[Desktop-packages] [Bug 1671606] Re: DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6-0ubuntu0.16.04.1

2017-04-05 Thread Mercury
Ryan,

The problem is not that a recent change in resolvconf caused a
regression.

The problem with resolvconf is that the upgrade to network-manager
exposed an existing bug in resolvconf.

This happens because the new version of network-manager now tells
resolvconf that it must only use a specific interface when talking to
the name server, and resolvconf was not properly tracking how interfaces
were added and removed from the system.

This is most obvious for VPN connections which use an interface for VPN
traffic, as that interface will be destroyed and recreated on every VPN
connection, triggering the bug in resolvconf. (Setting up the new DNS
for the new VPN interface is insufficient to make it happy.)

This can also be triggered on systems that remove and re-add interfaces
for things like suspend or hibernate.

Red Hat documented the bug fairly well when they found it; their bug
report on the matter is
https://bugzilla.redhat.com/show_bug.cgi?id=1373485

The actual patch that needs to be applied is git commit
2675f2061525bc954be14988d64384b74aa7bf8b, and the upstream gitweb URL
for viewing the diff is:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2675f2061525bc954be14988d64384b74aa7bf8b

There is a separate (but very related) issue, in that some existing VPNs
that involve ipsec have one interface for sending traffic and to hold an
IP, but the response traffic appears on the interface of the primary
internet connection.  This is completely broken in the middle of an LTS
by this change, and fixing the bug in resolvconf won't help.  I'm still
trying to sort out the right answer for some of my VPN use cases there.

** Changed in: resolvconf (Ubuntu)
   Status: Invalid => Confirmed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1671606

Title:
  DNS server from vpn connection is not being used after network-manager
  upgrade to 1.2.6-0ubuntu0.16.04.1

Status in network-manager package in Ubuntu:
  Confirmed
Status in resolvconf package in Ubuntu:
  Confirmed

Bug description:
  I use my company's cisco vpn via network-manager in Ubuntu 16.04.2
  LTS. After recent upgrade of network-manager:amd64 from version
  1.2.2-0ubuntu0.16.04.4 to version 1.2.6-0ubuntu0.16.04.1 DNS
  resolution of VPN's server hostnames does not work. Roll back to
  version 1.2.2-0ubuntu0.16.04.4 solves the problem.

  Steps for reproducing:
  1. upgrade network-manager:amd64 from version 1.2.2-0ubuntu0.16.04.4 to version 1.2.6-0ubuntu0.16.04.1
  2. connect to VPN via network-manager applet
  3. nslookup servername.internal --> ** server can't find servername.internal: NXDOMAIN
  4. disconnect from VPN via network-manager applet
  5. roll back network-manager via command: sudo apt-get install network-manager=1.2.2-0ubuntu0.16.04.4
  6. restart network-manager via sudo service network-manager restart
  7. connect to VPN via network-manager applet
  8. nslookup servername.internal --> the server is resolved correctly

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: network-manager 1.2.6-0ubuntu0.16.04.1
  ProcVersionSignature: Ubuntu 4.4.0-66.87-generic 4.4.44
  Uname: Linux 4.4.0-66-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Thu Mar  9 19:49:55 2017
  InstallationDate: Installed on 2015-10-05 (520 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  NetworkManager.state:
   [main]
   NetworkingEnabled=true
   WirelessEnabled=true
   WWANEnabled=true
   WimaxEnabled=true
  SourcePackage: network-manager
  UpgradeStatus: No upgrade log present (probably fresh install)
  nmcli-nm:
   RUNNING  VERSION  STATE      STARTUP  CONNECTIVITY  NETWORKING  WIFI-HW  WIFI     WWAN-HW  WWAN
   running  1.2.6    connected  started  full          enabled     enabled  enabled  enabled  enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1671606/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp


[Desktop-packages] [Bug 1671606] Re: DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6-0ubuntu0.16.04.1

2017-03-30 Thread Mercury
After two and a half weeks, can we please get a build of resolvconf with
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2675f2061525bc954be14988d64384b74aa7bf8b
applied pushed out?

We don't even need the full new release of resolvconf, we just need the
documented bug (https://bugzilla.redhat.com/show_bug.cgi?id=1373485)
patched.

This was covered in detail in https://bugs.launchpad.net/ubuntu/+source
/network-manager/+bug/1672491 and while it won't fix some of my use
cases, it will at least get a large number of the VPN users working
again.

Regards,
Zephaniah E. Loss-Cutler-Hull.

** Bug watch added: Red Hat Bugzilla #1373485
   https://bugzilla.redhat.com/show_bug.cgi?id=1373485



[Desktop-packages] [Bug 1645698] Re: [SRU] Upgrade network-manager to latest point release

2017-03-13 Thread Mercury
So, this managed to break at least my VPN setup quite well.

See #1672491 with the details, but the short version is that 'specify
egress interface for each dnsmasq upstream server' breaks things in two
cases.

The first could be argued to be a bug on the VPN client side, though a
behavior change of this nature in an LTS release is decidedly unwelcome.

The second exposes a bug in dnsmasq which needs to be fixed for any case
where an interface is removed and then re-added; this includes
suspend/resume and some VPN cases.

Regards,
Zephaniah E. Loss-Cutler-Hull.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1645698

Title:
  [SRU] Upgrade network-manager to latest point release

Status in OEM Priority Project:
  Fix Released
Status in network-manager package in Ubuntu:
  Fix Released
Status in network-manager source package in Xenial:
  Fix Released
Status in network-manager source package in Yakkety:
  Fix Released

Bug description:
  [Impact]

  This SRU would try to have the latest well-tested upstream point
  release (1.2.6) of 1.2.x land in Xenial, which is the successor of the
  current 1.2.2 version, fixing quite some bugs that's suitable to land
  in the stable branch.

  https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=nm-1-2

  [Test Case]

  After installing the updated version, users should be able to avoid
  some mem leaks in some cases and have generally improved DNS related
  experiences.

  Also, as this is a general point release update, cases described in
  https://wiki.ubuntu.com/NetworkManager/DistroTesting should be used
  for smoke testing.

  [Regression Potential]

  This is a bug/regression fix for 1.2.2 and 1.2.4, which is quite
  complete.

  [Other Info]
  The first attempt at SRUing this to xenial was for 1.2.4 but it failed
  verification. This second attempt matches yakkety with 1.2.6.

  Parallel building was enabled in xenial to keep the diff between
  xenial and yakkety minimal since they are basically in sync now.
  Parallel building was enabled in the yakkety package in May 2016 so
  it's been working fine for a while.

  needed by:
  lp #1647283

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1645698/+subscriptions



[Desktop-packages] [Bug 1672491] Re: New NetworkManager breaks VPN DNS.

2017-03-13 Thread Mercury
Alright, this is due to a change to 1.2.4:


commit 2f12f485607590d6415cf5fb81ad4db5b04615cd
Author: Beniamino Galvani 
Date:   Wed May 11 18:43:41 2016 +0200

    dns: specify egress interface for each dnsmasq upstream server

    Currently we don't specify to dnsmasq which interface must be used to
    contact a given nameserver and so requests can be sent through the
    wrong interface.

    Fix this by concatenating a @interface prefix to each server (unless
    an IPv6 interface scope-id is already present).

    https://bugzilla.gnome.org/show_bug.cgi?id=765153
    (cherry picked from commit b71e104d333a1eb3325274089faf449126a4b157)


Now, this causes _two_ problems.

The first is that for some VPN connections you get traffic going out on
tap0, but due to the wonders of ipsec the responses show up on the
actual interface, such as eth0 or wlan0.  This is a little bit of a pain
normally, but it means that dnsmasq simply dies.  It is possible that
this is something I can fix on my VPN package, but it's _not_ a change
that I expected to see in an LTS release.

Second, https://bugzilla.redhat.com/show_bug.cgi?id=1373485 (upstream
commit
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2675f2061525bc954be14988d64384b74aa7bf8b
fixes it) now matters, and without that fix anything that removes an
interface and brings it back up breaks dnsmasq until dnsmasq is
restarted.

So, either 16.04 needs to fall back to 1.2.2, or dnsmasq needs the fix
applied.

(And if the latter is chosen, VPN plugins which worked before may still
be non-functional until additional work on them is done.  Again, in an
LTS release?)

Regards,
Zephaniah E. Loss-Cutler-Hull.

** Bug watch added: GNOME Bug Tracker #765153
   https://bugzilla.gnome.org/show_bug.cgi?id=765153

** Bug watch added: Red Hat Bugzilla #1373485
   https://bugzilla.redhat.com/show_bug.cgi?id=1373485

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1672491

Title:
  New NetworkManager breaks VPN DNS.

Status in network-manager package in Ubuntu:
  New

Bug description:
  Alright, this is going to be a frustrating bug for everyone involved I
  expect, but here goes.

  On Ubuntu 16.04, using a non-released VPN client (making this _much_
  harder for anyone to reproduce), upgrading the network-manager
  packages from 1.2.2-0ubuntu0.16.04.3 to 1.2.6-0ubuntu0.16.04.1 quite
  handily broke DNS over the VPN.

  And it broke it really oddly.

  dnsmasq binds to socket 12 for the new interface, just fine.

  strace shows that it does the sendto for the DNS request, and that the
  poll calls are working, just fine.

  tcpdump shows the response messages, they are coming back from the
  correct host and port, going to my IP and the port that dnsmasq is
  sending from.

  There are no iptables rules involved, nothing is set to deny.

  dnsmasq is never getting the response packet.

  The request thus times out.

  Doing a host or dig directly to the DNS server works just fine.

  And this is completely reproducible, and goes away the moment I
  downgrade back to 1.2.2-0ubuntu0.16.04.3.

  Was there some change to how network-manager handles VPN
  interfaces/tap0 in the new version?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1672491/+subscriptions
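
Added example (not part of the original message, and not NetworkManager or dnsmasq code): a sketch of the server-string rule from the commit message quoted above, plus a check that flags upstream servers pinned to an interface that has disappeared or been recreated since dnsmasq was configured. The function names, the sample data, and the use of a changed ifindex as the sign of a recreated interface are assumptions made for illustration.

```python
import ipaddress

def dnsmasq_server(addr, iface):
    """Apply the commit's rule: append @iface unless the address
    already carries an IPv6 scope-id (addr%iface)."""
    return addr if "%" in addr else f"{addr}@{iface}"

def pinned_interface(server):
    """Return the interface a dnsmasq server entry is pinned to, or None."""
    spec = server.rsplit("/", 1)[-1]          # drop an optional /domain/ prefix
    if "@" in spec:
        target = spec.split("@", 1)[1].split("#", 1)[0]
        try:
            ipaddress.ip_address(target)      # @ can also name a source address
            return None
        except ValueError:
            return target
    if "%" in spec:
        return spec.split("%", 1)[1].split("#", 1)[0]
    return None

def audit(servers, ifindex_at_config, ifindex_now):
    """List (server, iface, reason) for entries whose interface is gone or
    was recreated (assumption: a recreated interface gets a new ifindex)."""
    findings = []
    for server in servers:
        iface = pinned_interface(server)
        if iface is None:
            continue
        old, new = ifindex_at_config.get(iface), ifindex_now.get(iface)
        if new is None:
            findings.append((server, iface, "interface missing"))
        elif old is not None and old != new:
            findings.append((server, iface, "interface recreated"))
    return findings

# Constructed sample data: tap0 was torn down and recreated by a VPN
# reconnect, wlan0 is gone, eth0 is unchanged.
SERVERS = [
    dnsmasq_server("10.8.0.1", "tap0"),
    dnsmasq_server("192.168.1.1", "eth0"),
    dnsmasq_server("fe80::1%wlan0", "wlan0"),
    "/corp.example/10.8.0.2@tap0",
    "10.0.0.1@192.168.1.5",
]
BEFORE = {"eth0": 2, "wlan0": 3, "tap0": 7}
NOW = {"eth0": 2, "tap0": 9}

if __name__ == "__main__":
    for server, iface, reason in audit(SERVERS, BEFORE, NOW):
        print(f"{server}: {reason} ({iface}); restart dnsmasq or apply the fix")
```

On a live system the two ifindex maps could be taken with socket.if_nameindex() when the servers are set and again at check time.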



[Desktop-packages] [Bug 1672491] [NEW] New NetworkManager breaks VPN DNS.

2017-03-13 Thread Mercury
Public bug reported:

Alright, this is going to be a frustrating bug for everyone involved I
expect, but here goes.

On Ubuntu 16.04, using a non-released VPN client (making this _much_
harder for anyone to reproduce), upgrading the network-manager packages
from 1.2.2-0ubuntu0.16.04.3 to 1.2.6-0ubuntu0.16.04.1 quite handily
broke DNS over the VPN.

And it broke it really oddly.

dnsmasq binds to socket 12 for the new interface, just fine.

strace shows that it does the sendto for the DNS request, and that the
poll calls are working, just fine.

tcpdump shows the response messages, they are coming back from the
correct host and port, going to my IP and the port that dnsmasq is
sending from.

There are no iptables rules involved, nothing is set to deny.

dnsmasq is never getting the response packet.

The request thus times out.

Doing a host or dig directly to the DNS server works just fine.

And this is completely reproducible, and goes away the moment I
downgrade back to 1.2.2-0ubuntu0.16.04.3.

Was there some change to how network-manager handles VPN interfaces/tap0
in the new version?

** Affects: network-manager (Ubuntu)
 Importance: Undecided
 Status: New
