Bug#929527: [pkg-netfilter-team] Bug#929527: Bug#929527: Bug#914694
Control: severity -1 important

On 6/26/19 2:28 PM, Thomas Lamprecht wrote:
>
> Hmm, but that's a grave issue which may just render the firewall void
> for _any_ intermediate chain and produces segmentation fault errors.
>

The issue you found is not a general-case issue. The segfault is only produced apparently if you:

* define a custom chain
* flush all rules of that custom chain (not required, because the chain was just created)
* add a rule to that custom chain

all in the same batch.

I may understand that this is important for some scripts or robots making use of the iptables interface in that particular way, but it is not the general case of how people define and add rules to a custom chain/ruleset.

Because of this, I think we should lower the severity of this bug. I understand it's annoying in your use case, and I'm sorry for that.

Thankfully, we already have an iptables version fixing the issue, but unfortunately it won't make it to Debian Buster in the first round, as I already explained in my previous email.

> How about a minimal patch which places higher update-alternative priority
> to the -legacy parts of iptables so that the alternative currently
> working in Buster is used by default. Once the fixed nft based is rolled
> out the priorities could then be switched again (or if that cannot be done
> for a stable release, in Bullseye).
>

No, sorry, we won't do this at this point.
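As an added example (not code from the bug report, from Debian, or from the iptables project): a small Python checker over iptables-save/iptables-restore style text that flags the exact sequence described above, a user-defined chain that is declared, flushed and then appended to within one table batch, so an administrator can audit restore scripts before relying on the nft backend. It also offers a rewrite that drops the redundant per-chain flush, which the message above notes is not needed for a chain the same batch just created. The format handling, the function names and the sample ruleset are constructed for this example and are assumptions, not anything from the report.

```python
"""Audit iptables-restore batches for the declare / flush / append pattern.

Added example, not from the bug report or the iptables project. Input is the
iptables-save text format: '*table', ':CHAIN POLICY [pkts:bytes]', '-F CHAIN',
'-A CHAIN ...', 'COMMIT'. User-defined chains are the ones declared with
policy '-'; built-in chains carry ACCEPT/DROP.
"""
import sys
from dataclasses import dataclass

FLUSH_FLAGS = ("-F", "--flush")
ADD_FLAGS = ("-A", "--append", "-I", "--insert")  # "add a rule" in the report


@dataclass
class ChainState:
    flushed: bool = False
    appended: bool = False


def find_risky_chains(ruleset_text):
    """Return (table, chain) pairs where a user-defined chain is declared,
    explicitly flushed and given a rule inside a single table batch."""
    hits, table, chains = [], None, {}
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # start of a table batch
            table, chains = line[1:], {}
            continue
        if line == "COMMIT":                     # end of the batch: evaluate
            hits.extend((table, name) for name, st in chains.items()
                        if st.flushed and st.appended)
            table, chains = None, {}
            continue
        if line.startswith(":"):                 # chain declaration
            parts = line[1:].split()
            if len(parts) >= 2 and parts[1] == "-":
                chains[parts[0]] = ChainState()  # user-defined chain
            continue
        tokens = line.split()                    # only the leading tokens matter
        if tokens[0] in FLUSH_FLAGS:
            if len(tokens) == 1:                 # bare -F flushes every chain
                for st in chains.values():
                    st.flushed = True
            elif tokens[1] in chains:
                chains[tokens[1]].flushed = True
        elif tokens[0] in ADD_FLAGS and len(tokens) > 1 and tokens[1] in chains:
            chains[tokens[1]].appended = True
    return hits


def drop_redundant_flushes(ruleset_text):
    """Return the ruleset without '-F CHAIN' lines for user-defined chains
    declared earlier in the same batch. Assumes a full restore (no --noflush),
    where the table is reset anyway, so such a flush does no work."""
    out, declared = [], set()
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        if line.startswith("*") or line == "COMMIT":
            declared = set()
        elif line.startswith(":"):
            parts = line[1:].split()
            if len(parts) >= 2 and parts[1] == "-":
                declared.add(parts[0])
        else:
            tokens = line.split()
            if len(tokens) == 2 and tokens[0] in FLUSH_FLAGS and tokens[1] in declared:
                continue                         # skip flush of a just-created chain
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample batch (not taken from the report) showing the pattern.
SAMPLE_BATCH = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SVC-IN - [0:0]
-F SVC-IN
-A SVC-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j SVC-IN
COMMIT
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BATCH
    for table, chain in find_risky_chains(text):
        print(f"table {table}: chain {chain} is declared, flushed and appended to in one batch")
```

Run it against a saved ruleset (`python3 audit_restore.py rules.v4`, a hypothetical filename) to see which batches match; the rewrite is only appropriate for full restores, since with `--noflush` an explicit flush of a pre-existing chain may be doing real work.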
Processed: Re: [pkg-netfilter-team] Bug#929527: Bug#929527: Bug#914694
Processing control commands:

> severity -1 important
Bug #929527 [iptables] /usr/sbin/xtables-nft-multi: restoring IP Tables with an self-defined chain segfaults in libnftnl.so
Severity set to 'important' from 'grave'

--
929527: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#929527: [pkg-netfilter-team] Bug#929527: Bug#914694
On 6/26/19 2:14 PM, Arturo Borrero Gonzalez wrote:
> On 6/25/19 10:25 AM, Thomas Lamprecht wrote:
>> Don't want to nag too much but is there any news regarding this?
>> Buster is planned to release pretty soon (<2 weeks) and iptables
>> is quite an important package, IMO. Maybe it went under my radar
>> but I saw no unblock request on d.o release list.
>>
>> For now I just used update-alternative to use the legacy variants,
>> which work fine here, but if my understanding is correct then this
>> package (version?) could be thrown out of Buster if it still has an RC
>> bug so close to the planned release, I mean iptables may be an
>> exception as it's quite relevant and still used by a lot but still.
>>
>
> The last upstream release of iptables won't make it into Debian Buster at this
> point.
>
> Once buster is released I will:
>
> * provide up-to-date package backports of newer upstream releases in
> buster-backports (for both iptables and nftables)
> * for important bugs, I would try backporting concrete patches to the version
> in buster-stable.
>

Hmm, but that's a grave issue which may just render the firewall void for _any_ intermediate chain and produces segmentation fault errors.

How about a minimal patch which places higher update-alternative priority to the -legacy parts of iptables so that the alternative currently working in Buster is used by default. Once the fixed nft based is rolled out the priorities could then be switched again (or if that cannot be done for a stable release, in Bullseye).
Bug#929527: [pkg-netfilter-team] Bug#929527: Bug#914694
On 6/25/19 10:25 AM, Thomas Lamprecht wrote:
> Don't want to nag too much but is there any news regarding this?
> Buster is planned to release pretty soon (<2 weeks) and iptables
> is quite an important package, IMO. Maybe it went under my radar
> but I saw no unblock request on d.o release list.
>
> For now I just used update-alternative to use the legacy variants,
> which work fine here, but if my understanding is correct then this
> package (version?) could be thrown out of Buster if it still has an RC
> bug so close to the planned release, I mean iptables may be an
> exception as it's quite relevant and still used by a lot but still.
>

The last upstream release of iptables won't make it into Debian Buster at this point.

Once buster is released I will:

* provide up-to-date package backports of newer upstream releases in buster-backports (for both iptables and nftables)
* for important bugs, I would try backporting concrete patches to the version in buster-stable.
Bug#929527: Bug#914694
Don't want to nag too much but is there any news regarding this? Buster is planned to release pretty soon (<2 weeks) and iptables is quite an important package, IMO. Maybe it went under my radar but I saw no unblock request on d.o release list.

For now I just used update-alternative to use the legacy variants, which work fine here, but if my understanding is correct then this package (version?) could be thrown out of Buster if it still has an RC bug so close to the planned release. I mean iptables may be an exception as it's quite relevant and still used by a lot, but still.
Bug#929527: Bug#914694
iptables 1.8.3-1~exp1 is already uploaded, currently waiting in the NEW queue.

The upload is for experimental, since the build depends on a newer release of libnftnl (already in experimental), and we are at a point of the Buster freeze where I would like to make extra sure I'm allowed to push such a big diff into unstable.

Hopefully all this will be untangled in the upcoming weeks.