[pkg-netfilter-team] Bug#991309: nftables 0.9.8 regresses icmp rule deletion

Christian Ehrhardt christian.ehrhardt at canonical.com
Tue Jul 20 13:19:43 BST 2021


Package: nftables
Version: 0.9.8-3
Tags: fixed-in-experimental

Hi,
I wanted to raise awareness of an issue [1] that was originally filed
by Michael Biebl but not further pursued in the nftables package AFAICS.

In Debian CI that isn't obvious as the tests are all skipped
  https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/13738304/log.gz
But the Ubuntu CI flags the issue
  https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/amd64/f/firewalld/20210510_135128_36f9c@/log.gz

I was looking into the case in [2] and found that in the meantime
there is a fix for that [3] available upstream.

I see that there is nftables 0.9.9-1~exp1 in experimental and I have
tagged this bug as fixed there.
Surely we would not want to move to 0.9.9 in the current release while
in the final freeze.
But given that it would be a regression for upgraders buster->bullseye
I wonder if the isolated patch [3] should maybe be applied.

I have done so in an Ubuntu PPA [4] and re-run the firewalld tests against it.
Those tests - and in general the issue of deleting too many icmp rules -
are fixed by that.

[1]: https://github.com/firewalld/firewalld/issues/752
[2]: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1936902
[3]: https://git.netfilter.org/nftables/commit/?id=533565244d88a818d8828ebabd7625e5a8a4c374
[4]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4626/+packages

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
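A small regression check for the behaviour the mail describes (one icmp rule deleted, more than one gone). This is an added example, not the firewalld test suite, the upstream fix, or anything from the bug report: it creates a scratch table with an assumed name, adds three icmp rules to a chain without a hook so no traffic is affected, deletes exactly one rule by its handle, and compares the rule count before and after. The listing parser is exercised on a constructed sample so the script can be sanity-checked without root; the live check needs root and an installed nft and only runs when invoked with --live.

```shell
#!/bin/sh
# Added regression check for "deleting one icmp rule removes too many".
# Not part of the bug report, firewalld or nftables; the table name is an
# assumption. Usage: sh check_icmp_delete.sh --live   (as root, nft required)
set -eu

TABLE="bug991309_check"   # assumed scratch table name, removed at the end

# Count rules that match on icmp type in a `nft -a list ...` listing on stdin.
count_icmp_rules() {
    grep -c 'icmp type' || true   # grep exits 1 on zero matches; still prints 0
}

# Extract the handle of the first icmp rule from a `nft -a list ...` listing.
first_icmp_handle() {
    sed -n 's/.*icmp type .*# handle \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeeds only if exactly one rule disappeared.
verify_single_deletion() {
    before=$1
    after=$2
    [ "$after" -eq $((before - 1)) ]
}

# Constructed sample of what `nft -a list table inet $TABLE` prints, used to
# exercise the parser without touching the kernel.
SAMPLE_LISTING='table inet bug991309_check {
	chain input {
		icmp type echo-request accept # handle 3
		icmp type echo-reply accept # handle 4
		icmp type destination-unreachable accept # handle 5
	}
}'

# Parser self-test on the constructed listing: returns 0 when both helpers agree.
self_test() {
    n=$(printf '%s\n' "$SAMPLE_LISTING" | count_icmp_rules)
    h=$(printf '%s\n' "$SAMPLE_LISTING" | first_icmp_handle)
    [ "$n" -eq 3 ] && [ "$h" -eq 3 ]
}

# Live check against the running kernel: build the scratch table, delete one
# icmp rule by handle, verify that only one is gone, then clean up.
run_live_check() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    nft add table inet "$TABLE"
    nft add chain inet "$TABLE" input          # no hook: no effect on traffic
    nft add rule inet "$TABLE" input icmp type echo-request accept
    nft add rule inet "$TABLE" input icmp type echo-reply accept
    nft add rule inet "$TABLE" input icmp type destination-unreachable accept
    before=$(nft -a list table inet "$TABLE" | count_icmp_rules)
    handle=$(nft -a list table inet "$TABLE" | first_icmp_handle)
    nft delete rule inet "$TABLE" input handle "$handle"
    after=$(nft -a list table inet "$TABLE" | count_icmp_rules)
    nft delete table inet "$TABLE"
    if verify_single_deletion "$before" "$after"; then
        echo "OK: $before icmp rules before, $after after deleting handle $handle"
    else
        echo "REGRESSION: $before icmp rules before, $after after deleting one" >&2
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    run_live_check
fi
```

On an affected 0.9.8 the live check reports more than one rule missing and exits non-zero; on a fixed build it prints the OK line. Because the chain has no hook, running the check on a production host does not alter filtering, and the scratch table is deleted on both outcomes.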
