Fail #2 - stdout mismatch
# -*- compilation -*-
124. rhbz1855140.at:1: testing rich rule icmptypes with one family ...
./rhbz1855140.at:1: if ! cp "${FIREWALLD_DEFAULT_CONFIG}/firewalld.conf"
./firewalld.conf; then exit 77; fi
./rhbz1855140.at:1: sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/'
./firewalld.conf
./rhbz1855140.at:1: sed -i 's/^FirewallBackend.*/FirewallBackend=nftables/'
./firewalld.conf
./rhbz1855140.at:1: ip netns add fwd-test-${at_group_normalized}
./rhbz1855140.at:1: env
DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}"
ip netns exec fwd-test-${at_group_normalized} nft -f ./nft_rule_index.nft
./rhbz1855140.at:1: env
DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}"
ip netns exec fwd-test-${at_group_normalized} rm ./nft_rule_index.nft
./rhbz1855140.at:1: env
DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}"
ip netns exec fwd-test-${at_group_normalized} nft delete table inet
firewalld_check_rule_index
not running
running
./rhbz1855140.at:4: env
DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}"
ip netns exec fwd-test-${at_group_normalized} firewall-cmd --permanent --zone
public --add-rich-rule='rule icmp-type name="echo-request" accept'
stdout:
success
./rhbz1855140.at:5: env
DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}"
ip netns exec fwd-test-${at_group_normalized} firewall-cmd --permanent --zone
public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'
stdout:
success
./rhbz1855140.at:6: env
DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}"
ip netns exec fwd-test-${at_group_normalized} firewall-cmd --permanent --zone
public --add-rich-rule='rule icmp-type name="timestamp-request" accept'
stdout:
success
./rhbz1855140.at:7: env
DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}"
ip netns exec fwd-test-${at_group_normalized} firewall-cmd --permanent --zone
public --add-rich-rule 'rule icmp-type name=bad-header mark set=0x86/0x86'
stdout:
success
./rhbz1855140.at:8: env
DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}"
ip netns exec fwd-test-${at_group_normalized} firewall-cmd -q --reload
./rhbz1855140.at:8: env
DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}"
ip netns exec fwd-test-${at_group_normalized} firewall-cmd -q --state
./rhbz1855140.at:9: env
DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}"
ip netns exec fwd-test-${at_group_normalized} sh <<-"HERE"
{ { { { nft $NFT_NUMERIC_ARGS list chain inet firewalld
mangle_PRE_public_allow; echo $? >&3; } | sed -e 's/^[ \t]*//' -e 's/[
\t]*$//' | sed -e '/^[ \t]*$/d' | sed -e 's/[ \t]\+/ /g' | { printf "%s" "$(cat
/dev/stdin)"; echo; } | sed -e 's/meta mark/mark/g' -e
'/type.*hook.*priority.*policy.*/d' -e '/ct
\(state\|status\)/{s/\(ct \(state\|status\)\) {/\1/g; s/ }//; s/\([a-z]*\),
/\1,/g;}' >&4; } 3>&1; } | { read RC; exit $RC; } } 4>&1
HERE
--- - 2021-05-10 12:59:11.409337617 +0000
+++
/tmp/autopkgtest.b8ayAF/build.gyK/src/src/tests/testsuite.dir/at-groups/124/stdout
2021-05-10 12:59:11.402697416 +0000
@@ -1,6 +1,6 @@
table inet firewalld {
chain mangle_PRE_public_allow {
-icmpv6 type parameter-problem icmpv6 code no-route mark set mark & 0x00000086
^ 0x00000086
+icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
}
}
124. rhbz1855140.at:1: 124. rich rule icmptypes with one family
(rhbz1855140.at:1): FAILED (rhbz1855140.at:9)
** Description changed:
The new nftables
- https://launchpad.net/ubuntu/+source/nftables/0.9.8-3
+ https://launchpad.net/ubuntu/+source/nftables/0.9.8-3
is stuck in proposed since it fails autopkgtest of firewalld
- https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/amd64
-
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/amd64/f/firewalld/20210510_135128_36f9c@/log.gz
- https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/s390x
-
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/s390x/f/firewalld/20210510_131115_faeb7@/log.gz
+ https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/amd64
+
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/amd64/f/firewalld/20210510_135128_36f9c@/log.gz
+ https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/s390x
+
