[Pkg-utopia-maintainers] Bug#1038904: firewalld: nftables backend tries to mix ipv6 addresses and ipv4 addresses in the same rule

Konstantin Nebel konnebel at gmx.de
Thu Jun 22 23:02:11 BST 2023


Package: firewalld
Version: 1.3.0-1
Severity: important
Tags: upstream ipv6

Hello,

I have found a bug. A couple of days ago I upgraded my Raspberry Pi to Debian Bookworm, and with the newer Debian a new firewalld was installed. Since then, packets aren't forwarded anymore by default. For that to work, you have to create policies. But when you have IPv4 and IPv6 addresses in one zone, the nftables backend tries to mix IPv4 addresses with IPv6 addresses in the same rule, which gets denied.

In the upstream package this bug is confirmed and fixed in release 1.3.3. The original bug report is here: https://github.com/firewalld/firewalld/issues/1146

In order to fix this on Debian, it is necessary to upgrade the firewalld package itself but, more importantly, the python3-nftables package. I have successfully fixed it locally by installing a pyenv environment and installing the newest Python packages and also the newest firewalld version.

It would be great if this could be addressed, since this is in my opinion a major issue that should be resolved.

Cheers
Konstantin Nebel


-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)

Kernel: Linux 6.1.0-9-arm64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_CRAP
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firewalld depends on:
ii  dbus              1.14.6-1
ii  gir1.2-glib-2.0   1.74.0-3
pn  gir1.2-nm-1.0     <none>
ii  policykit-1       122-3
ii  polkitd           122-3
ii  python3           3.11.2-1+b1
pn  python3-dbus      <none>
pn  python3-firewall  <none>
pn  python3-gi        <none>
pn  python3-nftables  <none>

Versions of packages firewalld recommends:
pn  ipset           <none>
ii  iptables        1.8.9-2
pn  python3-cap-ng  <none>

firewalld suggests no packages.
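
The condition described in this report, as an added example that is not part of the original message or of firewalld's own code: a check that lists zones whose sources span both IPv4 and IPv6, so an administrator on an affected version knows which zones to review before attaching policies. The function names and the sample zone are constructed for illustration; it assumes zone files use `<source address="..."/>` elements and live under `/etc/firewalld/zones`.

```python
import ipaddress
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample zone file, not taken from the report.
SAMPLE_ZONE_XML = """<zone>
  <short>lan</short>
  <source address="192.168.10.0/24"/>
  <source address="fd00:10::/64"/>
  <source mac="00:11:22:33:44:55"/>
</zone>"""


def source_families(zone_xml):
    """Return the IP versions (4 and/or 6) used by <source address="..."/> entries."""
    families = set()
    for src in ET.fromstring(zone_xml).findall("source"):
        addr = src.get("address")
        if addr is None:  # mac= and ipset= sources carry no literal address
            continue
        try:
            families.add(ipaddress.ip_network(addr, strict=False).version)
        except ValueError:
            continue  # not a literal IP address or network; skip it
    return families


def mixed_family_zones(zone_dir="/etc/firewalld/zones"):
    """Return sorted names of zone files whose sources span both IPv4 and IPv6."""
    mixed = []
    for path in Path(zone_dir).glob("*.xml"):
        try:
            if source_families(path.read_bytes()) == {4, 6}:
                mixed.append(path.stem)
        except (ET.ParseError, OSError):
            continue  # unreadable or malformed file; nothing to classify
    return sorted(mixed)


if __name__ == "__main__":
    print("sample zone families:", sorted(source_families(SAMPLE_ZONE_XML)))
    for name in mixed_family_zones():
        print("zone with IPv4 and IPv6 sources:", name)
```

Reading `/etc/firewalld/zones` usually requires root; pass another directory to `mixed_family_zones()` to check a copy of the configuration.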