Bug#1038727: bookworm-pu: package nftables/1.0.6-2+deb12u1

2023-06-24 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Tue, Jun 20, 2023 at 05:27:03PM +0200, Arturo Borrero Gonzalez wrote:
> There has been a behavior regression reported in nftables when
> upgrading from Debian 11 Bullseye to Debian 12 Bookworm.
> 
> The change is in how nftables prints the set definitions, with
> or without set elements by default.
> 
> Some user tools relying on 'nft -j list sets' fail after upgrading
> to Debian Bookworm from Debian Bullseye because of the behavior change.
> 
> The small upstream fix makes the behavior coherent and predictable for the
> set listing action.

It would be good to mention *what* the patch does and why in the changelog,
but in general please go ahead.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
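
The failure this thread describes, tools that read 'nft -j list sets' and find no set elements, can be caught on the consumer side. The following is an added example, not part of the original messages or of nftables: the JSON samples are constructed, the function names are hypothetical, and it assumes set objects carry their members under an "elem" key.

```python
import json

# Constructed sample: `nft -j list sets` output with elements listed.
WITH_ELEMS = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"set": {"family": "inet", "table": "filter", "name": "blocklist",
             "type": "ipv4_addr", "handle": 4,
             "elem": ["192.0.2.10", "198.51.100.7"]}},
]})

# Constructed sample: the same set printed as a declaration only
# (no "elem" key), as after the upgrade or with --terse.
DECL_ONLY = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"set": {"family": "inet", "table": "filter", "name": "blocklist",
             "type": "ipv4_addr", "handle": 4}},
]})


def parse_sets(raw):
    """Map (family, table, name) -> list of elements, or None when the
    listing has no "elem" key and membership is therefore not reported."""
    result = {}
    for item in json.loads(raw).get("nftables", []):
        s = item.get("set")
        if s is None:
            continue  # metainfo and other object types
        key = (s["family"], s["table"], s["name"])
        result[key] = list(s["elem"]) if "elem" in s else None
    return result


def missing_entries(raw, key, required):
    """Return the required addresses that are not in the set.
    Raises LookupError when the set is absent or was listed without
    elements, instead of treating "not reported" as "empty"."""
    sets = parse_sets(raw)
    if key not in sets:
        raise LookupError(f"set {key} not in listing")
    if sets[key] is None:
        raise LookupError(f"set {key} listed without elements")
    # Only plain string elements are compared; prefix and range
    # objects are ignored in this narrowed example.
    present = {e for e in sets[key] if isinstance(e, str)}
    return sorted(set(required) - present)
```

A caller auditing a blocklist should treat the LookupError as a failed check rather than as an empty result.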



Bug#1038727: bookworm-pu: package nftables/1.0.6-2+deb12u1

2023-06-20 Thread Arturo Borrero Gonzalez
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: nftab...@packages.debian.org
Control: affects -1 + src:nftables

There has been a behavior regression reported in nftables when
upgrading from Debian 11 Bullseye to Debian 12 Bookworm.

The change is in how nftables prints the set definitions, with
or without set elements by default.

Some user tools relying on 'nft -j list sets' fail after upgrading
to Debian Bookworm from Debian Bullseye because of the behavior change.

The small upstream fix makes the behavior coherent and predictable for the
set listing action.

There is not much risk in this update:
* The fix patch has been provided directly by upstream
* The fix has been applied to upstream main branch already
* The fix is already in Debian Sid

Find debdiff attached against the current Debian stable package.

See also:
 * https://marc.info/?l=netfilter&m=168704941828372&w=2 (original report)
 * https://bugs.debian.org/1038724 (debian bug)
 * https://git.netfilter.org/nftables/commit/?id=29bed4fa594c3f6e343a8b5669d61e20c7129cca (upstream fix)
diff -Nru nftables-1.0.6/debian/changelog nftables-1.0.6/debian/changelog
--- nftables-1.0.6/debian/changelog 2023-01-29 12:33:00.0 +0100
+++ nftables-1.0.6/debian/changelog 2023-06-20 16:55:52.0 +0200
@@ -1,3 +1,9 @@
+nftables (1.0.6-2+deb12u1) bookworm; urgency=medium
+
+  * [7edf72e] d/patches: add 0001-debian-bug-1038724.patch (Closes: #1038724)
+
+ -- Arturo Borrero Gonzalez   Tue, 20 Jun 2023 16:55:52 
+0200
+
 nftables (1.0.6-2) unstable; urgency=medium
 
   [ Jeremy Sowden ]
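
Review bot: The new changelog stanza only names the patch file ("d/patches: add 0001-debian-bug-1038724.patch") and does not say what changes for users. Since this is a stable update that alters default command output, state the behaviour in the entry, for example that "nft list sets" now includes set elements by default and that "--terse" gives the declaration-only listing.
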
diff -Nru nftables-1.0.6/debian/patches/0001-debian-bug-1038724.patch 
nftables-1.0.6/debian/patches/0001-debian-bug-1038724.patch
--- nftables-1.0.6/debian/patches/0001-debian-bug-1038724.patch 1970-01-01 
01:00:00.0 +0100
+++ nftables-1.0.6/debian/patches/0001-debian-bug-1038724.patch 2023-06-20 
16:55:52.0 +0200
@@ -0,0 +1,66 @@
+From 29bed4fa594c3f6e343a8b5669d61e20c7129cca Mon Sep 17 00:00:00 2001
+From: Florian Westphal 
+Date: Sun, 18 Jun 2023 18:39:45 +0200
+Subject: cache: include set elements in "nft set list"
+
+Make "nft list sets" include set elements in listing by default.
+In nftables 1.0.0, "nft list sets" did not include the set elements,
+but with "--json" they were included.
+
+1.0.1 and newer never include them.
+This causes a problem for people updating from 1.0.0 and relying
+on the presence of the set elements.
+
+Change nftables to always include the set elements.
+The "--terse" option is honored to get the "no elements" behaviour.
+
+Fixes: a1a6b0a5c3c4 ("cache: finer grain cache population for list commands")
+Link: https://marc.info/?l=netfilter=168704941828372=2
+Signed-off-by: Florian Westphal 
+---
+ src/cache.c | 2 ++
+ src/rule.c  | 8 +---
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/src/cache.c b/src/cache.c
+index 95adee7f..becfa57f 100644
+--- a/src/cache.c
 b/src/cache.c
+@@ -235,6 +235,8 @@ static unsigned int evaluate_cache_list(struct nft_ctx 
*nft, struct cmd *cmd,
+   case CMD_OBJ_SETS:
+   case CMD_OBJ_MAPS:
+   flags |= NFT_CACHE_TABLE | NFT_CACHE_SET;
++  if (!nft_output_terse(>output))
++  flags |= NFT_CACHE_SETELEM;
+   break;
+   case CMD_OBJ_FLOWTABLE:
+   if (filter &&
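
Review bot: The added NFT_CACHE_SETELEM flag sits in the shared CMD_OBJ_SETS / CMD_OBJ_MAPS case, so the listing of maps changes along with the listing of sets, while the subject and commit message speak only of "nft list sets". Say so in the message and in the Debian changelog, and consider a regression test: the diffstat touches only src/cache.c and src/rule.c, so nothing pins the default and "--terse" output for either command.
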
+diff --git a/src/rule.c b/src/rule.c
+index 633a5a12..1faa1a27 100644
+--- a/src/rule.c
 b/src/rule.c
+@@ -1574,11 +1574,6 @@ static int do_list_table(struct netlink_ctx *ctx, 
struct table *table)
+ 
+ static int do_list_sets(struct netlink_ctx *ctx, struct cmd *cmd)
+ {
+-  struct print_fmt_options opts = {
+-  .tab= "\t",
+-  .nl = "\n",
+-  .stmt_separator = "\n",
+-  };
+   struct table *table;
+   struct set *set;
+ 
+@@ -1601,8 +1596,7 @@ static int do_list_sets(struct netlink_ctx *ctx, struct 
cmd *cmd)
+   if (cmd->obj == CMD_OBJ_MAPS &&
+   !map_is_literal(set->flags))
+   continue;
+-  set_print_declaration(set, , >nft->output);
+-  nft_print(>nft->output, "%s}%s", opts.tab, 
opts.nl);
++  set_print(set, >nft->output);
+   }
+ 
+   nft_print(>nft->output, "}\n");
+-- 
+cgit v1.2.3
+
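
Review bot: In do_list_sets() the explicit print_fmt_options (tab, newline, statement separator) and the hand-written closing brace are dropped in favour of a single set_print() call, so the layout of each listed set now depends entirely on set_print(), which is not shown in this patch. Because the bug being fixed is about tools that parse this output, include before/after sample output (plain and "--json", with and without "--terse") in the patch description. As a Debian patch file it would also help to add DEP-3 fields such as Origin and Bug-Debian pointing at the upstream commit and #1038724.
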
diff -Nru nftables-1.0.6/debian/patches/series 
nftables-1.0.6/debian/patches/series
--- nftables-1.0.6/debian/patches/series2023-01-29 12:33:00.0 
+0100
+++ nftables-1.0.6/debian/patches/series2023-06-20 16:55:52.0 
+0200
@@ -1 +1,2 @@
+0001-debian-bug-1038724.patch
 invalid-octal-fix.patch
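
Review bot: The new patch is inserted at the top of the series, ahead of invalid-octal-fix.patch, rather than appended. If the order is intentional, note why; otherwise append it so the existing patch keeps applying against the same base as in 1.0.6-2.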