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/s390x/f/firewalld/20210510_131115_faeb7@/log.gz
It fails the same way across architectures in:
## ------------------------ ##
## Summary of the failures. ##
## ------------------------ ##
Failed tests:
firewalld 0.9.3 test suite test groups:
- NUM: FILE-NAME:LINE TEST-GROUP-NAME
- KEYWORDS
+ NUM: FILE-NAME:LINE TEST-GROUP-NAME
+ KEYWORDS
- 97: icmp_block_in_forward_chain.at:1 ICMP block present FORWARD chain
- nftables icmp
- 124: rhbz1855140.at:1 rich rule icmptypes with one family
- nftables rich icmp rhbz1855140
+ 97: icmp_block_in_forward_chain.at:1 ICMP block present FORWARD chain
+ nftables icmp
+ 124: rhbz1855140.at:1 rich rule icmptypes with one family
+ nftables rich icmp rhbz1855140
The upstream issue tracker
- https://github.com/firewalld/firewalld/issues?q=is%3Aissue+is%3Aopen
+ https://github.com/firewalld/firewalld/issues?q=is%3Aissue+is%3Aopen
does not list those cases, but there is a new v9.4.0 that we might try.
In Debian this isn't showing up
- https://ci.debian.net/packages/f/firewalld/
+ https://ci.debian.net/packages/f/firewalld/
Because they are all Skipped for not having machine level isolation
-
https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/13738304/log.gz
+
https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/13738304/log.gz
+
+ In detail it seems there re two cases of expected-output-mismatch
+ in #97:
+ -icmp type destination-unreachable icmp code host-prohibited reject with
icmpx type admin-prohibited
+ +icmp code host-prohibited reject with icmpx type admin-prohibited
+ in #124:
+ -icmpv6 type parameter-problem icmpv6 code no-route mark set mark &
0x00000086 ^ 0x00000086
+ +icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
+
+ Those look like they might have the same root cause.
Furthermore it is yet unclear if this is locally reproducible.
** Description changed:
The new nftables
https://launchpad.net/ubuntu/+source/nftables/0.9.8-3
is stuck in proposed since it fails autopkgtest of firewalld
https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/amd64
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/amd64/f/firewalld/20210510_135128_36f9c@/log.gz
https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/s390x
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/s390x/f/firewalld/20210510_131115_faeb7@/log.gz
It fails the same way across architectures in:
## ------------------------ ##
## Summary of the failures. ##
## ------------------------ ##
Failed tests:
firewalld 0.9.3 test suite test groups:
NUM: FILE-NAME:LINE TEST-GROUP-NAME
KEYWORDS
97: icmp_block_in_forward_chain.at:1 ICMP block present FORWARD chain
nftables icmp
124: rhbz1855140.at:1 rich rule icmptypes with one family
nftables rich icmp rhbz1855140
The upstream issue tracker
https://github.com/firewalld/firewalld/issues?q=is%3Aissue+is%3Aopen
does not list those cases, but there is a new v9.4.0 that we might try.
In Debian this isn't showing up
https://ci.debian.net/packages/f/firewalld/
Because they are all Skipped for not having machine level isolation
https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/13738304/log.gz
+
In detail it seems there re two cases of expected-output-mismatch
in #97:
-icmp type destination-unreachable icmp code host-prohibited reject with
icmpx type admin-prohibited
+icmp code host-prohibited reject with icmpx type admin-prohibited
in #124:
-icmpv6 type parameter-problem icmpv6 code no-route mark set mark &
0x00000086 ^ 0x00000086
+icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
Those look like they might have the same root cause.
- Furthermore it is yet unclear if this is locally reproducible.
+
+ It seems that this is present for a while, this is nftables nftables/0.9.8-1
in Hirsute half a year ago.
+
https://autopkgtest.ubuntu.com/results/autopkgtest-hirsute/hirsute/amd64/f/firewalld/20210118_230221_66bea@/log.gz
+
+ before nftables 0.9.8 it worked on 0.9.7-1:
+
https://autopkgtest.ubuntu.com/results/autopkgtest-hirsute/hirsute/amd64/f/firewalld/20201101_064747_2b123@/log.gz
+
+ TODO:
+ - Furthermore it is yet unclear if this is locally reproducible.
