iptables in excuses triggers tests in other packages. The excuses report
doesn't show the fully green results anymore, so it's easy to miss them.

I think we can consider the ufw dep8 tests as sufficient for the case of
"normal iptables usage hasn't regressed".

I ran the ufw debian/tests/root-unittest DEP8 test in a jammy vm, and
checked with execsnoop that it was calling the real iptables during the
tests, and not just pretending or calling a fake binary like the normal
unittest test. I aborted it after a few minutes, because the extra
logging was taking a lot of time, but here is a sample:

17:12:30 TIME     TIME(s) UID   PCOMM            PID    PPID   RET ARGS
17:12:30 1.962   0     iptables         28768  28767    0 /usr/sbin/iptables --version
17:12:30 1.964   0     iptables         28773  28772    0 /usr/sbin/iptables --version
17:12:30 2.002   0     iptables         28817  28816    0 /usr/sbin/iptables -V
17:12:30 2.203   0     iptables         29060  29059    0 /usr/sbin/iptables -V
17:12:30 2.205   0     ip6tables        29062  29061    0 /sbin/ip6tables -L INPUT -n
17:12:30 2.205   0     iptables         29063  29061    0 /sbin/iptables -F ufw-logging-deny
17:12:30 2.206   0     iptables         29064  29061    0 /sbin/iptables -F ufw-logging-allow
(...)
17:12:30 2.552   0     iptables         29371  29225    0 /usr/sbin/iptables -D ufw-user-logging-forward -j RETURN
17:12:30 2.553   0     iptables         29372  29225    0 /usr/sbin/iptables -A ufw-after-logging-input -j LOG --log-prefix [UFW BLOCK]  -m limit --limit 3/min --limit-burst 10
17:12:30 2.553   0     iptables         29373  29225    0 /usr/sbin/iptables -A ufw-after-logging-forward -j LOG --log-prefix [UFW BLOCK]  -m limit --limit 3/min --limit-burst 10
17:12:30 2.554   0     iptables         29374  29225    0 /usr/sbin/iptables -I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
17:12:30 2.555   0     iptables         29375  29225    0 /usr/sbin/iptables -A ufw-logging-deny -j LOG --log-prefix [UFW BLOCK]  -m limit --limit 3/min --limit-burst 10
17:12:30 2.555   0     iptables         29376  29225    0 /usr/sbin/iptables -A ufw-logging-allow -j LOG --log-prefix [UFW ALLOW]  -m limit --limit 3/min --limit-burst 10
17:12:30 2.556   0     iptables         29377  29225    0 /usr/sbin/iptables -D ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix [UFW LIMIT BLOCK]
17:12:30 2.557   0     iptables         29378  29225    0 /usr/sbin/iptables -I ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix [UFW LIMIT BLOCK]
17:12:31 2.601   0     iptables         29380  29379    0 /usr/sbin/iptables -V
17:12:31 2.609   0     iptables         29383  29057    0 /usr/sbin/iptables -L -n
(...)

# grep iptables d-t-root-unittest.log |wc -l
9389

All of this while iptables from jammy-proposed was installed:
# apt-cache policy iptables
iptables:
  Installed: 1.8.7-1ubuntu5.1
  Candidate: 1.8.7-1ubuntu5.1
  Version table:
 *** 1.8.7-1ubuntu5.1 500
        500 http://br.archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages


With that in mind, let's confirm that the ufw dep8 tests ran with the iptables 
package from proposed for each ubuntu release:


# Kinetic
Results yaml: 
https://ubuntu-archive-team.ubuntu.com/proposed-migration/kinetic/update_excuses.yaml.xz

ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-kinetic/kinetic/amd64/u/ufw/20230515_201517_324f0@/log.gz

iptables from kinetic-proposed:
$ zgrep kinetic-proposed/main.*iptables log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu kinetic-proposed/main amd64 iptables amd64 1.8.7-1ubuntu6.1 [454 kB]

root-unittest passed:
$ zgrep ^root-unittest kinetic-log.gz 
root-unittest        PASS
root-unittest        PASS


# Jammy
Results yaml:
https://ubuntu-archive-team.ubuntu.com/proposed-migration/jammy/update_excuses.yaml.xz

ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/u/ufw/20230516_174358_f55b2@/log.gz

iptables from jammy-proposed:
$ zgrep jammy-proposed/main.*iptables jammy-log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu jammy-proposed/main amd64 iptables amd64 1.8.7-1ubuntu5.1 [455 kB]

root-unittest passed:
$ zgrep ^root-unittest jammy-log.gz 
root-unittest        PASS
root-unittest        PASS


# focal
Results yaml: 
https://ubuntu-archive-team.ubuntu.com/proposed-migration/focal/update_excuses.yaml.xz

ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-focal/focal/amd64/u/ufw/20230518_023831_3747d@/log.gz

iptables from focal-proposed:
$ zgrep focal-proposed/main.*iptables focal-log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu focal-proposed/main amd64 iptables amd64 1.8.4-3ubuntu2.1 [390 kB]

root-unittest passed:
$ zgrep ^root-unittest focal-log.gz 
root-unittest        PASS
root-unittest        PASS


# bionic
Results yaml: 
https://ubuntu-archive-team.ubuntu.com/proposed-migration/bionic/update_excuses.yaml.xz

There is no ufw run for bionic (my luck). So let's pick something else.
I thought about checking the docker.io DEP8 tests, since docker does use
iptables to set up networking.

Turns out that just installing docker.io already calls iptables multiple times,
via the service restart it does in postinst:
(...)
Get:1 http://br.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 docker.io amd64 20.10.21-0ubuntu1~18.04.3 [30.3 MB]
Fetched 30.3 MB in 1s (33.3 MB/s)    
Preconfiguring packages ...
(Reading database ... 86244 files and directories currently installed.)
Preparing to unpack .../docker.io_20.10.21-0ubuntu1~18.04.3_amd64.deb ...
Unpacking docker.io (20.10.21-0ubuntu1~18.04.3) over (20.10.21-0ubuntu1~18.04.3) ...
Setting up docker.io (20.10.21-0ubuntu1~18.04.3) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...


And execsnoop on bionic:
root@b-ipt:~# execsnoop-bpfcc  -n tables
PCOMM            PID    PPID   RET ARGS
iptables         28557  28524    0 /sbin/iptables --wait -t nat -L -n
iptables         28561  28524    0 /sbin/iptables --wait -L -n
iptables         28562  28524    0 /sbin/iptables --version
iptables         28563  28524    0 /sbin/iptables --wait -t filter -C FORWARD -j DOCKER-ISOLATION
iptables         28564  28524    0 /sbin/iptables --wait -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables         28566  28524    0 /sbin/iptables --wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER
iptables         28567  28524    0 /sbin/iptables --wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
(...)

ubuntu@b-ipt:~$ sudo docker network list
NETWORK ID     NAME      DRIVER    SCOPE
69b1780a684a   bridge    bridge    local
77b64dbf809d   host      host      local
bb18e7f881ed   none      null      local

And that was using the proposed version of iptables:
$ apt-cache policy iptables
iptables:
  Installed: 1.6.1-2ubuntu2.1
  Candidate: 1.6.1-2ubuntu2.1
  Version table:
 *** 1.6.1-2ubuntu2.1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

So this, plus the fact that the docker.io DEP8 tests passed on bionic
too, should be good for bionic.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1992454

Title:
  iptables: segfault when renaming a chain

Status in iptables package in Ubuntu:
  Fix Released
Status in iptables source package in Bionic:
  Fix Committed
Status in iptables source package in Focal:
  Fix Committed
Status in iptables source package in Jammy:
  Fix Committed
Status in iptables source package in Kinetic:
  Fix Committed

Bug description:
  [ Impact ]
   * An explanation of the effects of the bug on users

  This is the description for the upstream fix of this bug [1]:

  This is an odd bug: If the number of chains is right and one renames the
  last one in the list, libiptc dereferences a NULL pointer.

   * justification for backporting the fix to the stable release.
  Without this patch, users may experience a segmentation fault when using
  the following versions of iptables:

    - Bionic : iptables
    - Focal  : iptables
    - Jammy  : iptables-legacy
    - Kinetic: iptables-legacy

   * In addition, it is helpful, but not required, to include an
     explanation of how the upload fixes this bug.

  The upstream fix adjusts the size of the chain_index if the element is the
  last chain in the list.

  [1] http://git.netfilter.org/iptables/commit/?id=97bf4e68fc0794adba3243fd96f40f4568e7216f

  [ Test Plan ]

   * detailed instructions how to reproduce the bug

   The following code (adapted from the upstream commit to work on Kinetic) may
   be used to reproduce the issue:
  ----------------------------------------8<--------------------------------
  #!/bin/bash
  #
  # Cover for a bug in libiptc:
  # - the chain 'node-98-tmp' is the last in the list sorted by name
  # - there are 81 chains in total, so three chain index buckets
  # - the last index bucket contains only the 'node-98-tmp' chain
  # => rename temporarily removes it from the bucket, leaving a NULL bucket
  #    behind which is dereferenced later when inserting the chain again
  #    under its new name
  #
  # XT_MULTI is set by the upstream test harness to its multi-call binary;
  # when it is unset, the installed iptables-legacy* commands are used as-is.

  (
   echo "*filter"
   for chain in node-1 node-10 node-101 node-102 node-104 node-107 node-11 \
       node-12 node-13 node-14 node-15 node-16 node-17 node-18 node-19 node-2 node-20 \
       node-21 node-22 node-23 node-25 node-26 node-27 node-28 node-29 node-3 node-30 \
       node-31 node-32 node-33 node-34 node-36 node-37 node-39 node-4 node-40 node-41 \
       node-42 node-43 node-44 node-45 node-46 node-47 node-48 node-49 node-5 node-50 \
       node-51 node-53 node-54 node-55 node-56 node-57 node-58 node-59 node-6 node-60 \
       node-61 node-62 node-63 node-64 node-65 node-66 node-68 node-69 node-7 node-70 \
       node-71 node-74 node-75 node-76 node-8 node-80 node-81 node-86 node-89 node-9 \
       node-92 node-93 node-95 node-98-tmp; do
    # one empty user-defined chain per name
    echo ":$chain - [0:0]"
   done
   echo "COMMIT"
  ) | $XT_MULTI iptables-legacy-restore
  # renaming the last chain in the sorted list triggers the NULL dereference
  $XT_MULTI iptables-legacy -E node-98-tmp node-98
  exit $?
  ---------------------------------------->8--------------------------------

  Alternatively, this test has been added to the DEP8 list of tests, and
  will be executed automatically once the package is accepted into
  proposed. The DEP8 logs can be inspected for its run. Look for a test
  named "0006rename-segfault".

  [ Where problems could occur ]

  For Jammy and onward, only users of the -legacy commands may be affected.
  Since Jammy, iptables uses the new nft libraries which are not affected
  by the bug.

  For Bionic and Focal users, the regular iptables command is affected by
  the change.

  As stated in the manpage:
  -E, --rename-chain old-chain new-chain
         Rename the user specified chain to the user supplied name. This is
         cosmetic, and has no effect on the structure of the table.

  In case of a problem, only the modification of the name would be affected
  as this is clearly outlined as a cosmetic only change.

  [ Other Info ]
  The patch is also applied to lunar and mantic, but is fixed in upstream's 
1.8.9 release which so far is only in debian testing/unstable.

  This is being uploaded together with test fixes from bug #1992454
  (bionic-specific) and bug #2019023 (focal-specific), which were found
  and fixed while trying out the DEP8 runs for this package.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1992454/+subscriptions
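The two checks made in the comment above (that the ufw/docker DEP8 runs really exec'd the system iptables binary, as seen with execsnoop, and that each autopkgtest log pulled iptables from <release>-proposed and recorded root-unittest as PASS) can be scripted. The following Python is an added example, not code from the bug comment or from the iptables/ufw packages; the sample lines are constructed from the output quoted in the comment, and the wrapper path under /tmp/autopkgtest.x/ is a made-up placeholder standing in for a test-tree fake binary.

```python
"""Automate the two DEP8 sanity checks from the bug comment (added example):
  1. from an execsnoop trace, confirm the tests exec'd the system iptables
     binaries (not a test-tree wrapper) and summarise the operations asked of them;
  2. from an autopkgtest log, confirm iptables was fetched from <release>-proposed
     and collect the root-unittest verdicts.
All sample input is constructed from the output quoted in the comment."""
import re
from collections import Counter

# System locations of the real binaries seen in the traces above.
REAL_BINARIES = {"/sbin/iptables", "/usr/sbin/iptables",
                 "/sbin/ip6tables", "/usr/sbin/ip6tables"}

# Constructed execsnoop sample: jammy-style lines (time/uid columns), one
# bionic-style line (PCOMM PID PPID RET ARGS only) and one made-up exec of a
# wrapper under a hypothetical autopkgtest build directory.
EXECSNOOP_SAMPLE = """\
TIME     TIME(s) UID   PCOMM            PID    PPID   RET ARGS
17:12:30 1.962   0     iptables         28768  28767    0 /usr/sbin/iptables --version
17:12:30 2.205   0     ip6tables        29062  29061    0 /sbin/ip6tables -L INPUT -n
17:12:30 2.205   0     iptables         29063  29061    0 /sbin/iptables -F ufw-logging-deny
17:12:30 2.553   0     iptables         29372  29225    0 /usr/sbin/iptables -A ufw-after-logging-input -j LOG --log-prefix [UFW BLOCK] -m limit --limit 3/min --limit-burst 10
17:12:30 2.556   0     iptables         29377  29225    0 /usr/sbin/iptables -D ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix [UFW LIMIT BLOCK]
iptables         28557  28524    0 /sbin/iptables --wait -t nat -L -n
iptables         31000  30990    0 /tmp/autopkgtest.x/build/tests/bin/iptables -A foo
"""

# Constructed autopkgtest log excerpt: apt Get: lines, then the test summary.
AUTOPKGTEST_SAMPLE = """\
Get:1 http://ftpmaster.internal/ubuntu jammy-proposed/main amd64 iptables amd64 1.8.7-1ubuntu5.1 [455 kB]
Get:2 http://ftpmaster.internal/ubuntu jammy/main amd64 libip4tc2 amd64 1.8.7-1ubuntu5 [20 kB]
root-unittest        PASS
unittest             PASS
root-unittest        PASS
"""


def parse_execsnoop(text):
    """Return one dict per exec event; header and non-exec lines are skipped.
    Column sets differ between execsnoop flag combinations, so the first
    absolute-path token is taken as the exec'd program and the four tokens
    before it as PCOMM PID PPID RET."""
    events = []
    for line in text.splitlines():
        tok = line.split()
        path_idx = next((k for k, t in enumerate(tok) if t.startswith("/")), None)
        if path_idx is None or path_idx < 4:
            continue
        events.append({"pcomm": tok[path_idx - 4], "pid": int(tok[path_idx - 3]),
                       "ppid": int(tok[path_idx - 2]), "ret": int(tok[path_idx - 1]),
                       "path": tok[path_idx], "args": tok[path_idx + 1:]})
    return events


def classify_op(args):
    """Return the iptables command flag (-A, -D, -L, --version, ...), skipping
    the --wait and -t <table> options that docker puts in front of it."""
    it = iter(args)
    for a in it:
        if a == "--wait":
            continue
        if a == "-t":
            next(it, None)  # drop the table name
            continue
        if a.startswith("-"):
            return "--version" if a == "-V" else a
    return None


def summarize_iptables_calls(text):
    """Count execs of the real iptables/ip6tables binaries by operation and
    collect any other path exec'd under a *tables process name."""
    real_ops, other_paths = Counter(), []
    for ev in parse_execsnoop(text):
        if not ev["pcomm"].endswith("tables"):
            continue
        if ev["path"] in REAL_BINARIES:
            real_ops[classify_op(ev["args"])] += 1
        else:
            other_paths.append(ev["path"])
    return real_ops, other_paths


GET_RE = re.compile(r"^Get:\d+ \S+ (?P<suite>[^/\s]+)/\S+ \S+ (?P<pkg>\S+) \S+ (?P<ver>\S+) \[")
RESULT_RE = re.compile(r"^(?P<test>\S+)\s+(?P<result>PASS|FAIL|SKIP)\s*$")


def check_autopkgtest_log(text, release, package="iptables", test="root-unittest"):
    """Return (version of `package` fetched from <release>-proposed or None,
    list of verdicts recorded for `test`)."""
    version, verdicts = None, []
    for line in text.splitlines():
        m = GET_RE.match(line)
        if m and m["pkg"] == package and m["suite"] == f"{release}-proposed":
            version = m["ver"]
        m = RESULT_RE.match(line)
        if m and m["test"] == test:
            verdicts.append(m["result"])
    return version, verdicts


if __name__ == "__main__":
    ops, others = summarize_iptables_calls(EXECSNOOP_SAMPLE)
    print("real iptables calls by operation:", dict(ops))
    print("execs of non-system iptables binaries:", others)
    ver, res = check_autopkgtest_log(AUTOPKGTEST_SAMPLE, "jammy")
    print(f"iptables from jammy-proposed: {ver}; root-unittest: {res}")
```

Run against a real trace, a non-empty second return value from summarize_iptables_calls is the thing to look at: it is exactly the "fake binary" case the comment rules out by eye. The log check returns None for the version when no Get: line names <release>-proposed, which is how a run that silently installed the release-pocket iptables would show up.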


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
