Bug#1035511: iptables-netflow-dkms: fails to upgrade from bullseye: fails to build a module for the bullseye kernel
Control: tag -1 + patch pending

Hi Andreas,

Axel Beckert wrote:
> Looking through upstream's commits, I suspect cherrypicking this
> upstream commit might fix it:
>
> https://github.com/aabc/ipt-netflow/commit/0901f028617acca350132a65293ab80a480bf233

Yep, cherry-picking that one fixed it. Looks like a regression
introduced by 6a55739a ("Fix build on v5.15 (ct_event)") which I
cherry-picked in 2.6-3.

So thanks again for the report. Upload should happen in the next few
hours.

Regards, Axel
--
 ,''`.  |  Axel Beckert, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Bug#1035511: iptables-netflow-dkms: fails to upgrade from bullseye: fails to build a module for the bullseye kernel
Hi Andreas,

Andreas Beckmann wrote:
> On 10/05/2023 16.32, Axel Beckert wrote:
> > BUILD_EXCLUSIVE_* would be my currently slightly preferred approach as
> > it's likely much simpler to implement and its impact is more clear,
> > but not necessarily "smaller". Currently trying to figure out how it
> > actually works.
>
> it's a regex, like (untested):
> # 6.1+
> BUILD_EXCLUSIVE_KERNEL="([7-9]|6\.[1-9]|6\.[1-9][0-9])\..*"

Thanks for the prompt and helpful reply!

> > > this will be easier from bookworm+1 onwards).
> >
> > Ok. Well, I'll see.
>
> BUILD_EXCLUSIVE_KERNEL_MIN="6.1"

Indeed easier. :-)

> My preference would be to fix the module to build with the bullseye
> kernel,

Thanks for that comment as well.

> Whenever that breaks again after an update to the kernel in
> bullseye, it probably breaks the module in bullseye, too.

Chances are there, but at least this breakage doesn't seem to have
happened in Bullseye.

Looking through upstream's commits, I suspect cherrypicking this
upstream commit might fix it:

https://github.com/aabc/ipt-netflow/commit/0901f028617acca350132a65293ab80a480bf233

commit 0901f028617acca350132a65293ab80a480bf233 Author: Vadim Fedorenko Date: Mon Mar 28 21:59:10 2022 +0300 fix building on old kernels Link: https://github.com/aabc/ipt-netflow/pull/196 diff --git a/compat.h b/compat.h index 6be9d6b..847117f 100644 --- a/compat.h +++ b/compat.h @@ -782,7 +782,14 @@ struct module *find_module(const char *name) #endif #ifndef HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT +/* + * nat event callback parameter is constified in 5.15+ + * but it prevents module building with previous kernel versions + */ +# define NF_CT_EVENT struct nf_ct_event # define ct_event fcn +#else +# define NF_CT_EVENT const struct nf_ct_event #endif #endif /* COMPAT_NETFLOW_H */ diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c index e042fe6..82805bc 100644 --- a/ipt_NETFLOW.c +++ b/ipt_NETFLOW.c
@@ -4597,7 +4597,7 @@ static void rate_timer_calc( #ifdef CONFIG_NF_NAT_NEEDED #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31) static struct nf_ct_event_notifier *saved_event_cb __read_mostly = NULL; -static int netflow_conntrack_event(const unsigned int events, const struct nf_ct_event *item) +static int netflow_conntrack_event(const unsigned int events, NF_CT_EVENT *item) #else static int netflow_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr) #endif

Regards, Axel
--
 ,''`.  |  Axel Beckert, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
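Review bot: In the compat.h hunk, the constness of the callback parameter is selected by HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT, which the build log in this thread shows is a test for the presence of the ct_event member ("Test member nf_ct_event_notifier.ct_event"), not for the parameter type. That couples two independent kernel changes: a kernel that has the renamed member but not the const parameter, or the reverse (for example through a stable backport), would again fail with an incompatible-pointer-type error. Consider adding a separate gen_compat_def test for the callback's parameter type and choosing NF_CT_EVENT from that result, and rewording the comment so it does not tie the behaviour to "5.15+".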
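Review bot: In the ipt_NETFLOW.c hunk, the new prototype "NF_CT_EVENT *item" no longer shows at the definition whether item is const, and on kernels without the ct_event member it is now a mutable pointer. The removed line declared it const, so the body does not write through it; a one-line comment at the prototype pointing to the NF_CT_EVENT definition in compat.h, and keeping the body read-only with respect to item, would keep both variants equivalent and make the intent clear to the next reader.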
Bug#1035511: iptables-netflow-dkms: fails to upgrade from bullseye: fails to build a module for the bullseye kernel
On 10/05/2023 16.32, Axel Beckert wrote:
> BUILD_EXCLUSIVE_* would be my currently slightly preferred approach as
> it's likely much simpler to implement and its impact is more clear,
> but not necessarily "smaller". Currently trying to figure out how it
> actually works.

it's a regex, like (untested):
# 6.1+
BUILD_EXCLUSIVE_KERNEL="([7-9]|6\.[1-9]|6\.[1-9][0-9])\..*"

> > this will be easier from bookworm+1 onwards).
>
> Ok. Well, I'll see.

BUILD_EXCLUSIVE_KERNEL_MIN="6.1"

My preference would be to fix the module to build with the bullseye
kernel, too. Whenever that breaks again after an update to the kernel in
bullseye, it probably breaks the module in bullseye, too.

Andreas
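An added example (not written by the thread participants and not DKMS code) that checks which kernel release strings the BUILD_EXCLUSIVE_KERNEL pattern quoted above would accept, assuming the pattern is applied as an unanchored extended-regex search over the release string. The releases 5.10.0-22-amd64 and 6.1.0-7-amd64 come from the build log in this thread; the other two releases and the anchored variant are constructed for comparison.

```shell
#!/bin/sh
# Added example: which kernel releases does a BUILD_EXCLUSIVE_KERNEL
# pattern let through? Assumption: the pattern is an extended regex that
# is searched for anywhere in the release string (no implicit anchoring).

# Pattern exactly as quoted in the message above.
PATTERN_QUOTED='([7-9]|6\.[1-9]|6\.[1-9][0-9])\..*'
# Constructed variant: same pattern with a leading anchor.
PATTERN_ANCHORED='^([7-9]|6\.[1-9]|6\.[1-9][0-9])\..*'

# kernel_allowed PATTERN RELEASE
# Exit status 0 means "module would be built for RELEASE".
kernel_allowed() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# report PATTERN
# Print build/skip for each sample release. The first two releases are
# taken from the log in this thread, the last two are constructed.
report() {
    for rel in 5.10.0-22-amd64 6.1.0-7-amd64 6.0.0-6-amd64 5.17.0-1-amd64; do
        if kernel_allowed "$1" "$rel"; then
            echo "build  $rel"
        else
            echo "skip   $rel"
        fi
    done
}

echo "quoted pattern:"
report "$PATTERN_QUOTED"
echo "anchored pattern:"
report "$PATTERN_ANCHORED"
```

Under that assumption the quoted pattern skips the bullseye kernel as intended, but it also accepts 5.17.0-1-amd64 because "7." occurs inside the string; the anchored variant does not.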
Bug#1035511: iptables-netflow-dkms: fails to upgrade from bullseye: fails to build a module for the bullseye kernel
Hi Andreas,

thanks for the bug report. Actually I do have a Bookworm system
already running with iptables-netflow-dkms, but it was a fresh
installation on new hardware.

Andreas Beckmann wrote:
> during a test with piuparts I noticed your package fails to upgrade from
> 'bullseye'.
> It installed fine in 'bullseye' (with linux-headers-amd64
> installed),

Just for clarification: "It" means that the version from bullseye
installed fine on bullseye. From the log you attached:

  Unpacking iptables-netflow-dkms (2.6-3.1) over (2.5.1-2) ...

> Setting up iptables-netflow-dkms (2.6-3.1) ...
> Loading new ipt-netflow-2.6 DKMS files...
> It is likely that 5.10.28 belongs to a chroot's host
> Building for 5.10.0-22-amd64 and 6.1.0-7-amd64
> Building initial module for 5.10.0-22-amd64
> Error! Bad return status for module build on kernel: 5.10.0-22-amd64
> (x86_64)
> Consult /var/lib/dkms/ipt-netflow/2.6/build/make.log for more information.
> dpkg: error processing package iptables-netflow-dkms (--configure):
>  installed iptables-netflow-dkms package post-installation script
> subprocess returned error exit status 10

This is probably because of some backported fixes to kernel security
updates in bullseye which ipt_NETFLOW upstream didn't expect to
already see in that seemingly older kernel version. Happened in the
past and will likely happen again over time. :-/

Generally I see two ways to fix this, with both having pros and cons:

* Restrict module to kernel ≥ 6.1.

  Disadvantage: Will refuse to work with older, locally compiled
  kernels even if it would work.

  Advantage: Will still work for late upgrades even if the Bullseye
  kernel gets another backported fix which then will make the upgrade
  fail in the same way again.

* Fix the build by probably updating versions in some of the #ifdefs
  in the code which try to decide on the right kernel API.

  Advantage: Will also work for those who need older kernels (even if
  only for a while).

  Disadvantage: Might break again on future backported kernel fixes in
  Bullseye.

> As during the upgrade phase it is very likely that both the old and new
> kernel and their headers are installed, the dkms module should be able
> to build for both kernel versions (or use some BUILD_EXCLUSIVE_*
> settings to exclude unsupported versions,

BUILD_EXCLUSIVE_* would be my currently slightly preferred approach as
it's likely much simpler to implement and its impact is more clear,
but not necessarily "smaller". Currently trying to figure out how it
actually works.

> this will be easier from bookworm+1 onwards).

Ok. Well, I'll see.

> /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c: In function 'nf_seq_show':
> /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:762:39: warning: format
> '%lu' expects argument of type 'long unsigned int', but argument 3 has type
> 's64' {aka 'long long int'} [-Wformat=]
>   762 |seq_printf(seq, " Flows selected %lu, discarded %lu.",
>       | ~~^
>       | |
>       | long unsigned int
>       | %llu
> /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:762:54: warning: format
> '%lu' expects argument of type 'long unsigned int', but argument 4 has type
> 's64' {aka 'long long int'} [-Wformat=]
>   762 |seq_printf(seq, " Flows selected %lu, discarded %lu.",
>       |~~^
>       | |
>       | long unsigned int
>       |%llu
> /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:766:39: warning: format
> '%lu' expects argument of type 'long unsigned int', but argument 3 has type
> 's64' {aka 'long long int'} [-Wformat=]
>   766 |seq_printf(seq, " Flows selected %lu.",
> atomic64_read(_selected));
>       | ~~^
>       | |
>       | long unsigned int
>       | %llu

At least these warnings look familiar. I think I also saw them when I
tried to compile it against kernel 6.3.1 in experimental (which also
failed).

Anyway, working on it now. Not yet sure which way I'll go, but
restricting it to only Bookworm's kernel (or newer) seems to be the
safest way to reduce the amount of fallout with older kernels as well
as the probably easier way.

(I deliberately didn't write "with less impact" as the impact IMHO
isn't comparable that well: It either _immediately_ affects quite a
large set of non-bookworm kernels, or it _may_ affect some future
kernels at some point in the future and _might_ cause a very similar
issue for late upgraders again. Not sure if any of that makes any of
the two solutions "the better one", but I
Bug#1035511: iptables-netflow-dkms: fails to upgrade from bullseye: fails to build a module for the bullseye kernel
Package: iptables-netflow-dkms
Version: 2.6-3.1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package fails to upgrade from
'bullseye'.

It installed fine in 'bullseye' (with linux-headers-amd64 installed),
then the upgrade to 'bullseye' fails.

From the attached log (scroll to the bottom...):

  Setting up iptables-netflow-dkms (2.6-3.1) ...
  Loading new ipt-netflow-2.6 DKMS files...
  It is likely that 5.10.28 belongs to a chroot's host
  Building for 5.10.0-22-amd64 and 6.1.0-7-amd64
  Building initial module for 5.10.0-22-amd64
  Error! Bad return status for module build on kernel: 5.10.0-22-amd64 (x86_64)
  Consult /var/lib/dkms/ipt-netflow/2.6/build/make.log for more information.
  dpkg: error processing package iptables-netflow-dkms (--configure):
   installed iptables-netflow-dkms package post-installation script subprocess returned error exit status 10

As during the upgrade phase it is very likely that both the old and new
kernel and their headers are installed, the dkms module should be able
to build for both kernel versions (or use some BUILD_EXCLUSIVE_*
settings to exclude unsupported versions, this will be easier from
bookworm+1 onwards).

The dkms.log says:

DKMS make.log for ipt-netflow-2.6 for kernel 5.10.0-22-amd64 (x86_64)
Thu May 4 11:57:32 UTC 2023
./gen_compat_def > compat_def.h
 Test symbol xt_family linux/netfilter_ipv4/ip_tables.h declared
 Test struct timeval linux/ktime.h undeclared
 Test struct proc_ops linux/proc_fs.h declared
 Test symbol synchronize_sched linux/rcupdate.h undeclared
 Test symbol nf_bridge_info_get linux/netfilter_bridge.h declared
 Test struct vlan_dev_priv linux/if_vlan.h declared
 Test member nf_ct_event_notifier.ct_event net/netfilter/nf_conntrack_ecache.h undeclared
Compiling 2.6 for kernel 5.10.178
make -C /lib/modules/5.10.0-22-amd64/build M=/var/lib/dkms/ipt-netflow/2.6/build modules
make[1]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule.
make[1]: Entering directory '/usr/src/linux-headers-5.10.0-22-amd64'
  CC [M] /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.o
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:96:4: warning: #warning "Requested physdev is not compiled." [-Wcpp]
   96 | # warning "Requested physdev is not compiled."
      |^~~
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c: In function 'nf_seq_show':
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:762:39: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 's64' {aka 'long long int'} [-Wformat=]
  762 |seq_printf(seq, " Flows selected %lu, discarded %lu.",
      | ~~^
      | |
      | long unsigned int
      | %llu
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:762:54: warning: format '%lu' expects argument of type 'long unsigned int', but argument 4 has type 's64' {aka 'long long int'} [-Wformat=]
  762 |seq_printf(seq, " Flows selected %lu, discarded %lu.",
      |~~^
      | |
      | long unsigned int
      |%llu
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:766:39: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 's64' {aka 'long long int'} [-Wformat=]
  766 |seq_printf(seq, " Flows selected %lu.", atomic64_read(_selected));
      | ~~^
      | |
      | long unsigned int
      | %llu
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c: In function 'netflow_conntrack_event':
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:4622:36: warning: passing argument 2 of 'notifier->fcn' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
 4622 | ret = notifier->ct_event(events, item);
      |^~~~
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:4622:36: note: expected 'struct nf_ct_event *' but argument is of type 'const struct nf_ct_event *'
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c: At top level:
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:4687:14: error: initialization of 'int (*)(unsigned int, struct nf_ct_event *)' from incompatible pointer type 'int (*)(const unsigned int, const struct nf_ct_event *)' [-Werror=incompatible-pointer-types]
 4687 | .ct_event = netflow_conntrack_event
      | ^~~
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:4687:14: note: (near initialization for 'ctnl_notifier.fcn')
cc1: some warnings being treated as