Your message dated Thu, 29 Jun 2017 12:04:23 +0000
with message-id <[email protected]>
and subject line Bug#859775: fixed in iptables 1.6.1-2
has caused the Debian Bug report #859775,
regarding iptables: iptables-save fails for rules using hashlimit on 32-bit
architectures
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
859775: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859775
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iptables
Version: 1.6.0+snapshot20161117-5
Severity: grave
Tags: upstream
User: [email protected]
Usertags: needed-by-DSA-Team
On 32-bit architectures the extensions/libxt_hashlimit.c file compiles
with warning:
| gcc -D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-DXTABLES_LIBDIR=\"/usr/lib/i386-linux-gnu/xtables\" -DXTABLES_INTERNAL
-I../include -I.. -I../include -Wdate-time -D_FORTIFY_SOURCE=2
-Wp,-MMD,./.libxt_hashlimit.oo.d,-MT,libxt_hashlimit.oo -Wall
-Waggregate-return -Wmissing-declarations -Wmissing-prototypes
-Wredundant-decls -Wshadow -Wstrict-prototypes -Winline -pipe
-D_INIT=libxt_hashlimit_init -DPIC -fPIC -g -O2
-fdebug-prefix-map=/«BUILDDIR»/iptables-1.6.0+snapshot20161117=.
-fstack-protector-strong -Wformat -Werror=format-security -o libxt_hashlimit.oo
-c libxt_hashlimit.c;
| In file included from /usr/include/math.h:26:0,
| from libxt_hashlimit.c:15:
| /usr/include/features.h:148:3: warning: #warning "_BSD_SOURCE and
_SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" [-Wcpp]
| # warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
| ^~~~~~~
| libxt_hashlimit.c: In function 'parse_burst':
| libxt_hashlimit.c:263:36: warning: format '%lu' expects argument of type
'long unsigned int', but argument 4 has type 'uint64_t {aka long long unsigned
int}' [-Wformat=]
| xtables_error(PARAMETER_PROBLEM, "bad value for option "
| ^~~~~~~~~~~~~~~~~~~~~~~
| libxt_hashlimit.c: In function 'parse_bytes':
| libxt_hashlimit.c:288:42: warning: format '%lu' expects argument of type
'long unsigned int', but argument 4 has type 'uint64_t {aka long long unsigned
int}' [-Wformat=]
| "Rate value too large \"%llu\" (max %lu)\n",
| ^
| libxt_hashlimit.c: In function 'hashlimit_mt_check_v1':
| libxt_hashlimit.c:560:38: warning: format '%lu' expects argument of type
'long unsigned int', but argument 3 has type 'uint64_t {aka long long unsigned
int}' [-Wformat=]
| "burst cannot be smaller than %lub", cost_to_bytes(info->cfg.avg));
| ^
| libxt_hashlimit.c: In function 'hashlimit_mt_check':
| libxt_hashlimit.c:590:38: warning: format '%lu' expects argument of type
'long unsigned int', but argument 3 has type 'uint64_t {aka long long unsigned
int}' [-Wformat=]
| "burst cannot be smaller than %lub", cost_to_bytes(info->cfg.avg));
| ^
| libxt_hashlimit.c: In function 'print_rate':
| libxt_hashlimit.c:634:13: warning: format '%lu' expects argument of type
'long unsigned int', but argument 2 has type 'long long unsigned int'
[-Wformat=]
| printf(" %lu/%s", _rates[i-1].mult / period, _rates[i-1].name);
| ^
A full build log is available there:
https://buildd.debian.org/status/fetch.php?pkg=iptables&arch=i386&ver=1.6.0%2Bsnapshot20161117-5&stamp=1485163465&raw=0
The problem is that uint64_t types are printed using an unsigned long
format, which is the right type on 64-bit architectures, but not on
32-bit architectures where it is an unsigned long long type.
As a result, iptables-save fails when a rule is using hashlimit. It
fails differently depending on the architecture. On i386 the value
is printed as "(null)":
| -A FORWARD -m hashlimit --hashlimit-upto 1/(null) --hashlimit-burst 10
--hashlimit-mode srcip --hashlimit-name nflogreject -j ACCEPT
On mips iptables-save ends-up with a segfault instead. I haven't
tested on arm yet.
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: mips (mips64)
Kernel: Linux 4.9.0-2-5kc-malta
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages iptables depends on:
ii libc6 2.24-9
ii libip4tc0 1.6.0+snapshot20161117-5
ii libip6tc0 1.6.0+snapshot20161117-5
ii libiptc0 1.6.0+snapshot20161117-5
ii libnetfilter-conntrack3 1.0.6-2
ii libnfnetlink0 1.0.1-3
ii libxtables12 1.6.0+snapshot20161117-5
iptables recommends no packages.
