedora rawhide, the problem goes away and the element with a quota loads successfully via nft -f.
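
A complete ruleset that uses the packet-path form, as an added example that is not part of the reporter's files or of the nftables project; it keeps the table, set and chain names from the report above, and the `200 mbytes` figure is only the report's value carried over:

```nft
# Added example (not from the bug report): a per-source byte quota that loads
# on nftables-1.0.4, which rejects the declarative
#   elements = { 10.0.0.44 quota over 200 mbytes }
# form. The chain below populates the dynamic set from the packet path instead.
table ip filter {
        set outbound_quota {
                type ipv4_addr
                size 65535
                flags dynamic
                # no static elements: the OUTPUT chain adds them on first use
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
                # The first packet from a source address creates its element with a
                # 200 MB quota attached; later packets from the same source accrue
                # against that element, and the statement matches (so the packet is
                # dropped) once the quota has been exceeded.
                add @outbound_quota { ip saddr quota over 200 mbytes } drop
        }
}
```

Parse and dry-run the file with `nft -c -f <file>` before installing it, load it with `nft -f <file>`, and `nft list set ip filter outbound_quota` then shows the elements the chain has added together with their quota state. Note that the `size 65535` bound is the set's element limit: once it is reached, no new sources get an element, so traffic from them is no longer accounted against a quota.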

Comment 1 Phil Sutter 2023-07-06 11:54:00 UTC
Probably resolved by backporting the simple commit 9cb501168a623 ("parser_bison: allow to use quota in sets"). I don't see a respective patch for the JSON parser though; maybe upstream lacks this feature entirely.