+ - this is old enough someone else might have debugged this but missed to file
bugs?
** Description changed:
The new nftables
https://launchpad.net/ubuntu/+source/nftables/0.9.8-3
is stuck in proposed since it fails autopkgtest of firewalld
https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/amd64
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/amd64/f/firewalld/20210510_135128_36f9c@/log.gz
https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/s390x
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/s390x/f/firewalld/20210510_131115_faeb7@/log.gz
It fails the same way across architectures in:
## ------------------------ ##
## Summary of the failures. ##
## ------------------------ ##
Failed tests:
firewalld 0.9.3 test suite test groups:
NUM: FILE-NAME:LINE TEST-GROUP-NAME
KEYWORDS
97: icmp_block_in_forward_chain.at:1 ICMP block present FORWARD chain
nftables icmp
124: rhbz1855140.at:1 rich rule icmptypes with one family
nftables rich icmp rhbz1855140
The upstream issue tracker
https://github.com/firewalld/firewalld/issues?q=is%3Aissue+is%3Aopen
does not list those cases, but there is a new v9.4.0 that we might try.
In Debian this isn't showing up
https://ci.debian.net/packages/f/firewalld/
Because they are all Skipped for not having machine level isolation
https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/13738304/log.gz
-
In detail it seems there re two cases of expected-output-mismatch
in #97:
-icmp type destination-unreachable icmp code host-prohibited reject with
icmpx type admin-prohibited
+icmp code host-prohibited reject with icmpx type admin-prohibited
in #124:
-icmpv6 type parameter-problem icmpv6 code no-route mark set mark &
0x00000086 ^ 0x00000086
+icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
Those look like they might have the same root cause.
-
It seems that this is present for a while, this is nftables nftables/0.9.8-1
in Hirsute half a year ago.
-
https://autopkgtest.ubuntu.com/results/autopkgtest-hirsute/hirsute/amd64/f/firewalld/20210118_230221_66bea@/log.gz
+
https://autopkgtest.ubuntu.com/results/autopkgtest-hirsute/hirsute/amd64/f/firewalld/20210118_230221_66bea@/log.gz
before nftables 0.9.8 it worked on 0.9.7-1:
https://autopkgtest.ubuntu.com/results/autopkgtest-hirsute/hirsute/amd64/f/firewalld/20201101_064747_2b123@/log.gz
+ With the right keywords I've found closed bugs in firewalld pointing to a
nftables fix:
+ - https://github.com/firewalld/firewalld/issues/752 (thanks locutus for
filing)
+ - https://marc.info/?l=netfilter-devel&m=161221629204555&w=2 <- supposed to
be the fix
+
TODO:
- Furthermore it is yet unclear if this is locally reproducible.
- - this is old enough someone else might have debugged this but missed to file
bugs?
** Description changed:
The new nftables
https://launchpad.net/ubuntu/+source/nftables/0.9.8-3
is stuck in proposed since it fails autopkgtest of firewalld
https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/amd64
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/amd64/f/firewalld/20210510_135128_36f9c@/log.gz
https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/s390x
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/s390x/f/firewalld/20210510_131115_faeb7@/log.gz
It fails the same way across architectures in:
## ------------------------ ##
## Summary of the failures. ##
## ------------------------ ##
Failed tests:
firewalld 0.9.3 test suite test groups:
NUM: FILE-NAME:LINE TEST-GROUP-NAME
KEYWORDS
97: icmp_block_in_forward_chain.at:1 ICMP block present FORWARD chain
nftables icmp
124: rhbz1855140.at:1 rich rule icmptypes with one family
nftables rich icmp rhbz1855140
The upstream issue tracker
https://github.com/firewalld/firewalld/issues?q=is%3Aissue+is%3Aopen
does not list those cases, but there is a new v9.4.0 that we might try.
In Debian this isn't showing up
https://ci.debian.net/packages/f/firewalld/
Because they are all Skipped for not having machine level isolation
https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/13738304/log.gz
In detail it seems there re two cases of expected-output-mismatch
in #97:
-icmp type destination-unreachable icmp code host-prohibited reject with
icmpx type admin-prohibited
+icmp code host-prohibited reject with icmpx type admin-prohibited
in #124:
-icmpv6 type parameter-problem icmpv6 code no-route mark set mark &
0x00000086 ^ 0x00000086
+icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
Those look like they might have the same root cause.
