Bug 852662 - net-firewall/nftables: versions >=1.0.3 introduce a regression preventing valid rulesets from loading
Summary: net-firewall/nftables: versions >=1.0.3 introduce a regression preventing val...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo's Team for Core System packages
URL: https://git.netfilter.org/nftables/co...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-06-17 03:17 UTC by kfm
Modified: 2022-06-17 18:44 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description kfm 2022-06-17 03:17:01 UTC
The regression in question is described by - and rectified by - the following commit.

https://git.netfilter.org/nftables/commit/?id=638af0ceb2b22307098bb2730822e148ef0b9424

This regression was introduced by 1.0.3 and was not fixed in time for the 1.0.4 release. It is easy enough to trigger that it could plausibly affect many deployed rulesets in the wild. I have had to apply this patch to three different systems so far for my rulesets to be loadable.

I realise that the affected versions are not keyworded stable in Gentoo. Nevertheless, I would urge that this patch be incorporated. Further, it might be a good idea to drop the 1.0.3 releases outright as they are particularly buggy, even by the standards of nftables.
Comment 1 kfm 2022-06-17 04:55:28 UTC
As an aside, this was the final straw for me as far as upstream QA is concerned, so I decided to do this:

https://codeberg.org/kerframil/portage-overlay/commit/4706740d8229b2a0bf64392b3b2388e5fdc5d655
Comment 2 Larry the Git Cow gentoo-dev 2022-06-17 16:18:08 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c7d289358511150d712e08b2cbb175b1374d9f7

commit 8c7d289358511150d712e08b2cbb175b1374d9f7
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-06-17 16:16:41 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-06-17 16:16:41 +0000

    net-firewall/nftables: backport upstream revert
    
    Closes: https://bugs.gentoo.org/852662
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 ....4-revert-scanner-flags-move-to-own-scope.patch | 252 +++++++++++++++++++++
 ...ables-1.0.4.ebuild => nftables-1.0.4-r1.ebuild} |   3 +
 2 files changed, 255 insertions(+)
Comment 3 kfm 2022-06-17 16:24:12 UTC
(In reply to Larry the Git Cow from comment #2)
> The bug has been closed via the following commit(s):

Thanks.
Comment 4 Larry the Git Cow gentoo-dev 2022-06-17 18:44:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c73d672e4a3e228c1b6b287d4345d229597fa35

commit 1c73d672e4a3e228c1b6b287d4345d229597fa35
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-06-17 18:42:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-06-17 18:44:03 +0000

    net-firewall/nftables: add emergency pkg_preinst sanity check
    
    The idea here is that we check just before merging whether the freshly
    built `nft` binary can safely (pretend) reload the system ruleset.
    
    A significant number of recent regressions have manifested in immediate
    segfaults when doing this, so it's worth doing the safety check (it's
    not as if it's niche or unlikely for a failure to occur at this point).
    
    Those who want a failed check to be *fatal* can set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.
    
    Otherwise, it's just a warning.
    
    Bug: https://bugs.gentoo.org/852662
    Thanks-to: Kerin Millar <kfm@plushkava.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-firewall/nftables/nftables-1.0.4-r2.ebuild | 218 +++++++++++++++++++++++++
 net-firewall/nftables/nftables-9999.ebuild     |  16 +-
 2 files changed, 233 insertions(+), 1 deletion(-)