Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: iptables-netf...@packages.debian.org, a...@debian.org, a...@debian.org
Control: affects -1 + src:iptables-netflow
Please unblock iptables-netflow/2.6-4.

This is an update to fix the RC bug report at https://bugs.debian.org/1035511 and fixes an upgrade issue from Bullseye to Bookworm if iptables-netflow-dkms is upgraded while the Bullseye kernel (and headers) are still installed — which is the case in nearly every upgrade workflow.

[ Reason ]
Upgrades from Bullseye to Bookworm failed, at least until the Bullseye kernel has been uninstalled.

[ Impact ]
Impact without this package update, admins will

* have to wait for iptables-netflow-dkms's postinst to succeed until they have rebooted into the Bookworm kernel and uninstalled the Bullseye kernel.
* have no chance of running the newer iptables-netflow-dkms version from Bookworm with the Bullseye kernel.

Impact of the change:

* Low. Cherry-picked an upstream commit explicitly fixing compilation with older kernels. Regression introduced upstream with 2.6 when fixing compilation with kernel 5.15. It adds some compat definitions into the #ifdef areas for older kernels. Does not affect compiling against Bookworm's 6.1 kernel.

[ Tests ]
* Installation on Sid. Still compiles fine. (Exception: Fails if the kernel 6.3 in Experimental is installed on Sid. But I consider a fix for that to be unsuitable at this stage of the freeze.)
* Installation on two Bullseye systems of which one is a production server heavily relying on exactly this package. Still works fine with the Sid package installed on Bullseye with stock Bullseye kernel, even during package upgrade and after a reboot (into the Bullseye kernel). Netflows generated with iptables-netflow-dkms continued to show up in nfdump's local cache after upgrading the package to the version currently in Sid as well as after rebooting (which guarantees that the newly built kernel module was really used, not just compiled). This test proves that a server will continue to provide the package's functionality even during a dist-upgrade even while still running under the Bullseye kernel. (Which was found in #1035511 to be not the case due to the failing compilation with the Bullseye kernel.)
* Upgrade of a server from Bullseye to Bookworm which is using this package in production. Upgrade failed as reported in #1035511. The failure was fixed by installing the package from Unstable using "dpkg -i" as expected. Netflows generated with iptables-netflow-dkms continued to show up in nfdump's local cache afterwards as well as after the final reboot into Bookworm's kernel. This test proves that a server will continue to provide the package's functionality even during a dist-upgrade and that it still works fine under Bookworm's kernel, i.e. that it does NOT introduce a regression on Bookworm.
* Autopkgtest in Sid via autopkgtest-pkg-dkms: https://qa.debian.org/excuses.php?package=iptables-netflow says "No test results" for all tests. I'm not sure what this actually means. If I click on such a link I see:

I: Summary:
I: PASS 6.1.0-8-amd64
I: PASS 6.1.0-8-cloud-amd64
I: PASS 6.1.0-8-rt-amd64

Maybe these passes were considered superficial as in the end it just says twice:

dkms-autopkgtest PASS (superficial)

[ Risks ]
* Future updates of the Bullseye kernel with backported kernel fixes might break some assumptions of the kernel version #ifdefs in this kernel module like the ones updated in this patch and hence might cause upgrade issues due to compilation issues again if someone upgrades from Bullseye to Bookworm only late in the Bullseye release cycle. But this is given with and without that upgrade, and it has happened in past stable releases as well. (Has IIRC last happened with backported kernel fixes in Buster.)
* It's a leaf package only in use on servers which generate netflows out of network traffic, e.g. for traffic statistics or security monitoring purposes.
[ Checklist ]
[x] all changes are documented in the d/changelog
(debian/.gitignore was added by the recent NMU by accident and has been removed in this upload again automatically without any manual change, hence its removal does not show up in the debian/changelog entry. It ending up in the debdiff is not a result of this upload but actually a result of the previous upload being built directly from git or so.)
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
The cherry-picked upstream commit is https://github.com/aabc/ipt-netflow/commit/0901f028617acca350132a65293ab80a480bf233

commit 0901f028617acca350132a65293ab80a480bf233
Author: Vadim Fedorenko <vfedore...@novek.ru>
Date: Mon Mar 28 21:59:10 2022 +0300

    fix building on old kernels

    Link: https://github.com/aabc/ipt-netflow/pull/196

diff --git a/compat.h b/compat.h index 6be9d6b..847117f 100644 --- a/compat.h +++ b/compat.h @@ -782,7 +782,14 @@ struct module *find_module(const char *name) #endif #ifndef HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT +/* + * nat event callback parameter is constified in 5.15+ + * but it prevents module building with previous kernel versions + */ +# define NF_CT_EVENT struct nf_ct_event # define ct_event fcn +#else +# define NF_CT_EVENT const struct nf_ct_event #endif #endif /* COMPAT_NETFLOW_H */ diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c index e042fe6..82805bc 100644 --- a/ipt_NETFLOW.c +++ b/ipt_NETFLOW.c @@ -4597,7 +4597,7 @@ static void rate_timer_calc( #ifdef CONFIG_NF_NAT_NEEDED #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31) static struct nf_ct_event_notifier *saved_event_cb __read_mostly = NULL; -static int netflow_conntrack_event(const unsigned int events, const struct nf_ct_event *item) +static int netflow_conntrack_event(const unsigned int events, NF_CT_EVENT *item) #else static int netflow_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr) #endif

So please unblock iptables-netflow/2.6-4
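Review bot: in the compat.h hunk of the upstream commit, the new comment ("nat event callback parameter is constified in 5.15+") describes the condition by kernel version while the code keys on the feature test HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT; since the [ Risks ] section itself notes that backported kernel fixes can invalidate version-based #ifdef assumptions, the comment should point at the feature test rather than "5.15+", and "nat event callback" should read "conntrack event callback", which is what netflow_conntrack_event is.

Review bot: in the ipt_NETFLOW.c hunk, switching the item parameter from `const struct nf_ct_event *` to `NF_CT_EVENT *` drops const on pre-5.15 kernels; that is only safe if the body of netflow_conntrack_event never writes through item, and the hunk does not show the body, so that should be confirmed before accepting the cherry-pick. The `#else` branch (the notifier_block form for kernels before 2.6.31) is untouched, which is correct since it takes a `void *ptr` rather than the typed parameter.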
diff -Nru iptables-netflow-2.6/debian/.gitignore iptables-netflow-2.6/debian/.gitignore --- iptables-netflow-2.6/debian/.gitignore 2023-01-20 11:27:09.000000000 +0100 +++ iptables-netflow-2.6/debian/.gitignore 1970-01-01 01:00:00.000000000 +0100 @@ -1,10 +0,0 @@ -/dkms -/files -/debhelper-build-stamp -/.debhelper/ -/*.debhelper.log -/*.p*.debhelper -/*.substvars -/iptables-netflow-dkms/ -/irqtop/ -/tmp/ diff -Nru iptables-netflow-2.6/debian/changelog iptables-netflow-2.6/debian/changelog --- iptables-netflow-2.6/debian/changelog 2023-01-20 11:27:09.000000000 +0100 +++ iptables-netflow-2.6/debian/changelog 2023-05-10 18:22:39.000000000 +0200 @@ -1,3 +1,11 @@ +iptables-netflow (2.6-4) unstable; urgency=medium + + * Acknowledge NMU. Thanks Andreas! + * Cherry-pick upstream commit 0901f028 "fix building on old kernels". + (Closes: #1035511) + + -- Axel Beckert <a...@debian.org> Wed, 10 May 2023 18:22:39 +0200 + iptables-netflow (2.6-3.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru iptables-netflow-2.6/debian/patches/cherry-pick_0901f028_fix_building_on_old_kernels.patch iptables-netflow-2.6/debian/patches/cherry-pick_0901f028_fix_building_on_old_kernels.patch --- iptables-netflow-2.6/debian/patches/cherry-pick_0901f028_fix_building_on_old_kernels.patch 1970-01-01 01:00:00.000000000 +0100 +++ iptables-netflow-2.6/debian/patches/cherry-pick_0901f028_fix_building_on_old_kernels.patch 2023-05-10 17:21:46.000000000 +0200 
@@ -0,0 +1,40 @@ +commit 0901f028617acca350132a65293ab80a480bf233 +Author: Vadim Fedorenko <vfedore...@novek.ru> +Date: Mon Mar 28 21:59:10 2022 +0300 + + fix building on old kernels + + Link: https://github.com/aabc/ipt-netflow/pull/196 + +diff --git a/compat.h b/compat.h +index 6be9d6b..847117f 100644 +--- a/compat.h ++++ b/compat.h +@@ -782,7 +782,14 @@ struct module *find_module(const char *name) + #endif + + #ifndef HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT ++/* ++ * nat event callback parameter is constified in 5.15+ ++ * but it prevents module building with previous kernel versions ++ */ ++# define NF_CT_EVENT struct nf_ct_event + # define ct_event fcn ++#else ++# define NF_CT_EVENT const struct nf_ct_event + #endif + + #endif /* COMPAT_NETFLOW_H */ +diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c +index e042fe6..82805bc 100644 +--- a/ipt_NETFLOW.c ++++ b/ipt_NETFLOW.c +@@ -4597,7 +4597,7 @@ static void rate_timer_calc( + #ifdef CONFIG_NF_NAT_NEEDED + #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31) + static struct nf_ct_event_notifier *saved_event_cb __read_mostly = NULL; +-static int netflow_conntrack_event(const unsigned int events, const struct nf_ct_event *item) ++static int netflow_conntrack_event(const unsigned int events, NF_CT_EVENT *item) + #else + static int netflow_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr) + #endif diff -Nru iptables-netflow-2.6/debian/patches/series iptables-netflow-2.6/debian/patches/series --- iptables-netflow-2.6/debian/patches/series 2023-01-20 11:27:09.000000000 +0100 +++ iptables-netflow-2.6/debian/patches/series 2023-05-10 17:21:58.000000000 +0200 @@ -4,3 +4,4 @@ dont-hardcode-current-gcc.patch cherry-pick_66e43041_namespace_sk_error_report.patch cherry-pick_6a55739a_fix_build_on_v5.15.patch +cherry-pick_0901f028_fix_building_on_old_kernels.patch
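Review bot: the debian/.gitignore removal hunk is not reflected in d/changelog; the checklist explains that the file was added by the NMU by accident and dropped automatically, but a one-line "Remove stray debian/.gitignore introduced by the NMU" entry would keep the debdiff and the changelog in sync for whoever reviews the unblock.

Review bot: the changelog hunk names the cherry-picked commit only by its short hash 0901f028; adding the upstream PR link (https://github.com/aabc/ipt-netflow/pull/196), which this report gives under [ Other info ], would make the entry self-explanatory without having to open the patch file.

Review bot: the new debian/patches/cherry-pick_0901f028_fix_building_on_old_kernels.patch carries the raw git commit header (commit, Author, Date, Link) but no DEP-3 fields; adding `Origin: upstream, https://github.com/aabc/ipt-netflow/commit/0901f028617acca350132a65293ab80a480bf233` and `Bug-Debian: https://bugs.debian.org/1035511` above the diff would make the patch's provenance and the bug it closes machine-readable.

Review bot: in the series hunk the new patch is appended last, after cherry-pick_6a55739a_fix_build_on_v5.15.patch; that ordering is required, because the `#ifndef HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT` block it edits comes, according to this report, from the 5.15 build fix that introduced the regression, so the file must stay after that patch rather than being sorted by upstream commit date.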