Bug#1060342: Please cherry-pick c1083acea707 ("ebtables: Fix corner-case noflush restore bug")

2024-01-11 Thread Michael Biebl

On 10.01.24 at 18:39, Jeremy Sowden wrote:
> On 2024-01-09, at 21:55:13 +0100, Michael Biebl wrote:
> > Cherry-picking this commit for iptables makes the firewalld test suite
> > pass. I'm attaching the commit as a patch file.
> > 
> > If you are busy, I can offer to NMU.
> 
> I'll take care of it.

Great, thanks!

Michael



OpenPGP_signature.asc
Description: OpenPGP digital signature


Bug#1060342: Please cherry-pick c1083acea707 ("ebtables: Fix corner-case noflush restore bug")

2024-01-10 Thread Jeremy Sowden
On 2024-01-09, at 21:55:13 +0100, Michael Biebl wrote:
> Package: iptables
> Version: 1.8.10-1
> Severity: normal
> Tags: patch
> 
> 
> Hi,
> 
> firewalld fails to work with the current version of iptables in Debian.
> This is exemplified by the autopkgtest which recently has been made
> available in Debian (thanks elbrus):
> https://ci.debian.net/packages/f/firewalld/unstable/amd64/41650423/
> 
> After contacting firewalld upstream in
> https://github.com/firewalld/firewalld/issues/1268
> 
> it turns out this issue has already been fixed in
> ebtables (iptables-nft) commit c1083acea707 ("ebtables: Fix corner-case
> noflush restore bug").
> 
> Cherry-picking this commit for iptables makes the firewalld test suite
> pass. I'm attaching the commit as a patch file.
> 
> If you are busy, I can offer to NMU.

I'll take care of it.

J.


signature.asc
Description: PGP signature


Bug#1060342: Please cherry-pick c1083acea707 ("ebtables: Fix corner-case noflush restore bug")

2024-01-09 Thread Michael Biebl
Package: iptables
Version: 1.8.10-1
Severity: normal
Tags: patch


Hi,

firewalld fails to work with the current version of iptables in Debian.
This is exemplified by the autopkgtest which recently has been made
available in Debian (thanks elbrus):
https://ci.debian.net/packages/f/firewalld/unstable/amd64/41650423/

After contacting firewalld upstream in
https://github.com/firewalld/firewalld/issues/1268

it turns out this issue has already been fixed in
ebtables (iptables-nft) commit c1083acea707 ("ebtables: Fix corner-case
noflush restore bug").

Cherry-picking this commit for iptables makes the firewalld test suite
pass. I'm attaching the commit as a patch file.

If you are busy, I can offer to NMU.

Regards,
Michael


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.9-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.37-13
ii  libip4tc2                1.8.10-1
ii  libip6tc2                1.8.10-1
ii  libmnl0                  1.0.5-2
ii  libnetfilter-conntrack3  1.0.9-6
ii  libnfnetlink0            1.0.2-2
ii  libnftnl11               1.2.6-2
ii  libxtables12             1.8.10-1
ii  netbase                  6.4

Versions of packages iptables recommends:
ii  nftables  1.0.9-1+b2

Versions of packages iptables suggests:
ii  firewalld  2.1.0-1
ii  kmod   31-1

-- no debconf information

commit c1083acea70787eea3f7929fd04718434bb05ba8
Author: Phil Sutter 
Date:   Tue Nov 7 19:12:14 2023 +0100

ebtables: Fix corner-case noflush restore bug

Report came from firewalld, but this is actually rather hard to trigger.
Since a regular chain line prevents it, typical dump/restore use-cases
are unaffected.

Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
Cc: Eric Garver 
Signed-off-by: Phil Sutter 

diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 
b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
new file mode 100755
index ..0def0ac5
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching 
bug when restoring:
+# - with --noflush
+# - a second table after the broute one
+# - A policy command but no chain line for BROUTING chain
+
+set -e
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+   ;;
+*)
+   echo "skip $XT_MULTI"
+   exit 0
+   ;;
+esac
+
+$XT_MULTI ebtables-restore --noflush <
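Review bot: the visible part of 0009-broute-bug_0 detects failure only through `set -e` and the exit status of `$XT_MULTI ebtables-restore --noflush`; since the header comment describes a caching bug (BROUTING not being recognised by ebt_get_current_chain()) that can leave the wrong chain contents behind while restore itself still exits 0, the remainder of the test should compare the resulting ruleset, for example the output of `$XT_MULTI ebtables-save`, against the expected tables rather than relying on a zero exit code alone. Skipping with `exit 0` for anything other than xtables-nft-multi is appropriate, as the fix is specific to the nft backend.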