FS#77357 - [iptables-nft] v1.8.9-1 Error: meta sreg key not supported

Attached to Project: Arch Linux
Opened by Philipp Richter (popsUlfr) - Thursday, 02 February 2023, 10:35 GMT
Last edited by Toolybird (Toolybird) - Thursday, 13 April 2023, 08:04 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
iptables spits out an error after upgrading to iptables-nft v1.8.9-1

# iptables -nvL
Error: meta sreg key not supported
iptables v1.8.9 (nf_tables): Parsing nftables rule failed
Perhaps iptables or your kernel needs to be upgraded.

Downgrading to 1:1.8.8-3 fixes the issue.

I noticed this when my libvirtd default network refused to start

libvirtd[15463]: internal error: Failed to apply firewall rules /usr/bin/ip6tables -w --table filter --list-rules: Error: meta sreg key not supported
ip6tables v1.8.9 (nf_tables): Parsing nftables rule failed
Perhaps ip6tables or your kernel needs to be upgraded.


Additional info:
* iptables-nft 1:1.8.9-1

Steps to reproduce:
* Install iptables-nft 1:1.8.9-1
* Run 'iptables -nvL'

Closed by Toolybird (Toolybird)
Thursday, 13 April 2023, 08:04 GMT
Reason for closing:  Upstream
Comment by Philipp Richter (popsUlfr) - Thursday, 02 February 2023, 10:55 GMT
It has something to do with "meta mark" rules. I have parts like these in my nftables config that throw an error now with 1.8.9 of iptables-nft (no issues reported with 'nft list ruleset'):

table ip filter {
	chain DOCKER-USER {
		meta mark set 0x000003b3 comment "docker"
	}

	chain CNI-ADMIN {
		meta mark set 0x000003b4 comment "CNI"
	}
}
table ip6 filter {
	chain DOCKER-USER {
		meta mark set 0x000003b3 comment "docker"
	}

	chain CNI-ADMIN {
		meta mark set 0x000003b4 comment "CNI"
	}
}
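The comment above narrows the failure down to "meta mark set" rules sitting in the ip and ip6 "filter" tables that iptables-nft and ip6tables-nft walk. The script below is an added diagnostic, not part of the bug report or of the iptables/nftables projects: it reads an 'nft list ruleset' dump and prints every "meta mark set" rule found in an ip or ip6 family table, so an affected user can locate which chain trips the parser before deciding whether to move the rule into a table iptables-nft does not read. It assumes (as the report's output suggests) that iptables-nft only parses tables of its own family, so a rule in an "inet" table is skipped; the sample ruleset is constructed for the example and modelled on the snippet above.

```shell
#!/bin/sh
# Added example: find "meta mark set" rules in the tables iptables-nft parses.
# Not code from the bug report or from the iptables/nftables projects.

# Constructed sample 'nft list ruleset' output, modelled on the report.
# The "inet" table is included to show that only ip/ip6 tables are reported
# (assumption: iptables-nft/ip6tables-nft read tables of their own family).
SAMPLE_RULESET='table ip filter {
	chain DOCKER-USER {
		meta mark set 0x000003b3 comment "docker"
	}

	chain CNI-ADMIN {
		meta mark set 0x000003b4 comment "CNI"
	}

	chain INPUT {
		type filter hook input priority filter; policy accept;
	}
}
table inet myfw {
	chain prerouting {
		meta mark set 0x1 comment "constructed: not an iptables-nft table"
	}
}
table ip6 filter {
	chain CNI-ADMIN {
		meta mark set 0x000003b4 comment "CNI"
	}
}'

# find_meta_mark_set: read a ruleset dump on stdin and print one line per
# "meta mark set" rule found in an ip or ip6 table, formatted as
#   <family> <table> <chain>: <rule>
find_meta_mark_set() {
    awk '
        # "table <family> <name> {" opens a table; remember family and name
        /^table [a-z0-9]+ [^ ]+ [{]/ { family = $2; table = $3; next }
        # "chain <name> {" opens a chain inside the current table
        /^[ \t]*chain [^ ]+ [{]/ { chain = $2; next }
        # a rule starting with "meta mark set" is the construct the report
        # ties to the "meta sreg key not supported" error
        /^[ \t]*meta mark set / {
            if (family == "ip" || family == "ip6") {
                sub(/^[ \t]+/, "")
                printf "%s %s %s: %s\n", family, table, chain, $0
            }
        }
    '
}

# count_sample_hits: number of offending rules in the constructed sample
count_sample_hits() {
    printf '%s\n' "$SAMPLE_RULESET" | find_meta_mark_set | wc -l | tr -d ' '
}

# On a live system (needs root): nft list ruleset | find_meta_mark_set
printf '%s\n' "$SAMPLE_RULESET" | find_meta_mark_set
```

Run it against the real ruleset with 'nft list ruleset | sh -c ". ./find-mark.sh; find_meta_mark_set"' or just source the function into a root shell; every line it prints is a rule that the affected iptables-nft version will refuse to parse when listing that table.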
Comment by Toolybird (Toolybird) - Friday, 03 February 2023, 23:36 GMT
This would appear to be an upstream issue. Could you please report it there? A quick peruse located this [1] which seems related.

[1] https://bugzilla.netfilter.org/show_bug.cgi?id=1632
Comment by Philipp Richter (popsUlfr) - Monday, 06 March 2023, 21:08 GMT
Hello, I'm very sorry I completely forgot to update this bug with the upstream bugzilla link since it took a bit to get the account. Here it is: https://bugzilla.netfilter.org/show_bug.cgi?id=1659

Best Regards,
Philipp Richter
Comment by Toolybird (Toolybird) - Thursday, 13 April 2023, 08:04 GMT
Not an Arch packaging issue. Hopefully upstream will address it soon.
