Public bug reported:

The new nftables https://launchpad.net/ubuntu/+source/nftables/0.9.8-3 is stuck in proposed since it fails the autopkgtest of firewalld:
https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/amd64
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/amd64/f/firewalld/20210510_135128_36f9c@/log.gz
https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/s390x
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/s390x/f/firewalld/20210510_131115_faeb7@/log.gz
It fails the same way across architectures in:

## ------------------------ ##
## Summary of the failures. ##
## ------------------------ ##
Failed tests:
firewalld 0.9.3 test suite test groups:

 NUM: FILE-NAME:LINE     TEST-GROUP-NAME
      KEYWORDS

  97: icmp_block_in_forward_chain.at:1 ICMP block present FORWARD chain
      nftables icmp
 124: rhbz1855140.at:1 rich rule icmptypes with one family
      nftables rich icmp rhbz1855140

The upstream issue tracker https://github.com/firewalld/firewalld/issues?q=is%3Aissue+is%3Aopen does not list those cases, but there is a new v9.4.0 that we might try.

In Debian this isn't showing up https://ci.debian.net/packages/f/firewalld/ because they are all skipped for not having machine level isolation:
https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/13738304/log.gz

In detail it seems there are two cases of expected-output mismatch.

In #97:
-icmp type destination-unreachable icmp code host-prohibited reject with icmpx type admin-prohibited
+icmp code host-prohibited reject with icmpx type admin-prohibited

In #124:
-icmpv6 type parameter-problem icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
+icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086

Those look like they might have the same root cause.

It seems that this has been present for a while; this is nftables 0.9.8-1 in Hirsute half a year ago:
https://autopkgtest.ubuntu.com/results/autopkgtest-hirsute/hirsute/amd64/f/firewalld/20210118_230221_66bea@/log.gz
Before nftables 0.9.8 it worked on 0.9.7-1:
https://autopkgtest.ubuntu.com/results/autopkgtest-hirsute/hirsute/amd64/f/firewalld/20201101_064747_2b123@/log.gz

With the right keywords I've found closed bugs in firewalld pointing to a nftables fix:
- https://github.com/firewalld/firewalld/issues/752 (thanks Costamagna/Michael for filing)
- https://marc.info/?l=netfilter-devel&m=161221629204555&w=2 <- supposed to be the fix

The issue is locally reproducible in e.g. an autopkgtest VM and thereby fixes can be tested the same way.

** Affects: firewalld (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Affects: nftables (Ubuntu)
     Importance: Undecided
         Status: Triaged

** Tags: update-excuse

** Tags added: update-excuse

** Also affects: nftables (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1936902

Title:
  new nftables 0.9.8-3 breaks firewalld 0.9.3 autopkgtest

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firewalld/+bug/1936902/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
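The two mismatches quoted in the report both lose the "icmp type"/"icmpv6 type" match from the listed rule while the "code" match survives, which is why they look like one root cause. The following is an added example (not code from the bug report, firewalld or nftables) that makes that comparison mechanical: it tokenises the intended rule and the rule as listed by nft, and reports which icmp/icmpv6 type or code match expressions are missing from the listing. The sample input is the two expected/actual pairs copied from the report; the regular expression, the function names and the audit structure are the example's own assumptions, not anything firewalld's test suite does.

```python
import re

# Constructed sample input: the expected (-) and actual (+) lines for the two failing
# firewalld test groups quoted in the bug report, keyed by test file and line.
MISMATCHES = {
    "icmp_block_in_forward_chain.at:1": (
        "icmp type destination-unreachable icmp code host-prohibited "
        "reject with icmpx type admin-prohibited",
        "icmp code host-prohibited reject with icmpx type admin-prohibited",
    ),
    "rhbz1855140.at:1": (
        "icmpv6 type parameter-problem icmpv6 code no-route "
        "mark set mark & 0x00000086 ^ 0x00000086",
        "icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086",
    ),
}

# Assumption of this example: we only track "<proto> <field> <value>" match
# expressions for the icmp and icmpv6 protocols. The word boundary plus the
# required whitespace after the protocol name keeps "icmpx type ..." (the reject
# statement's type, not a match) from being picked up.
MATCH_RE = re.compile(r"\b(icmpv6|icmp)\s+(type|code)\s+(\S+)")


def match_exprs(rule: str) -> set:
    """Return the set of (proto, field, value) match expressions found in a rule."""
    return {(proto, field, value) for proto, field, value in MATCH_RE.findall(rule)}


def dropped_matches(expected: str, actual: str) -> list:
    """Match expressions present in the intended rule but absent from the listed rule."""
    return sorted(match_exprs(expected) - match_exprs(actual))


def audit(pairs: dict) -> dict:
    """Map each test name to the match expressions its listed rule lost (only failures)."""
    report = {}
    for name, (expected, actual) in pairs.items():
        lost = dropped_matches(expected, actual)
        if lost:
            report[name] = lost
    return report


if __name__ == "__main__":
    for name, lost in audit(MISMATCHES).items():
        print(name)
        for proto, field, value in lost:
            print(f"  missing match: {proto} {field} {value}")
```

Run against the two pairs from the report, the audit shows the same shape of loss in both: the `type` match is gone and the `code` match is intact, while the reject statement's `icmpx type` is correctly not counted. The same function can be pointed at an intended rule and the corresponding line of `nft list ruleset` output after a package upgrade, to confirm that the listing still round-trips the rules that were loaded.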