Versions of packages iptables suggests:
ii kmod 23-2
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: iptables
Source-Version: 1.6.1-2
We believe that the bug you reported is fixed in the latest version of
iptables, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arturo Borrero Gonzalez <[email protected]> (supplier of updated iptables
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 29 Jun 2017 13:40:27 +0200
Source: iptables
Binary: iptables iptables-dev libxtables12 libxtables-dev libiptc0 libiptc-dev
libip4tc0 libip4tc-dev libip6tc0 libip6tc-dev iptables-nftables-compat
Architecture: source
Version: 1.6.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Netfilter Packaging Team
<[email protected]>
Changed-By: Arturo Borrero Gonzalez <[email protected]>
Description:
iptables - administration tools for packet filtering and NAT
iptables-dev - transitional dummy package
iptables-nftables-compat - iptables compat tools for nftables
libip4tc-dev - Development files for libip4tc
libip4tc0 - netfilter libip4tc library
libip6tc-dev - Development files for libip6tc
libip6tc0 - netfilter libip6tc library
libiptc-dev - Development files for libiptc
libiptc0 - netfilter libiptc library
libxtables-dev - netfilter xtables library -- development files
libxtables12 - netfilter xtables library
Closes: 859775 865464
Changes:
iptables (1.6.1-2) unstable; urgency=medium
.
[ Helmut Grohne ]
* [e232f6c] d/control: turn iptables-dev Architecture: any (Closes: #865464)
.
[ Arturo Borrero Gonzalez ]
* [6f63f8c] d/control: make all the -dev packages Multi-Arch: same
* [d85cd65] d/control: bump std-version to 4.0.0
* [0ba5cff] d/patches: add
0001-extensions-libxt_hashlimit-fix-64-bit-printf-formats.patch.
Thanks to James Cowgill for the patch (Closes: #859775)
* [ab1785b] iptables: fix ip6tables-apply manpage symlink
Checksums-Sha1:
a2a666890e7b44720707ebeb11c90b449ddd32c5 2815 iptables_1.6.1-2.dsc
f834e9904646fd302fb86f47c0a424cc43c5ebab 62500 iptables_1.6.1-2.debian.tar.xz
Checksums-Sha256:
c6527164f2b314eccbc10c64f48fb3cdc28467f0cb7217e3c70a54706d90a6b0 2815
iptables_1.6.1-2.dsc
446b007c39bb65daac904808966863fe6d6ce6e4f46fe77b47d1eab65265541a 62500
iptables_1.6.1-2.debian.tar.xz
Files:
c30ede7fa1801ca4af74517ac905c2db 2815 net important iptables_1.6.1-2.dsc
ab32729f97aedf3c687d106075a71b85 62500 net important
iptables_1.6.1-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJGBAEBCgAwFiEE3ZhhqyPcMzOJLgepaOcTmB0VFfgFAllU5+8SHGFydHVyb0Bk
ZWJpYW4ub3JnAAoJEGjnE5gdFRX4c0oP/2wjsm70FX91JNkMD+tzUmdarnYa17/C
5q7/lgPrT7Y39okveXsVee4eZoXajy3QbFPt9yAlTPUbNWfdDCMOhuaG5GYh+e4O
LJRL6JjgPN/1Jjx5sAyeWJk+yw1Hr5Nem3l74s5BkI//OHJmrMnQzI9zlKD7PDpW
aEBvlY6izh4BD6EYC04HumNoECkMfe06Em9PNUQ47iIT79ZEroeSPEL7U6b+vOM0
MYX6o+3sbuaFIqFLRulvt3/+8oEE3YpiPAnzMjUmmDQPhsmO7IGL2v0Gg53KOPMc
pfnX6EKmrqqeuBmFr961qz/i4NkZkX0IH3Z2O88FBviD4w5Rx+pZnsnSsRHPMy8c
zjUYFrdgi6y6VmKo5gkvbmq1xzMYZ203q5gKZ4XoSO/oD/xbcy0gK9WA0+DgPOx5
oUgM5MX/Pn2Mq0RSAe1LQh4nQk1IIb3q65tFf2YvLJPy4mdfIkaWJHKnmlD9vUet
sT+Sta1AVLsDsYATVB6/MI4AUlNEufZ7VbryL05q5UQY5baQ1vld/FqD0opdTsvY
vKYm9GZo+QIf8nIrk5m5wKyv78iprwvDIKpmguNkidixsPIR09awyhobgdBpL7m8
/I0i/uxt5ZJVhVwcfG6Ry2ElTKPBAxRc+hRWvzqMiGbmMNucQ3CauTOehqxddo8u
Yra7wAMDWgM9
=iWaj
-----END PGP SIGNATURE-----
--- End Message ---
