Package: iptables
Version: 1.8.10-1
Severity: normal
Tags: patch
Hi,

firewalld fails to work with the current version of iptables in Debian. This is exemplified by the autopkgtest which recently has been made available in Debian (thanks elbrus): https://ci.debian.net/packages/f/firewalld/unstable/amd64/41650423/

After contacting firewalld upstream in https://github.com/firewalld/firewalld/issues/1268 it turns out this issue has already been fixed in ebtables (iptables-nft) commit c1083acea707 ("ebtables: Fix corner-case noflush restore bug"). Cherry-picking this commit for iptables makes the firewalld test suite pass. I'm attaching the commit as a patch file.

If you are busy, I can offer to NMU.

Regards,
Michael

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.9-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.37-13
ii  libip4tc2                1.8.10-1
ii  libip6tc2                1.8.10-1
ii  libmnl0                  1.0.5-2
ii  libnetfilter-conntrack3  1.0.9-6
ii  libnfnetlink0            1.0.2-2
ii  libnftnl11               1.2.6-2
ii  libxtables12             1.8.10-1
ii  netbase                  6.4

Versions of packages iptables recommends:
ii  nftables  1.0.9-1+b2

Versions of packages iptables suggests:
ii  firewalld  2.1.0-1
ii  kmod       31-1

-- no debconf information
commit c1083acea70787eea3f7929fd04718434bb05ba8 Author: Phil Sutter <p...@nwl.cc> Date: Tue Nov 7 19:12:14 2023 +0100 ebtables: Fix corner-case noflush restore bug Report came from firwalld, but this is actually rather hard to trigger. Since a regular chain line prevents it, typical dump/restore use-cases are unaffected. Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation") Cc: Eric Garver <e...@garver.life> Signed-off-by: Phil Sutter <p...@nwl.cc> diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 new file mode 100755 index 00000000..0def0ac5 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 @@ -0,0 +1,25 @@ +#!/bin/sh +# +# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring: +# - with --noflush +# - a second table after the broute one +# - A policy command but no chain line for BROUTING chain + +set -e + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +$XT_MULTI ebtables-restore --noflush <<EOF +*broute +-P BROUTING ACCEPT +*nat +-P PREROUTING ACCEPT +COMMIT +EOF diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 08eec79d..a8ad57c7 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain) return NF_BR_LOCAL_OUT; else if (strcmp(chain, "POSTROUTING") == 0) return NF_BR_POST_ROUTING; + else if (strcmp(chain, "BROUTING") == 0) + return NF_BR_BROUTING; /* placeholder for user defined chain */ return NF_BR_NUMHOOKS;
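Review bot: the new testcase 0009-broute-bug_0 only checks that `$XT_MULTI ebtables-restore --noflush` exits 0 (through `set -e`); it does not verify what the restore actually produced, so a regression that makes the command succeed while applying the BROUTING or PREROUTING policy to the wrong table would still pass. Since the header comment says the trigger needs "a second table after the broute one" and "a policy command but no chain line", dumping the ruleset afterwards (for example with `$XT_MULTI ebtables-save`) and comparing it against the expected `*broute` / `*nat` output would make the test assert the behaviour the comment describes rather than just the exit status.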
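Review bot: the added branch in ebt_get_current_chain() mapping "BROUTING" to NF_BR_BROUTING is the right fix, but neither the commit message nor the code explains why falling through to the `/* placeholder for user defined chain */` return value (NF_BR_NUMHOOKS) for a builtin chain turned into the "odd caching bug" described in the test header. A sentence in the commit message, or a short comment beside the new `else if`, stating what the wrong hook index does on the --noflush restore path when a policy command is the only line for the chain would help whoever next touches this function, and would also make the Fixes: 73611d5582e72 reference easier to follow.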