Bug#1035511: iptables-netflow-dkms: fails to upgrade from bullseye: fails to build a module for the bullseye kernel

2023-05-10 Thread Axel Beckert
Control: tag -1 + patch pending

Hi Andreas,

Axel Beckert wrote:
> Looking through upstream's commits, I suspect cherrypicking this
> upstream commit might fix it:
> 
> https://github.com/aabc/ipt-netflow/commit/0901f028617acca350132a65293ab80a480bf233

Yep, cherry-picking that one fixed it. Looks like a regression
introduced by 6a55739a ("Fix build on v5.15 (ct_event)") which I
cherry-picked in 2.6-3.

So thanks again for the report. Upload should happen in the next few
hours.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug#1035511: iptables-netflow-dkms: fails to upgrade from bullseye: fails to build a module for the bullseye kernel

2023-05-10 Thread Axel Beckert
Hi Andreas,

Andreas Beckmann wrote:
> On 10/05/2023 16.32, Axel Beckert wrote:
> > BUILD_EXCLUSIVE_* would be my currently slightly preferred approach as
> > it's likely much simpler to implement and its impact is more clear,
> > but not necessarily "smaller". Currently trying to figure out how it
> > actually works.
> 
> it's a regex, like (untested):
> # 6.1+
> BUILD_EXCLUSIVE_KERNEL="([7-9]|6\.[1-9]|6\.[1-9][0-9])\..*"

Thanks for the prompt and helpful reply!

> > > this will be easier from bookworm+1 onwards).
> > 
> > Ok. Well, I'll see.
> 
> BUILD_EXCLUSIVE_KERNEL_MIN="6.1"

Indeed easier. :-)

> My preference would be to fix the module to build with the bullseye
> kernel,

Thanks for that comment as well.

> Whenever that breaks again after an update to the kernel in
> bullseye, it probably breaks the module in bullseye, too.

Chances are there, but at least this breakage doesn't seem to have
happened in Bullseye.

Looking through upstream's commits, I suspect cherrypicking this
upstream commit might fix it:

https://github.com/aabc/ipt-netflow/commit/0901f028617acca350132a65293ab80a480bf233

commit 0901f028617acca350132a65293ab80a480bf233
Author: Vadim Fedorenko 
Date:   Mon Mar 28 21:59:10 2022 +0300

fix building on old kernels

Link: https://github.com/aabc/ipt-netflow/pull/196

diff --git a/compat.h b/compat.h
index 6be9d6b..847117f 100644
--- a/compat.h
+++ b/compat.h
@@ -782,7 +782,14 @@ struct module *find_module(const char *name)
 #endif
 
 #ifndef HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT
+/*
+ * nat event callback parameter is constified in 5.15+
+ * but it prevents module building with previous kernel versions
+ */
+# define NF_CT_EVENT struct nf_ct_event
 # define ct_event fcn
+#else
+# define NF_CT_EVENT const struct nf_ct_event
 #endif
 
 #endif /* COMPAT_NETFLOW_H */
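Review bot: the comment in the new block says "nat event callback", but the parameter being constified is the conntrack event callback (`ct_event`, implemented by `netflow_conntrack_event` in the next hunk); it should read "conntrack event callback parameter is constified in 5.15+". Also worth stating in that comment: the `const` is not probed directly but inferred from `HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT` (the gen_compat_def "Test member nf_ct_event_notifier.ct_event" line in the build log), so the `#ifndef`/`#else` split assumes the `ct_event` member and the `const` parameter always appear together; a kernel that backports one without the other, which is the failure class this bug report is about, would still miss the right definition, and a dedicated gen_compat_def probe of the parameter type would be sturdier.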
diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c
index e042fe6..82805bc 100644
--- a/ipt_NETFLOW.c
+++ b/ipt_NETFLOW.c
@@ -4597,7 +4597,7 @@ static void rate_timer_calc(
 #ifdef CONFIG_NF_NAT_NEEDED
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
 static struct nf_ct_event_notifier *saved_event_cb __read_mostly = NULL;
-static int netflow_conntrack_event(const unsigned int events, const struct 
nf_ct_event *item)
+static int netflow_conntrack_event(const unsigned int events, NF_CT_EVENT 
*item)
 #else
 static int netflow_conntrack_event(struct notifier_block *this, unsigned long 
events, void *ptr)
 #endif
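Review bot: `NF_CT_EVENT` is only defined inside the `#ifndef HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT` block of compat.h, so this signature at line 4597 depends on compat.h (and the generated compat_def.h it reads) being included earlier in ipt_NETFLOW.c; the pre-2.6.31 `#else` branch still takes `void *ptr` and is correctly left alone. The hunk does not show the call site `ret = notifier->ct_event(events, item);` (line 4622 in the build log), where `item` now carries the same `NF_CT_EVENT` type as the callback, so the `-Wdiscarded-qualifiers` warning from the log goes away together with the `-Werror=incompatible-pointer-types` error at line 4687; the commit message "fix building on old kernels" would be clearer if it named that initializer error as the thing being fixed.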

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug#1035511: iptables-netflow-dkms: fails to upgrade from bullseye: fails to build a module for the bullseye kernel

2023-05-10 Thread Andreas Beckmann

On 10/05/2023 16.32, Axel Beckert wrote:
> BUILD_EXCLUSIVE_* would be my currently slightly preferred approach as
> it's likely much simpler to implement and its impact is more clear,
> but not necessarily "smaller". Currently trying to figure out how it
> actually works.

it's a regex, like (untested):
# 6.1+
BUILD_EXCLUSIVE_KERNEL="([7-9]|6\.[1-9]|6\.[1-9][0-9])\..*"

> > this will be easier from bookworm+1 onwards).
> 
> Ok. Well, I'll see.

BUILD_EXCLUSIVE_KERNEL_MIN="6.1"

My preference would be to fix the module to build with the bullseye 
kernel, too. Whenever that breaks again after an update to the kernel in 
bullseye, it probably breaks the module in bullseye, too.



Andreas
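Added example, not from the bug thread or from the dkms project: a small POSIX shell script that runs the BUILD_EXCLUSIVE_KERNEL pattern posted above against the two kernel versions from the piuparts log and a few constructed ones, beside an anchored variant of the same pattern. It assumes dkms applies the pattern as an unanchored extended regex (bash's `=~`), which `grep -E` reproduces here; every kernel string other than 5.10.0-22-amd64 and 6.1.0-7-amd64 is constructed.

```shell
#!/bin/sh
# Added example (not from the bug thread or dkms): exercise the
# BUILD_EXCLUSIVE_KERNEL regex proposed in the thread.
# ASSUMPTION: dkms tests the pattern with an unanchored ERE match
# (bash's "=~"); grep -E reproduces that behaviour here.

PATTERN_6_1_PLUS='([7-9]|6\.[1-9]|6\.[1-9][0-9])\..*'   # as posted, "# 6.1+"
PATTERN_ANCHORED="^$PATTERN_6_1_PLUS"                    # constructed variant

# kernel_allowed PATTERN KERNELVER -> exit 0 if dkms would build, 1 if excluded
kernel_allowed() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# verdict PATTERN KERNELVER -> prints "build" or "skip"
verdict() {
    if kernel_allowed "$1" "$2"; then echo build; else echo skip; fi
}

# Compare both patterns over the log's kernels plus constructed versions.
# 5.17.0-1-amd64 is the interesting one: unanchored, its "7.0-1-amd64"
# substring satisfies "[7-9]\..*", so the as-posted pattern lets a 5.x
# kernel through; the anchored variant does not.
demo() {
    for kv in 5.10.0-22-amd64 6.1.0-7-amd64 6.0.0-1-amd64 \
              6.10.0-1-amd64 5.17.0-1-amd64 7.0.0-1-amd64; do
        printf '%-16s as-posted=%-5s anchored=%s\n' "$kv" \
            "$(verdict "$PATTERN_6_1_PLUS" "$kv")" \
            "$(verdict "$PATTERN_ANCHORED" "$kv")"
    done
}
demo
```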



Bug#1035511: iptables-netflow-dkms: fails to upgrade from bullseye: fails to build a module for the bullseye kernel

2023-05-10 Thread Axel Beckert
Hi Andreas,

thanks for the bug report. Actually I do have a Bookworm system
already running with iptables-netflow-dkms, but it was a fresh
installation on new hardware.

Andreas Beckmann wrote:
> during a test with piuparts I noticed your package fails to upgrade from
> 'bullseye'.
> It installed fine in 'bullseye' (with linux-headers-amd64
> installed),

Just for clarification: "It" means that the version from bullseye
installed fine on bullseye. From the log you attached:

  Unpacking iptables-netflow-dkms (2.6-3.1) over (2.5.1-2) ...

>   Setting up iptables-netflow-dkms (2.6-3.1) ...
>   Loading new ipt-netflow-2.6 DKMS files...
>   It is likely that 5.10.28 belongs to a chroot's host
>   Building for 5.10.0-22-amd64 and 6.1.0-7-amd64
>   Building initial module for 5.10.0-22-amd64
>   Error! Bad return status for module build on kernel: 5.10.0-22-amd64 
> (x86_64)
>   Consult /var/lib/dkms/ipt-netflow/2.6/build/make.log for more information.
>   dpkg: error processing package iptables-netflow-dkms (--configure):
>    installed iptables-netflow-dkms package post-installation script 
> subprocess returned error exit status 10

This is probably because of some backported fixes to kernel security
updates in bullseye which ipt_NETFLOW upstream didn't expect to
already see in that seemingly older kernel version. Happened in the
past and will likely happen again over time. :-/

Generally I see two ways to fix this, with both having pros and cons:

* Restrict module to kernel ≥ 6.1. Disadvantage: Will refuse to work
  with older, locally compiled kernels even if it would work.

  Advantage: Will still work for late upgrades even if the Bullseye
  kernel gets another backported fix which then will make the upgrade
  fail in the same way again.

* Fix the build by probably updating versions in some of the #ifdefs
  in the code which try to decide on the right kernel API.

  Advantage: Will also work for those who need older kernels (even if
  only for a while).

  Disadvantage: Might break again on future backported kernel fixes in
  Bullseye.

> As during the upgrade phase it is very likely that both the old and new
> kernel and their headers are installed, the dkms module should be able
> to build for both kernel versions (or use some BUILD_EXCLUSIVE_*
> settings to exclude unsupported versions,

BUILD_EXCLUSIVE_* would be my currently slightly preferred approach as
it's likely much simpler to implement and its impact is more clear,
but not necessarily "smaller". Currently trying to figure out how it
actually works.

> this will be easier from bookworm+1 onwards).

Ok. Well, I'll see.

> /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c: In function 'nf_seq_show':
> /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:762:39: warning: format 
> '%lu' expects argument of type 'long unsigned int', but argument 3 has type 
> 's64' {aka 'long long int'} [-Wformat=]
>   762 |seq_printf(seq, " Flows selected %lu, discarded %lu.",
>   | ~~^
>   |   |
>   |   long unsigned int
>   | %llu
> /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:762:54: warning: format 
> '%lu' expects argument of type 'long unsigned int', but argument 4 has type 
> 's64' {aka 'long long int'} [-Wformat=]
>   762 |seq_printf(seq, " Flows selected %lu, discarded %lu.",
>   |~~^
>   |  |
>   |  long unsigned int
>   |%llu
> /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:766:39: warning: format 
> '%lu' expects argument of type 'long unsigned int', but argument 3 has type 
> 's64' {aka 'long long int'} [-Wformat=]
>   766 |seq_printf(seq, " Flows selected %lu.", 
> atomic64_read(_selected));
>   | ~~^
>   |   |
>   |   long unsigned int
>   | %llu

At least these warnings look familiar. I think I also saw them when I
tried to compile it against kernel 6.3.1 in experimental (which also
failed).

Anyway, working on it now. Not yet sure which way I'll go, but
restricting it to only Bookworm's kernel (or newer) seems to be the
safest way to reduce the amount of fallout with older kernels as well
as the probably easier way.

(I deliberately didn't write "with less impact" as the impact IMHO
isn't comparable that well: It either _immediately_ affects quite a
large set of non-bookworm kernels, or it _may_ affect some future
kernels at some point in the future and _might_ cause a very similar
issue for late upgraders again. Not sure if any of that makes any of
the two solutions "the better one", but I 

Bug#1035511: iptables-netflow-dkms: fails to upgrade from bullseye: fails to build a module for the bullseye kernel

2023-05-04 Thread Andreas Beckmann
Package: iptables-netflow-dkms
Version: 2.6-3.1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package fails to upgrade from
'bullseye'.
It installed fine in 'bullseye' (with linux-headers-amd64 installed),
then the upgrade to 'bullseye' fails.

From the attached log (scroll to the bottom...):

  Setting up iptables-netflow-dkms (2.6-3.1) ...
  Loading new ipt-netflow-2.6 DKMS files...
  It is likely that 5.10.28 belongs to a chroot's host
  Building for 5.10.0-22-amd64 and 6.1.0-7-amd64
  Building initial module for 5.10.0-22-amd64
  Error! Bad return status for module build on kernel: 5.10.0-22-amd64 (x86_64)
  Consult /var/lib/dkms/ipt-netflow/2.6/build/make.log for more information.
  dpkg: error processing package iptables-netflow-dkms (--configure):
   installed iptables-netflow-dkms package post-installation script subprocess 
returned error exit status 10

As during the upgrade phase it is very likely that both the old and new
kernel and their headers are installed, the dkms module should be able
to build for both kernel versions (or use some BUILD_EXCLUSIVE_*
settings to exclude unsupported versions, this will be easier from
bookworm+1 onwards).

The dkms.log says:

DKMS make.log for ipt-netflow-2.6 for kernel 5.10.0-22-amd64 (x86_64)
Thu May  4 11:57:32 UTC 2023
./gen_compat_def > compat_def.h
Test symbol xt_family linux/netfilter_ipv4/ip_tables.h  declared
Test struct timeval linux/ktime.h  undeclared
Test struct proc_ops linux/proc_fs.h  declared
Test symbol synchronize_sched linux/rcupdate.h  undeclared
Test symbol nf_bridge_info_get linux/netfilter_bridge.h  declared
Test struct vlan_dev_priv linux/if_vlan.h  declared
Test member nf_ct_event_notifier.ct_event net/netfilter/nf_conntrack_ecache.h  
undeclared
Compiling 2.6 for kernel 5.10.178
make -C /lib/modules/5.10.0-22-amd64/build 
M=/var/lib/dkms/ipt-netflow/2.6/build modules
make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make 
rule.
make[1]: Entering directory '/usr/src/linux-headers-5.10.0-22-amd64'
  CC [M]  /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.o
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:96:4: warning: #warning 
"Requested physdev is not compiled." [-Wcpp]
   96 | #  warning "Requested physdev is not compiled."
  |^~~
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c: In function 'nf_seq_show':
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:762:39: warning: format '%lu' 
expects argument of type 'long unsigned int', but argument 3 has type 's64' 
{aka 'long long int'} [-Wformat=]
  762 |seq_printf(seq, " Flows selected %lu, discarded %lu.",
  | ~~^
  |   |
  |   long unsigned int
  | %llu
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:762:54: warning: format '%lu' 
expects argument of type 'long unsigned int', but argument 4 has type 's64' 
{aka 'long long int'} [-Wformat=]
  762 |seq_printf(seq, " Flows selected %lu, discarded %lu.",
  |~~^
  |  |
  |  long unsigned int
  |%llu
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:766:39: warning: format '%lu' 
expects argument of type 'long unsigned int', but argument 3 has type 's64' 
{aka 'long long int'} [-Wformat=]
  766 |seq_printf(seq, " Flows selected %lu.", 
atomic64_read(_selected));
  | ~~^
  |   |
  |   long unsigned int
  | %llu
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c: In function 
'netflow_conntrack_event':
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:4622:36: warning: passing 
argument 2 of 'notifier->fcn' discards 'const' qualifier from pointer target 
type [-Wdiscarded-qualifiers]
 4622 |   ret = notifier->ct_event(events, item);
  |^~~~
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:4622:36: note: expected 
'struct nf_ct_event *' but argument is of type 'const struct nf_ct_event *'
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c: At top level:
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:4687:14: error: 
initialization of 'int (*)(unsigned int,  struct nf_ct_event *)' from 
incompatible pointer type 'int (*)(const unsigned int,  const struct 
nf_ct_event *)' [-Werror=incompatible-pointer-types]
 4687 |  .ct_event = netflow_conntrack_event
  |  ^~~
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:4687:14: note: (near 
initialization for 'ctnl_notifier.fcn')
cc1: some warnings being treated as