Your message dated Thu, 11 Jan 2024 20:50:44 +0000
with message-id <[email protected]>
and subject line Bug#1060342: fixed in iptables 1.8.10-2
has caused the Debian Bug report #1060342,
regarding Please cherry-pick c1083acea707 ("ebtables: Fix corner-case noflush
restore bug")
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1060342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060342
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iptables
Version: 1.8.10-1
Severity: normal
Tags: patch
Hi,
firewalld fails to work with the current version of iptables in Debian.
This is exemplified by the autopkgtest which recently has been made
available in Debian (thanks elbrus):
https://ci.debian.net/packages/f/firewalld/unstable/amd64/41650423/
After contacting firewalld upstream in
https://github.com/firewalld/firewalld/issues/1268
it turns out this issue has already been fixed in
ebtables (iptables-nft) commit c1083acea707 ("ebtables: Fix corner-case
noflush restore bug").
Cherry-picking this commit for iptables makes the firewalld test suite
pass. I'm attaching the commit as patch file.
If you are busy, I can offer to NMU.
Regards,
Michael
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.6.9-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages iptables depends on:
ii libc6 2.37-13
ii libip4tc2 1.8.10-1
ii libip6tc2 1.8.10-1
ii libmnl0 1.0.5-2
ii libnetfilter-conntrack3 1.0.9-6
ii libnfnetlink0 1.0.2-2
ii libnftnl11 1.2.6-2
ii libxtables12 1.8.10-1
ii netbase 6.4
Versions of packages iptables recommends:
ii nftables 1.0.9-1+b2
Versions of packages iptables suggests:
ii firewalld 2.1.0-1
ii kmod 31-1
-- no debconf information
commit c1083acea70787eea3f7929fd04718434bb05ba8
Author: Phil Sutter <[email protected]>
Date: Tue Nov 7 19:12:14 2023 +0100
ebtables: Fix corner-case noflush restore bug
Report came from firewalld, but this is actually rather hard to trigger.
Since a regular chain line prevents it, typical dump/restore use-cases
are unaffected.
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
Cc: Eric Garver <[email protected]>
Signed-off-by: Phil Sutter <[email protected]>
diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
new file mode 100755
index 00000000..0def0ac5
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching
bug when restoring:
+# - with --noflush
+# - a second table after the broute one
+# - A policy command but no chain line for BROUTING chain
+
+set -e
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+ ;;
+*)
+ echo "skip $XT_MULTI"
+ exit 0
+ ;;
+esac
+
+$XT_MULTI ebtables-restore --noflush <<EOF
+*broute
+-P BROUTING ACCEPT
+*nat
+-P PREROUTING ACCEPT
+COMMIT
+EOF
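Review bot: the new test checks only the exit status of the `ebtables-restore --noflush` call (through `set -e`), so it passes whenever the restore does not error out and would not notice if the BROUTING or PREROUTING policy were silently left unapplied. Consider dumping the ruleset after the restore and comparing it with the expected policies for both tables. The header comment lists the three trigger conditions but not the failure that was observed; one line saying what the restore did before the fix would help whoever next changes ebt_get_current_chain().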
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 08eec79d..a8ad57c7 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
return NF_BR_LOCAL_OUT;
else if (strcmp(chain, "POSTROUTING") == 0)
return NF_BR_POST_ROUTING;
+ else if (strcmp(chain, "BROUTING") == 0)
+ return NF_BR_BROUTING;
/* placeholder for user defined chain */
return NF_BR_NUMHOOKS;
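Review bot: the added `BROUTING` branch in ebt_get_current_chain() fixes this case, but the function is still a hand-maintained strcmp chain whose fall-through returns NF_BR_NUMHOOKS, the "placeholder for user defined chain", so a built-in chain missing from the list is silently treated as user-defined instead of raising an error. That matches the "Missing BROUTING-awareness" described in the test's header comment. A short comment above the chain saying that every built-in hook must be listed here would make the next omission less likely. The lookup also keys on the chain name alone, with no table argument, so `BROUTING` maps to NF_BR_BROUTING whichever table is being restored; worth stating in the commit message whether that is intended.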
--- End Message ---
--- Begin Message ---
Source: iptables
Source-Version: 1.8.10-2
Done: Jeremy Sowden <[email protected]>
We believe that the bug you reported is fixed in the latest version of
iptables, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Sowden <[email protected]> (supplier of updated iptables package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 11 Jan 2024 13:08:21 +0000
Source: iptables
Architecture: source
Version: 1.8.10-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Netfilter Packaging Team
<[email protected]>
Changed-By: Jeremy Sowden <[email protected]>
Closes: 1060342
Changes:
iptables (1.8.10-2) unstable; urgency=medium
.
* [06f4121] d/control: use tracker.d.o address for `Maintainer:`
* [f92d307] d/patches: add upstream patch to fix firewalld test-suite
(Closes: #1060342)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---