[Touch-packages] [Bug 1843468] Re: nftables based iptables wrapper break userspace

2020-09-03 Thread Balint Reczey
switching to nftables (again) is tracked in LP: #1887186

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1843468

Title:
  nftables based iptables wrapper break userspace

Status in iptables package in Ubuntu:
  Fix Released

Bug description:
  iptables just got replaced by the nftables wrappers, effectively
  changing all Ubuntu systems to using nftables rather than regular
  iptables/ip6tables/ebtables.

  Unfortunately those wrappers aren't perfect and don't convert every
  option properly, nor know about some of the available plugins for
  those commands.

  This means that unless the software using those commands are aware
  that those are wrappers and adapt their use, they may break at some
  random point in time.

  
  While nftables is clearly the way forward, just silently switching the
  existing native tools with the compat wrappers will lead to widespread
  breakage both from packages in the archive, snaps and a variety of
  scripts our users may be running.

  So far, looking around, known breakages post-nft are expected with at
  least Docker, Kubernetes and LXD but the same may be true with the
  many other packages we have that call iptables, ip6tables, ebtables or
  arptables today.

  A migration should include a proper audit of all in-archive users, see
  if they have a plan/patch for native nft interaction and if not,
  validate their use of the tools is compatible with the wrappers.

  We should also extend that to popular snaps / those we ship by
  default. Snaps make things worse as they use the tools from their base
  snap, which in LXD's case is currently 16.04 (soon to switch to
  18.04).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1843468/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
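As an added example (not from the bug report, and not code from the iptables package or from Ubuntu), a small POSIX shell audit helper for the situation the report describes: it classifies a binary's backend from the `-V` banner that iptables 1.8 prints, and flags a host that ends up carrying rules through both the legacy tool and the nft wrapper, which is the state a silent switch can leave a script-managed firewall in. The banners and rule dumps in the block are constructed; `iptables-legacy-save` and `iptables-nft-save` are the explicit per-backend binaries that the 1.8 packaging installs next to the alternatives-managed `iptables` name.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the iptables package:
# tell which backend an iptables-family binary is (the nftables wrapper
# or the legacy tool) from its "-V" banner, and spot a host that has
# rules loaded through both backends. Sample data below is constructed.

# classify_backend BANNER -> prints "nft", "legacy" or "unknown".
# iptables 1.8.x prints "iptables v1.8.3 (nf_tables)" or "... (legacy)";
# a tool whose banner carries no such tag is reported as "unknown".
classify_backend() {
    case "$1" in
        *'(nf_tables)'*) echo nft ;;
        *'(legacy)'*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# count_rules DUMP -> number of "-A" rule lines in an iptables-save dump
# (chain policy lines such as ":INPUT ACCEPT" and "COMMIT" are not rules).
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# backend_state LEGACY_DUMP NFT_DUMP -> "empty", "legacy", "nft" or "mixed".
# "mixed" is the case to flag: a script driving one backend cannot see,
# flush or override the rules that were loaded through the other one.
backend_state() {
    l=$(count_rules "$1")
    n=$(count_rules "$2")
    if [ "$l" -gt 0 ] && [ "$n" -gt 0 ]; then echo mixed
    elif [ "$l" -gt 0 ]; then echo legacy
    elif [ "$n" -gt 0 ]; then echo nft
    else echo empty
    fi
}

# audit_host: run as root on a real system. Reports the backend behind
# each tool name and the per-family rule state, using the explicit
# *-legacy-save / *-nft-save binaries shipped by iptables 1.8.
audit_host() {
    for tool in iptables ip6tables ebtables arptables; do
        command -v "$tool" >/dev/null 2>&1 || continue
        printf '%-9s backend=%s\n' "$tool" \
            "$(classify_backend "$("$tool" -V 2>/dev/null)")"
    done
    for fam in iptables ip6tables; do
        legacy=''; nft=''
        command -v "${fam}-legacy-save" >/dev/null 2>&1 && \
            legacy=$("${fam}-legacy-save" 2>/dev/null)
        command -v "${fam}-nft-save" >/dev/null 2>&1 && \
            nft=$("${fam}-nft-save" 2>/dev/null)
        printf '%-9s rules=%s\n' "$fam" "$(backend_state "$legacy" "$nft")"
    done
}

# Constructed sample dumps for a dry run that does not touch the host.
SAMPLE_LEGACY='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'
SAMPLE_NFT='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
COMMIT'

if [ "${1:-}" = "--host" ]; then
    audit_host
else
    echo "sample banner: $(classify_backend 'iptables v1.8.3 (nf_tables)')"
    echo "sample state : $(backend_state "$SAMPLE_LEGACY" "$SAMPLE_NFT")"
fi
```

Run it with no arguments for the dry run on the constructed samples (which report `nft` and `mixed`), or with `--host` as root to audit the real machine; a `mixed` result for a family is the signal that some caller is still reaching the legacy tool while another has moved to the wrapper.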


[Touch-packages] [Bug 1843468] Re: nftables based iptables wrapper break userspace

2019-09-16 Thread Launchpad Bug Tracker
This bug was fixed in the package iptables - 1.8.3-2ubuntu4

---
iptables (1.8.3-2ubuntu4) eoan; urgency=medium

  * autopkgtest: allow-stderr on command9 to fix regression

 -- Julian Andres Klode   Mon, 16 Sep 2019 13:48:52 +0200

** Changed in: iptables (Ubuntu)
   Status: Fix Committed => Fix Released



[Touch-packages] [Bug 1843468] Re: nftables based iptables wrapper break userspace

2019-09-11 Thread Julian Andres Klode
** Changed in: iptables (Ubuntu)
   Status: Triaged => Fix Committed



[Touch-packages] [Bug 1843468] Re: nftables based iptables wrapper break userspace

2019-09-11 Thread Julian Andres Klode
** Changed in: iptables (Ubuntu)
 Assignee: (unassigned) => Julian Andres Klode (juliank)



[Touch-packages] [Bug 1843468] Re: nftables based iptables wrapper break userspace

2019-09-11 Thread Francis Ginther
** Tags added: id-5d784b79b60ef9779cc530ed



[Touch-packages] [Bug 1843468] Re: nftables based iptables wrapper break userspace

2019-09-10 Thread Stéphane Graber
Ah, that's good to know and we should definitely aim at refreshing
nftables prior to doing any amount of testing on the wrappers.

The failure I've seen for LXD specifically was around complex protocol
parsing (IPv6 router advertisements I believe) through ebtables, so not
a very usual thing to do, but something LXD needs to do to prevent some
cases of IP spoofing between containers with isolated networking.



[Touch-packages] [Bug 1843468] Re: nftables based iptables wrapper break userspace

2019-09-10 Thread Oibaf
Debian and RHEL are already using the new -nft iptables backend in their latest 
stable releases.
There are still some regressions, but most (all?) are already fixed in upstream 
iptables git.
I'd suggest updating to latest git before starting the audit.
