Your message dated Thu, 15 Nov 2018 11:51:02 +0000
with message-id <[email protected]>
and subject line Bug#913088: fixed in iptables 1.8.2-1
has caused the Debian Bug report #913088,
regarding iptables: nftables layer breaks rule parameter -f , --fragment
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
913088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913088
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iptables
Version: 1.8.1-2
Severity: grave
Justification: renders package unusable

Dear Maintainer,

installing and activating arno-iptables-firewall today resulted in blocking any outgoing network traffic. Investigations showed that the -f parameter is interpreted differently with iptables in comparison to iptables-legacy.

iptables-legacy behaves as described in the man page and as iptables 1.6.0+snapshot20161117-6 from stretch does:

    -f, --fragment
        This means that the rule only refers to second and further IPv4 fragments of fragmented packets.

iptables 1.8.1-2 in contrast seems to interpret -f as 'Apply this rule to all packets with the Don't Fragment flag set'.

Proof:

# Test with no rules
# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
# Warning: iptables-legacy tables present, use iptables-legacy to see them
# iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

# Ping with set Don't Fragment Flag works
# LANG=C ping -c1 -Mdo 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
64 bytes from 192.168.0.28: icmp_seq=1 ttl=64 time=4.16 ms

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.158/4.158/4.158/0.000 ms

# Ping with cleared Don't Fragment Flag works
# LANG=C ping -c1 -Mdont 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
64 bytes from 192.168.0.28: icmp_seq=1 ttl=64 time=3.98 ms

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.975/3.975/3.975/0.000 ms

# Test with rule meant to drop second and further fragments
# iptables -A OUTPUT -f -j DROP
# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A OUTPUT -f -j DROP
# Warning: iptables-legacy tables present, use iptables-legacy to see them
# iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

# Ping with set Don't Fragment Flag DOES NOT work
# LANG=C ping -c1 -Mdo 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
ping: sendmsg: Operation not permitted

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

# Ping with cleared Don't Fragment Flag works
# LANG=C ping -c1 -Mdont 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
64 bytes from 192.168.0.28: icmp_seq=1 ttl=64 time=4.56 ms

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.563/4.563/4.563/0.000 ms

# Test with iptables-legacy and rule meant to drop second and further fragments
# iptables -F
# iptables-legacy -F
# iptables-legacy -A OUTPUT -f -j DROP
# iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -f -j DROP

# Ping with set Don't Fragment Flag works
# LANG=C ping -c1 -Mdo 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
64 bytes from 192.168.0.28: icmp_seq=1 ttl=64 time=4.09 ms

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.091/4.091/4.091/0.000 ms

# Ping with cleared Don't Fragment Flag works
# LANG=C ping -c1 -Mdont 192.168.0.28
PING 192.168.0.28 (192.168.0.28) 56(84) bytes of data.
64 bytes from 192.168.0.28: icmp_seq=1 ttl=64 time=4.18 ms

--- 192.168.0.28 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.179/4.179/4.179/0.000 ms

As most if not all network packets are sent with the Don't Fragment flag set, a rule using the -f parameter effectively blocks all network traffic. The current behavior renders a firewall like arno-iptables-firewall unusable.

Regards,
Sven

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.27-8
ii  libip4tc0                1.8.1-2
ii  libip6tc0                1.8.1-2
ii  libiptc0                 1.8.1-2
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl7                1.1.1-1
ii  libxtables12             1.8.1-2

iptables recommends no packages.

Versions of packages iptables suggests:
ii  kmod  25-1

-- no debconf information
--- End Message ---
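The semantic difference the report measures comes down to which bits of the IPv4 "flags + fragment offset" field a rule tests. The following is an added example, not code from the bug report, from arno-iptables-firewall or from iptables: it parses that 16-bit field from raw header bytes and evaluates the same header three ways: the documented -f semantics (fragment offset != 0, i.e. second and further fragments, which is also the test the nft syntax `ip frag-off & 0x1fff != 0` expresses), the "DF bit set" behaviour the report observed with 1.8.1-2, and, as a hypothetical illustration only (the page does not state the root cause), a 13-bit offset mask applied in the wrong byte order, which happens to cover the DF bit while missing some real offsets. The header bytes and the sample packets are constructed inline; the addresses mirror the report's ping target and the checksum is left at zero.

```python
"""IPv4 fragment-field semantics behind iptables' -f / --fragment.

Added example, not code from the bug report or from iptables. Sample
headers are constructed inline so the evaluators can be run offline.
"""
import struct

# Bit layout of the 16-bit flags/fragment-offset field (IPv4 header bytes 6-7).
FLAG_DF = 0x4000        # Don't Fragment
FLAG_MF = 0x2000        # More Fragments
OFFSET_MASK = 0x1fff    # 13-bit fragment offset, in 8-byte units


def frag_field(pkt: bytes) -> int:
    """Return the flags/offset field of an IPv4 header as a host-order int."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack("!H", pkt[6:8])[0]


def parse_ipv4_frag(pkt: bytes) -> tuple:
    """(DF set, MF set, fragment offset) of an IPv4 header."""
    f = frag_field(pkt)
    return bool(f & FLAG_DF), bool(f & FLAG_MF), f & OFFSET_MASK


def match_documented(pkt: bytes) -> bool:
    """man iptables: -f matches second and further fragments, i.e. offset != 0.
    This is the same test as the nft expression `ip frag-off & 0x1fff != 0`."""
    return (frag_field(pkt) & OFFSET_MASK) != 0


def match_df_observed(pkt: bytes) -> bool:
    """What the report observed with iptables 1.8.1-2: DF set => match."""
    return (frag_field(pkt) & FLAG_DF) != 0


def match_swapped_mask(pkt: bytes) -> bool:
    """HYPOTHETICAL illustration (the page does not state the root cause):
    the 13-bit mask 0x1fff emitted in the wrong byte order reads as 0xff1f on
    the wire, which covers the DF bit and misses offsets such as 32 (0x0020)."""
    swapped = ((OFFSET_MASK & 0xff) << 8) | (OFFSET_MASK >> 8)   # 0xff1f
    return (frag_field(pkt) & swapped) != 0


def build_ipv4_header(df=False, mf=False, offset=0, total_length=84, proto=1) -> bytes:
    """Constructed 20-byte IPv4 header (ICMP by default); checksum left as zero."""
    if offset & ~OFFSET_MASK:
        raise ValueError("offset must fit in 13 bits")
    flags_frag = (FLAG_DF if df else 0) | (FLAG_MF if mf else 0) | offset
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_length, 0x1234, flags_frag, 64, proto, 0,
        bytes([192, 168, 0, 1]), bytes([192, 168, 0, 28]),
    )


# Constructed samples; the first two correspond to the report's ping -Mdo / -Mdont.
SAMPLES = {
    "ping -Mdo (DF set, not fragmented)":     build_ipv4_header(df=True),
    "ping -Mdont (no flags, not fragmented)": build_ipv4_header(),
    "first fragment (MF, offset 0)":          build_ipv4_header(mf=True),
    "second fragment (MF, offset 185)":       build_ipv4_header(mf=True, offset=185),
    "last fragment (offset 32, MF clear)":    build_ipv4_header(offset=32),
}


def evaluate(pkt: bytes) -> dict:
    """Run all three interpretations of -f against one header."""
    return {
        "documented": match_documented(pkt),
        "df_observed": match_df_observed(pkt),
        "swapped_mask": match_swapped_mask(pkt),
    }


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:42} DF/MF/off={parse_ipv4_frag(pkt)!s:22} {evaluate(pkt)}")
```

Run stand-alone it prints one row per sample: the `-Mdo` row is matched by the DF and swapped-mask evaluators but not by the documented one, which is exactly the "Operation not permitted" ping in the report, while the offset-32 fragment is matched only by the documented evaluator. Linux sets DF on most IPv4 traffic for path MTU discovery, which is why a `-f` rule that keys on that bit drops nearly everything. On a live 1.8.x system the cheap check is `iptables-translate -A OUTPUT -f -j DROP`: its output should carry the 13-bit offset mask (0x1fff) and a `!= 0` comparison; anything that tests the DF bit or a byte-swapped mask reproduces this bug.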
--- Begin Message ---
Source: iptables
Source-Version: 1.8.2-1

We believe that the bug you reported is fixed in the latest version of
iptables, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arturo Borrero Gonzalez <[email protected]> (supplier of updated iptables package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 15 Nov 2018 12:33:36 +0100
Source: iptables
Binary: iptables iptables-dev libxtables12 libxtables-dev libiptc0 libiptc-dev libip4tc0 libip4tc-dev libip6tc0 libip6tc-dev
Architecture: source
Version: 1.8.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Netfilter Packaging Team <[email protected]>
Changed-By: Arturo Borrero Gonzalez <[email protected]>
Description:
 iptables       - administration tools for packet filtering and NAT
 iptables-dev   - transitional dummy package
 libip4tc-dev   - Development files for libip4tc
 libip4tc0      - netfilter libip4tc library
 libip6tc-dev   - Development files for libip6tc
 libip6tc0      - netfilter libip6tc library
 libiptc-dev    - Development files for libiptc
 libiptc0       - netfilter libiptc library
 libxtables-dev - netfilter xtables library -- development files
 libxtables12   - netfilter xtables library
Closes: 816087 911899 912607 912610 912981 913088 913114 913742
Changes:
 iptables (1.8.2-1) unstable; urgency=medium
 .
   * This upstream release closes several bugs:
     Closes: #913742
     Closes: #913114
     Closes: #816087
     Closes: #913088
     Closes: #912607
     Closes: #912610
   * [0309474] New upstream version 1.8.2
   * [5d3a638] d/t/control: replace compat names with nft ones
   * [31d2d6e] d/NEWS: fix typos (Closes: #912981)
   * [b24cf92] iptables: don't ship paths served by update-alternatives (Closes: #911899)
   * [f5ec47b] d/patches: cherry-pick format-security_fixes_in_libip[6]t_icmp.patch
   * [2017f99] d/libxtables12.symbols: add new symbols
Checksums-Sha1:
 9bcfcdd9f0979d0db68caa4942dac4919b58b913 2699 iptables_1.8.2-1.dsc
 215c4ef4c6cd29ef0dd265b4fa5ec51a4f930c92 679858 iptables_1.8.2.orig.tar.bz2
 4fc5f0f79a1b1c5b1a231a5a4da2c36e3ea2f848 64348 iptables_1.8.2-1.debian.tar.xz
 1970a72fd294c8f9826f0e7231d799c188b75f02 9036 iptables_1.8.2-1_amd64.buildinfo
Checksums-Sha256:
 24d39c7cd9e9536c7e65b76c7e283d109684c4f25c9eefbc22be581a342f4cc9 2699 iptables_1.8.2-1.dsc
 a3778b50ed1a3256f9ca975de82c2204e508001fc2471238c8c97f3d1c4c12af 679858 iptables_1.8.2.orig.tar.bz2
 52eca8f1ea202addf1c53b77110031155cdc661abe72ba7400b6b6c0914d9044 64348 iptables_1.8.2-1.debian.tar.xz
 84b1a46d35503ec0b35e33aed7c5c0767007885757bdb7c1ba0bf30825e2e570 9036 iptables_1.8.2-1_amd64.buildinfo
Files:
 af84c8d6866471a46b1e9a8ea67c0204 2699 net important iptables_1.8.2-1.dsc
 944558e88ddcc3b9b0d9550070fa3599 679858 net important iptables_1.8.2.orig.tar.bz2
 01ce00c6a90f4683fde2447947a00de4 64348 net important iptables_1.8.2-1.debian.tar.xz
 0b6c0a4c65796c6067dc46f79e371d8f 9036 net important iptables_1.8.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3ZhhqyPcMzOJLgepaOcTmB0VFfgFAlvtWgkACgkQaOcTmB0V
Ffh8dQ//f0jy2uG/nDt74GuHC4nT92YgDv/Ouu6TqpWJoElJbGW0gm6FblXrUNOC
uMqlWhD7Pa+UgmRCW0d8OYv3sc1l20kpixjNAD1yweWOHkLP4lcrh5wnOJh2RH0k
cW15DeIv6vGWb5oMiarM7jBd9h48X4Yz1Ko3pn86VIO5VDsO5tKpgkEscDc9Wz29
VOiY2zrggG7aDZFNMUYuJgCjUU0Uoyx/bv+vyeTd88wmjF+jlKY9fJORxXdiNzRv
phMxzpooVm4oYbk68/ric6l5uAB/alNgwCnH3acEeCupiSuUYtShOsmqRD26lraq
F87Lm6+mQ1Oz1dGw2L6DtBUBDGbzR7NGUgfCu/24BodJZfx/ldkyPLjyXy3aiu31
eSIt4YhiyCfY8u/lHJEdMh4HmGJmSRgU7+kwyhF715EJIydCQ5JzFAS3DOiVWPGU
nkUHuiO/4C2NRt1HePTo8Vcju1bSlz5ZfEd0y84hHxzwcr7/fSMJLvzmGM9R1qkw
uNpzXlvc5XSFEB2xZbKmISKwTPDZf6gY4pn39UZgm9LUHafbrtFPJlPpqngCdeLB
Au136CXCbO4Qz3mfJqCYF+M7RsuIaGCtvTaW4WZIqShP/14dvgfSMUNP0RlIhys0
vmk5p+/K4JaztbNwwEeAbZXQFkFG0kaBJ7LM4455vx3onUQMQI0=
=zTdU
-----END PGP SIGNATURE-----
--- End Message ---