It seems that this is present for a while, this is nftables nftables/0.9.8-1
in Hirsute half a year ago.
https://autopkgtest.ubuntu.com/results/autopkgtest-hirsute/hirsute/amd64/f/firewalld/20210118_230221_66bea@/log.gz
before nftables 0.9.8 it worked on 0.9.7-1:
https://autopkgtest.ubuntu.com/results/autopkgtest-hirsute/hirsute/amd64/f/firewalld/20201101_064747_2b123@/log.gz
With the right keywords I've found closed bugs in firewalld pointing to a
nftables fix:
- https://github.com/firewalld/firewalld/issues/752 (thanks locutus for
filing)
- https://marc.info/?l=netfilter-devel&m=161221629204555&w=2 <- supposed to
be the fix
- TODO:
- - Furthermore it is yet unclear if this is locally reproducible.
+ The issue is locally reproducible in e.g. autopkgtest VM and thereby
+ fixes can be tested the same way.
** Description changed:
The new nftables
https://launchpad.net/ubuntu/+source/nftables/0.9.8-3
is stuck in proposed since it fails autopkgtest of firewalld
https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/amd64
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/amd64/f/firewalld/20210510_135128_36f9c@/log.gz
https://autopkgtest.ubuntu.com/packages/f/firewalld/impish/s390x
https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/s390x/f/firewalld/20210510_131115_faeb7@/log.gz
It fails the same way across architectures in:
## ------------------------ ##
## Summary of the failures. ##
## ------------------------ ##
Failed tests:
firewalld 0.9.3 test suite test groups:
NUM: FILE-NAME:LINE TEST-GROUP-NAME
KEYWORDS
97: icmp_block_in_forward_chain.at:1 ICMP block present FORWARD chain
nftables icmp
124: rhbz1855140.at:1 rich rule icmptypes with one family
nftables rich icmp rhbz1855140
The upstream issue tracker
https://github.com/firewalld/firewalld/issues?q=is%3Aissue+is%3Aopen
does not list those cases, but there is a new v9.4.0 that we might try.
In Debian this isn't showing up
https://ci.debian.net/packages/f/firewalld/
Because they are all Skipped for not having machine level isolation
https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/13738304/log.gz
In detail it seems there re two cases of expected-output-mismatch
in #97:
-icmp type destination-unreachable icmp code host-prohibited reject with
icmpx type admin-prohibited
+icmp code host-prohibited reject with icmpx type admin-prohibited
in #124:
-icmpv6 type parameter-problem icmpv6 code no-route mark set mark &
0x00000086 ^ 0x00000086
+icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
Those look like they might have the same root cause.
It seems that this is present for a while, this is nftables nftables/0.9.8-1
in Hirsute half a year ago.
https://autopkgtest.ubuntu.com/results/autopkgtest-hirsute/hirsute/amd64/f/firewalld/20210118_230221_66bea@/log.gz
before nftables 0.9.8 it worked on 0.9.7-1:
https://autopkgtest.ubuntu.com/results/autopkgtest-hirsute/hirsute/amd64/f/firewalld/20201101_064747_2b123@/log.gz
With the right keywords I've found closed bugs in firewalld pointing to a
nftables fix:
- - https://github.com/firewalld/firewalld/issues/752 (thanks locutus for
filing)
+ - https://github.com/firewalld/firewalld/issues/752 (thanks
Costamagna/Michael for filing)
- https://marc.info/?l=netfilter-devel&m=161221629204555&w=2 <- supposed to
be the fix
The issue is locally reproducible in e.g. autopkgtest VM and thereby
fixes can be tested the same way.
** Changed in: nftables (Ubuntu)
Status: New => Triaged
** Changed in: firewalld (Ubuntu)
Status: New => Confirmed
** Changed in: firewalld (Ubuntu)
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1936902
Title:
new nftables 0.9.8-3 breaks firewalld 0.9.3 autopkgtest
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firewalld/+bug/1936902/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
