rhel8: running sosreport creates iptables built-in tables in nftables

Solution Unverified - Updated -

Issue

When generating sosreport, these commands are executed in networking plugin:

2021-09-06 11:43:15,893 INFO: [plugin:networking] collecting output of 'ip6tables -t nat -nvL'
2021-09-06 11:43:15,908 INFO: [plugin:networking] collecting output of 'ip6tables -t mangle -nvL'
2021-09-06 11:43:15,923 INFO: [plugin:networking] collecting output of 'ip6tables -t filter -nvL'
2021-09-06 11:43:16,225 INFO: [plugin:networking] collecting output of 'iptables -vnxL'
2021-09-06 11:43:16,242 INFO: [plugin:networking] collecting output of 'ip6tables -vnxL'

The problem is that these calls create the iptables compatibility built-in tables in nft, which may not be desired. For example:

# nft list ruleset | grep table
table ip v4 {
table ip6 v6 {
table ip6 nat {
# ip6tables -t mangle -nvL > /dev/null
# nft list ruleset | grep table
table ip v4 {
table ip6 v6 {
table ip6 nat {
table ip6 mangle { // << NOTE

// the compat tables are added by iptables code:
int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
          int rulenum, unsigned int format)
{
    const struct nft_family_ops *ops = h->ops;
    struct nftnl_chain_list *list;
    struct nftnl_chain_list_iter *iter;
    struct nftnl_chain *c;
    bool found = false;

    nft_xt_builtin_init(h, table);
    nft_assert_table_compatible(h, table, chain);
...

static int nft_xt_builtin_init(struct nft_handle *h, const char *table)
{
    const struct builtin_table *t;

    /* look the requested table name up among the compat built-ins
     * (filter, nat, mangle, ...); unknown names are rejected */
    t = nft_table_builtin_find(h, table);
    if (t == NULL)
        return -1;
    /* nothing to do if this built-in table already exists in the kernel */
    if (nft_table_initialized(h, t->type))
        return 0;
    /* otherwise the table is created, then its built-in chains are
     * registered on their hooks; this happens even for read-only listing */
    if (nft_table_builtin_add(h, t) < 0)
        return -1;
    nft_chain_builtin_init(h, t);
    h->cache->table[t->type].initialized = true;
    return 0;
}

So there is no way to bypass this: iptables/ip6tables must not be called at all if the creation of the compat tables is to be avoided.

The customer monitors nftables and does not want the compat tables; they get a security alert on every sosreport run. In addition, the compat tables may have a (small) performance impact, since they attach chains to hooks and carry counters.
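The monitoring side of this issue is telling a compat built-in table apart from a table the administrator created on purpose. The following script is an added example written for this article (it is not sosreport or iptables code): it parses `nft list ruleset` output, classifies tables as iptables-nft compat built-ins or custom, and reports compat tables that appear between two snapshots. The table-name sets and the sample rulesets are assumptions modelled on the listing above, with ip6 mangle added to simulate the `ip6tables -t mangle -nvL` run.

```python
"""Detect iptables-nft compat built-in tables in `nft list ruleset` output.

Added example for the sosreport/nftables article; not part of sosreport or
iptables. Table names are an assumption: the classic iptables table names
for the ip and ip6 families, which is what nft_xt_builtin_init creates.
"""
import re

# Tables the iptables-nft compat layer creates on demand (assumed list).
COMPAT_BUILTIN_TABLES = {
    "ip": frozenset({"filter", "nat", "mangle", "raw", "security"}),
    "ip6": frozenset({"filter", "nat", "mangle", "raw", "security"}),
}

# Opening line of a top-level table block, e.g. "table ip6 mangle {".
_TABLE_LINE = re.compile(r"^table\s+(?P<family>\S+)\s+(?P<name>\S+)\s*\{")


def parse_tables(ruleset_text):
    """Return (family, name) for every top-level table, in listing order."""
    tables = []
    for line in ruleset_text.splitlines():
        m = _TABLE_LINE.match(line.strip())
        if m:
            tables.append((m.group("family"), m.group("name")))
    return tables


def is_compat_builtin(family, name):
    """True if (family, name) is a table iptables-nft would auto-create."""
    return name in COMPAT_BUILTIN_TABLES.get(family, frozenset())


def classify(tables):
    """Split a table list into (compat_builtins, custom)."""
    compat = [t for t in tables if is_compat_builtin(*t)]
    custom = [t for t in tables if not is_compat_builtin(*t)]
    return compat, custom


def new_compat_tables(before_text, after_text):
    """Compat built-in tables present in `after` but absent from `before`."""
    before = set(parse_tables(before_text))
    return [t for t in parse_tables(after_text)
            if t not in before and is_compat_builtin(*t)]


# Constructed sample output modelled on the article's listing: the ruleset
# before, and after, an `ip6tables -t mangle -nvL` run.
RULESET_BEFORE = """\
table ip v4 {
	chain input {
		type filter hook input priority 0; policy accept;
	}
}
table ip6 v6 {
}
table ip6 nat {
}
"""

RULESET_AFTER = RULESET_BEFORE + """\
table ip6 mangle {
	chain PREROUTING {
		type filter hook prerouting priority -150; policy accept;
	}
}
"""

if __name__ == "__main__":
    for fam, name in new_compat_tables(RULESET_BEFORE, RULESET_AFTER):
        print(f"ALERT: iptables compat table created: {fam} {name}")
```

In practice the two snapshots would be taken with `nft list ruleset` before and after the suspect command; note that the pre-existing `ip6 nat` table is also classified as a compat built-in, so an alert should key on tables that are new since the baseline rather than on the name alone.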

Environment

  • Red Hat Enterprise Linux 8
  • sosreport
  • nft tables
  • networking
