[pkg-netfilter-team] Bug#929527: Bug#929527: Bug#914694

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Jun 26 13:28:32 BST 2019


On 6/26/19 2:14 PM, Arturo Borrero Gonzalez wrote:
> On 6/25/19 10:25 AM, Thomas Lamprecht wrote:
>> Don't want to nag too much but is there any news regarding this?
>> Buster is planned to release pretty soon (<2 weeks) and iptables
>> is quite an important package, IMO. Maybe it went under my radar
>> but I saw no unblock request on d.o release list.
>>
>> For now I just used update-alternatives to use the legacy variants,
>> which work fine here, but if my understanding is correct then this
>> package (version?) could be thrown out of Buster if it still has RC
>> bug so close to the planned release, I mean iptables may be an
>> exception as it's quite relevant and still used by a lot but still.
>>
> 
> The last upstream release of iptables won't make it into Debian Buster at this
> point.
> 
> Once buster is released I will:
> 
> * provide up-to-date package backports of newer upstream releases in
> buster-backports (for both iptables and nftables)
> * for important bugs, I would try backporting concrete patches to the version in
> buster-stable.
> 
> 

Hmm, but that's a grave issue which may just render the firewall void
for _any_ intermediate chain and produces segmentation fault errors.

How about a minimal patch which places higher update-alternatives priority
to the -legacy parts of iptables so that the alternative currently
working in Buster is used by default. Once the fixed nft-based is rolled
out the priorities could then be switched again (or if that cannot be done
for a stable release, in Bullseye).



