Control: tags -1 patch

On 2025-10-06, at 21:14:27 +0100, Jeremy Sowden wrote:
On 2025-10-06, at 21:54:09 +0200, Paul Gevers wrote:
> Source: firewalld
> Version: 2.3.1-2
> Severity: serious
> X-Debbugs-CC: [email protected]
> Tags: sid forky
> User: [email protected]
> Usertags: needs-update
> Control: affects -1 src:nftables
>
> Dear maintainer(s),
>
> With a recent upload of nftables the autopkgtest of firewalld fails
> in testing when that autopkgtest is run with the binary packages of
> nftables from unstable. It passes when run with only packages from
> testing. In tabular form:
>
>                       pass            fail
> nftables               from testing    1.1.5-2
> firewalld              from testing    2.3.1-2
> all others             from testing    from testing
>
> I copied some of the output at the bottom of this report.
>
> Currently this regression is blocking the migration of nftables to
> testing [1]. Of course, nftables shouldn't just break your
> autopkgtest (or even worse, your package), but it seems to me that
> the change in nftables was intended and your package needs to update
> to the new situation.
>
> If this is a real problem in your package (and not only in your
> autopkgtest), the right binary package(s) from nftables should
> really add a versioned Breaks on the unfixed version of (one of
> your) package(s). Note: the Breaks is nice even if the issue is only
> in the autopkgtest as it helps the migration software to figure out
> the right versions to combine in the tests.
>
> More information about this bug and the reason for filing it can be found on
> https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation
>
> Paul
>
> [1] https://qa.debian.org/excuses.php?package=nftables
>
> https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/64961657/log.gz
>
> 2837s +++ /tmp/testsuite.dir/at-groups/211/stdout 2025-10-05 17:27:01.608000000 +0000
> 2837s @@ -1,6 +1,6 @@
> 2837s  table inet firewalld {
> 2837s  chain filter_FORWARD {
> 2837s -meta nfproto ipv6 fib saddr . mark oif missing drop
> 2837s +meta nfproto ipv6 fib saddr . mark check missing drop
> 2837s  ct state established,related accept
> 2837s  ct status dnat accept
> 2837s  iifname "lo" accept
> 2837s 211. rpfilter.at:89: 211. rpfilter - loose-forward (rpfilter.at:89): FAILED (rpfilter.at:101)
> 2837s autopkgtest [17:53:31]: test standard-tests

This is fixed upstream:

  https://github.com/firewalld/firewalld/commit/cc1c78b7343dc5f198f76c31c3e6f4934ab0b183

I'm running autopkgtest in qemu locally to make sure this is the only
regression.  It's very slow. :-/

Yup, that upstream commit does the job.  I've attached the patch against
firewalld's Salsa repo.  You can also see it here:

        https://salsa.debian.org/azazel/firewalld/-/commit/b3d463ceafdc86255aea0b38d32a0dbe72e25651

I can NMU if you're busy.

J.
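As an added illustration (not part of either message or of the firewalld patch), the normalisation the upstream fix relies on, reproduced as a shell function run over two constructed `nft list` listings: one in the pre-f4b646032acf form ("oif missing") and one in the newer form ("check missing"). The sed expressions mirror the two in the patch; the function names and sample listings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: normalise nft chain listings across nftables versions the
# way firewalld's NFT_LIST_RULES_NORMALIZE does, so a single expected
# listing matches both old ("oif missing") and new ("check missing") nft.
# The two sed expressions mirror the ones in the patch (GNU sed syntax);
# function names and sample listings below are constructed for the example.

normalize_nft() {
    # Reads a listing on stdin, writes the normalised form on stdout.
    sed -e 's/\(icmp\|icmpv6\|icmpx\) code no-route/\1 code 0/g' \
        -e 's/oif missing/check missing/g'
}

# Constructed listing as printed by nftables before commit f4b646032acf.
OLD_LISTING='table inet firewalld {
    chain filter_FORWARD {
        meta nfproto ipv6 fib saddr . mark oif missing drop
        ct state established,related accept
        ct status dnat accept
        iifname "lo" accept
    }
}'

# Constructed listing from a newer nftables that prints "check".
NEW_LISTING='table inet firewalld {
    chain filter_FORWARD {
        meta nfproto ipv6 fib saddr . mark check missing drop
        ct state established,related accept
        ct status dnat accept
        iifname "lo" accept
    }
}'

# Returns 0 when two listings are identical after normalisation, 1 otherwise.
listings_match() {
    a=$(printf '%s\n' "$1" | normalize_nft)
    b=$(printf '%s\n' "$2" | normalize_nft)
    [ "$a" = "$b" ]
}

# Returns 0 when normalising already-normalised output changes nothing,
# i.e. the rewrite is safe to apply unconditionally on newer nft as well.
normalize_is_idempotent() {
    once=$(printf '%s\n' "$1" | normalize_nft)
    twice=$(printf '%s\n' "$once" | normalize_nft)
    [ "$once" = "$twice" ]
}
```

Because the substitution is a no-op on output that already says "check missing", the same expected text serves both nftables versions, which is why the test suite only needed the normaliser extended rather than a version switch.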
From b3d463ceafdc86255aea0b38d32a0dbe72e25651 Mon Sep 17 00:00:00 2001
From: Jeremy Sowden <[email protected]>
Date: Sat, 4 Oct 2025 20:38:07 +0100
Subject: [PATCH] d/patches: add upstream commit to fix rpfilter tests

Closes: #1117505

Signed-off-by: Jeremy Sowden <[email protected]>
---
 debian/patches/Fix-rpfilter-tests.patch | 79 +++++++++++++++++++++++++
 debian/patches/series                   |  1 +
 2 files changed, 80 insertions(+)
 create mode 100644 debian/patches/Fix-rpfilter-tests.patch

diff --git a/debian/patches/Fix-rpfilter-tests.patch b/debian/patches/Fix-rpfilter-tests.patch
new file mode 100644
index 000000000000..6e1ac044da84
--- /dev/null
+++ b/debian/patches/Fix-rpfilter-tests.patch
@@ -0,0 +1,79 @@
+Author: Eric Garver <[email protected]>
+Last-Update: 2025-06-30
+Applied-upstream: commit:cc1c78b7343dc5f198f76c31c3e6f4934ab0b183
+Description: work around nftables CLI output change in rpfilter tests
+ Since nftables commit f4b646032acf ("fib: allow to check if route exists
+ in maps") the fib match now displays using the "check" keyword.
+ Normalize older nftables versions to the new output and update all the
+ tests.
+
+diff --git a/src/tests/features/rpfilter.at b/src/tests/features/rpfilter.at
+index a0771ff4ef14..d0b4b220d4dd 100644
+--- a/src/tests/features/rpfilter.at
++++ b/src/tests/features/rpfilter.at
+@@ -9,7 +9,7 @@ NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
+     table inet firewalld {
+         chain filter_PREROUTING {
+             icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+-            meta nfproto ipv6 fib saddr . mark . iif oif missing drop
++            meta nfproto ipv6 fib saddr . mark . iif check missing drop
+         }
+     }
+ ])
+@@ -35,7 +35,7 @@ NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
+     table inet firewalld {
+         chain filter_PREROUTING {
+             icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+-            meta nfproto ipv6 fib saddr . mark oif missing drop
++            meta nfproto ipv6 fib saddr . mark check missing drop
+         }
+     }
+ ])
+@@ -65,7 +65,7 @@ FWD_RELOAD()
+ NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
+     table inet firewalld {
+         chain filter_FORWARD {
+-            meta nfproto ipv6 fib saddr . mark . iif oif missing drop
++            meta nfproto ipv6 fib saddr . mark . iif check missing drop
+             ct state established,related accept
+             ct status dnat accept
+             iifname "lo" accept
+@@ -101,7 +101,7 @@ FWD_RELOAD()
+ NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
+     table inet firewalld {
+         chain filter_FORWARD {
+-            meta nfproto ipv6 fib saddr . mark oif missing drop
++            meta nfproto ipv6 fib saddr . mark check missing drop
+             ct state established,related accept
+             ct status dnat accept
+             iifname "lo" accept
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index 3f487f5c0a31..07d8482efa42 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -478,6 +478,9 @@ m4_define([NFT_LIST_RULES_NORMALIZE], [dnl
+         dnl newer nft replace ICMP reject aliases with code values
+         dnl nftables commit 5fecd2a6ef61 ("src: disentangle ICMP code types")
+         -e ['s/\(icmp\|icmpv6\|icmpx\) code no-route/\1 code 0/g'] dnl
++        dnl nftables commit f4b646032acf ("fib: allow to check if route exists in maps")
++        dnl changed the fib output. Now uses "check" keyword.
++        -e ['s/oif missing/check missing/g'] dnl
+ ])
+ 
+ m4_define([NFT_LIST_RULES_ALWAYS], [
+diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
+index 72e352aa72a7..a6ee2cd74263 100644
+--- a/src/tests/regression/gh258.at
++++ b/src/tests/regression/gh258.at
+@@ -114,7 +114,7 @@ IF_HOST_SUPPORTS_NFT_FIB([
+         table inet firewalld {
+             chain filter_PREROUTING {
+                 icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+-                meta nfproto ipv6 fib saddr . mark . iif oif missing drop
++                meta nfproto ipv6 fib saddr . mark . iif check missing drop
+             }
+         }
+     ])
+-- 
+2.51.0
+
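Review bot: the DEP-3 header at the top of the new file has no Bug-Debian field even though the commit message closes #1117505; add `Bug-Debian: https://bugs.debian.org/1117505` beside the Applied-upstream line so the quilt patch stays self-describing once it is separated from the git history. Two minor points in the same hunk: the `-- ` and `2.51.0` lines at the end of the embedded patch are a git format-patch version trailer that carries no information (generate with `git format-patch --no-signature` or drop the two lines), and the new sed expression `s/oif missing/check missing/g` is unanchored, so it rewrites any listed rule containing that text rather than fib expressions only; that is harmless for the rules shown here and is a no-op on nftables that already prints `check missing`, which is what makes one expected listing valid on both sides of the nftables change.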
diff --git a/debian/patches/series b/debian/patches/series
index 8c262ab835c2..56f45b01563d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 Remove-etc-sysconfig-firewalld-support.patch
 Switch-to-python3.patch
+Fix-rpfilter-tests.patch
-- 
2.51.0
