
OPERATIONAL DEFECT DATABASE
+++ This bug was initially created as a clone of Bug #2176859 +++

When printing a ruleset containing compat expressions for which libxtables didn't provide a translation, nft used to print info about the expression after a comment ('#') marker:

    # iptables -A FORWARD -p tcp -m osf --genre linux
    # nft list ruleset
    table ip filter {
            chain FORWARD {
                    type filter hook forward priority filter; policy accept;
                    meta l4proto tcp # OS fingerprint match linux counter packets 0 bytes 0
            }
    }

This is problematic if the output is used unattended for a later ruleset restore. As seen in the example above, not just the osf match itself is lost but the following counter statement as well.

To avoid subtle ruleset breakages like this, upstream changed the way these expressions are printed:

    table ip filter {
            chain FORWARD {
                    type filter hook forward priority filter; policy accept;
                    meta l4proto tcp xt match osf counter packets 0 bytes 0
            }
    }

This seems worse, but the parser will recognize "match" and "target" keywords and print a message pointing out the details:

    # nft list ruleset | nft -f -
    # Warning: table ip filter is managed by iptables-nft, do not touch!
    /dev/stdin:4:20-33: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
                    meta l4proto tcp xt match "osf" counter packets 0 bytes 0
                                     ^^^^^^^^^^^^^^

The example also shows the non-intrusive warning emitted, which makes sense on its own because perfectly translated rulesets may be unparsable even by the version of iptables-nft which created them due to missing reverse translation capability for most translations.
The list of proposed backports is:

    c327e9331e50d Warn for tables with compat expressions in rules
    5c30feeee5cfe xt: Delay libxtables access until translation
    e432477f5c013 xt: Purify enum nft_xt_type
    79195a8cc9e9d xt: Rewrite unsupported compat expression dumping
    e41c53ca5b043 xt: Fall back to generic printing from translation
    aef5330fe7827 xt: Fix fallback printing for extensions matching keywords

Due to the high impact I propose to backport these commits until RHEL8.6.z.
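The practical risk described above is a ruleset dump that is saved and later fed back through nft -f with nobody looking at it. The following pre-restore check is an added example, not code from the bug report or from the nftables project: it scans a saved dump for lines that carry an xtables compat expression in either style, the old inline '#' comment (which silently swallows the rest of the line on restore) or the newer "xt match" / "xt target" keywords (which make nft -f fail). The sample dumps are constructed from the two listings in the bug description; the only other format assumption is that "nft -a list ruleset" appends a benign "# handle N" suffix to rule lines, which the check strips before deciding.

```python
import re

# Constructed sample (old printing style from the bug description): the
# untranslatable osf match became a '#' comment and the counter statement on
# the same line would be lost on restore.
OLD_STYLE_DUMP = """\
table ip filter {
\tchain FORWARD {
\t\ttype filter hook forward priority filter; policy accept;
\t\tmeta l4proto tcp # OS fingerprint match linux counter packets 0 bytes 0
\t}
}
"""

# Constructed sample (newer printing style): the 'xt match' keyword is kept,
# so 'nft -f' rejects the line instead of silently dropping part of it.
NEW_STYLE_DUMP = """\
table ip filter {
\tchain FORWARD {
\t\ttype filter hook forward priority filter; policy accept;
\t\tmeta l4proto tcp xt match osf counter packets 0 bytes 0
\t}
}
"""

XT_KEYWORD = re.compile(r'\bxt\s+(match|target)\b')
# 'nft -a list ruleset' appends "# handle N" to rule lines; that suffix is
# harmless on restore and must not be mistaken for a compat-expression comment.
HANDLE_SUFFIX = re.compile(r'\s#\s*handle\s+\d+\s*$')
QUOTED_STRING = re.compile(r'"[^"]*"')


def _has_inline_comment(line: str) -> bool:
    """True if a '#' follows a statement on the same line (old compat style)."""
    body = HANDLE_SUFFIX.sub('', line.rstrip())
    body = QUOTED_STRING.sub('""', body)  # ignore '#' inside quoted strings
    return ' #' in body.strip()


def find_compat_expressions(dump: str):
    """Return (lineno, kind, rule_text) for every rule line that carries an
    xtables compat expression, in either printing style."""
    findings = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        stripped = line.strip()
        # Skip blank lines and full-line comments such as nft's own
        # "# Warning: table ... is managed by iptables-nft" header.
        if not stripped or stripped.startswith('#'):
            continue
        if XT_KEYWORD.search(QUOTED_STRING.sub('""', stripped)):
            findings.append((lineno, 'xt-keyword', stripped))
        elif _has_inline_comment(line):
            findings.append((lineno, 'trailing-comment', stripped))
    return findings


def safe_to_restore(dump: str) -> bool:
    """A dump is safe to feed to 'nft -f' unattended only if it has no
    compat expressions; otherwise restore it with iptables-nft instead."""
    return not find_compat_expressions(dump)


if __name__ == '__main__':
    for name, dump in (('old style', OLD_STYLE_DUMP), ('new style', NEW_STYLE_DUMP)):
        for lineno, kind, text in find_compat_expressions(dump):
            print(f'{name}: line {lineno} [{kind}]: {text}')
```

Run it against the file produced by "nft list ruleset > backup.nft" before the backup is trusted; a non-empty result means the ruleset must be saved and restored with iptables-nft rather than with nft -f, exactly the situation the new "unsupported xtables compat expression" error is there to surface.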
Done-Errata