Package: iptables
Version: 1.8.10-1
Severity: normal
Tags: patch
Hi,
firewalld fails to work with the current version of iptables in Debian.
This is exemplified by the autopkgtest which recently has been made
available in Debian (thanks elbrus):
https://ci.debian.net/packages/f/firewalld/unstable/amd64/41650423/
After contacting firewalld upstream in
https://github.com/firewalld/firewalld/issues/1268
it turns out this issue has already been fixed in
etables (iptables-nft) commit c1083acea707 ("ebtables: Fix corner-case
noflush restore bug").
Cherry-picking this commit for iptables makes the firewalld test suite
pass. I'm attaching the commit as a patch file.
If you are busy, I can offer to NMU.
Regards,
Michael
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.6.9-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages iptables depends on:
ii libc6 2.37-13
ii libip4tc2 1.8.10-1
ii libip6tc2 1.8.10-1
ii libmnl0 1.0.5-2
ii libnetfilter-conntrack3 1.0.9-6
ii libnfnetlink0 1.0.2-2
ii libnftnl11 1.2.6-2
ii libxtables12 1.8.10-1
ii netbase 6.4
Versions of packages iptables recommends:
ii nftables 1.0.9-1+b2
Versions of packages iptables suggests:
ii firewalld 2.1.0-1
ii kmod 31-1
-- no debconf information
commit c1083acea70787eea3f7929fd04718434bb05ba8
Author: Phil Sutter
Date: Tue Nov 7 19:12:14 2023 +0100
ebtables: Fix corner-case noflush restore bug
Report came from firewalld, but this is actually rather hard to trigger.
Since a regular chain line prevents it, typical dump/restore use-cases
are unaffected.
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
Cc: Eric Garver
Signed-off-by: Phil Sutter
diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
new file mode 100755
index ..0def0ac5
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching
bug when restoring:
+# - with --noflush
+# - a second table after the broute one
+# - A policy command but no chain line for BROUTING chain
+
+set -e
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+ ;;
+*)
+ echo "skip $XT_MULTI"
+ exit 0
+ ;;
+esac
+
+$XT_MULTI ebtables-restore --noflush <
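Review bot: only the new test case 0009-broute-bug_0 is visible in this hunk; the change to ebt_get_current_chain() that the header comment (`# Missing BROUTING-awareness in ebt_get_current_chain() ...`) refers to is not part of this excerpt, and the ebtables-restore input after `$XT_MULTI ebtables-restore --noflush <` is cut off, so the reproducer itself (a broute table followed by a second table, with a BROUTING policy command but no chain line) cannot be checked from what is shown here. The skip logic in the `case "$XT_MULTI" in ... esac` block correctly exits 0 for anything other than xtables-nft-multi, which matches the fix being specific to the nft-based ebtables, and `set -e` makes a failing restore fail the test rather than pass silently; it would help reviewers if the header comment also named the expected outcome (which chain or policy ends up wrong without the fix) so a failure can be recognised without reading the fix.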