[pkg-netfilter-team] Bug#1060342: Please cherry-pick c1083acea707 ("ebtables: Fix corner-case noflush restore bug")

Michael Biebl biebl at debian.org
Tue Jan 9 20:55:13 GMT 2024


Package: iptables
Version: 1.8.10-1
Severity: normal
Tags: patch


Hi,

firewalld fails to work with the current version of iptables in Debian.
This is exemplified by the autopkgtest which recently has been made
available in Debian (thanks elbrus):
https://ci.debian.net/packages/f/firewalld/unstable/amd64/41650423/

After contacting firewalld upstream in
https://github.com/firewalld/firewalld/issues/1268

it turns out this issue has already been fixed in
ebtables (iptables-nft) commit c1083acea707 ("ebtables: Fix corner-case
noflush restore bug").

Cherry-picking this commit for iptables makes the firewalld test suite
pass. I'm attaching the commit as patch file.

If you are busy, I can offer to NMU.

Regards,
Michael


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.9-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.37-13
ii  libip4tc2                1.8.10-1
ii  libip6tc2                1.8.10-1
ii  libmnl0                  1.0.5-2
ii  libnetfilter-conntrack3  1.0.9-6
ii  libnfnetlink0            1.0.2-2
ii  libnftnl11               1.2.6-2
ii  libxtables12             1.8.10-1
ii  netbase                  6.4

Versions of packages iptables recommends:
ii  nftables  1.0.9-1+b2

Versions of packages iptables suggests:
ii  firewalld  2.1.0-1
ii  kmod       31-1

-- no debconf information
-------------- next part --------------
commit c1083acea70787eea3f7929fd04718434bb05ba8
Author: Phil Sutter <phil at nwl.cc>
Date:   Tue Nov 7 19:12:14 2023 +0100

    ebtables: Fix corner-case noflush restore bug
    
    Report came from firewalld, but this is actually rather hard to trigger.
    Since a regular chain line prevents it, typical dump/restore use-cases
    are unaffected.
    
    Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
    Cc: Eric Garver <eric at garver.life>
    Signed-off-by: Phil Sutter <phil at nwl.cc>

diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
new file mode 100755
index 00000000..0def0ac5
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring:
+# - with --noflush
+# - a second table after the broute one
+# - A policy command but no chain line for BROUTING chain
+
+set -e
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+	;;
+*)
+	echo "skip $XT_MULTI"
+	exit 0
+	;;
+esac
+
+$XT_MULTI ebtables-restore --noflush <<EOF
+*broute
+-P BROUTING ACCEPT
+*nat
+-P PREROUTING ACCEPT
+COMMIT
+EOF
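Review bot: the test only checks that `ebtables-restore --noflush` exits zero (through `set -e`); it does not confirm that the two policies landed on the chains and tables they name. Dumping the ruleset afterwards with `$XT_MULTI ebtables-save` and comparing against the expected output would also catch a regression that silently applies `-P PREROUTING ACCEPT` to the wrong table while still exiting successfully. The broute section also ends without a COMMIT line before `*nat` starts; if that shape is deliberate to reproduce the reported input, a comment in the header saying so would help the next reader, since the three bullet points describe the trigger conditions but not why the input is laid out this way.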
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 08eec79d..a8ad57c7 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
 		return NF_BR_LOCAL_OUT;
 	else if (strcmp(chain, "POSTROUTING") == 0)
 		return NF_BR_POST_ROUTING;
+	else if (strcmp(chain, "BROUTING") == 0)
+		return NF_BR_BROUTING;
 
 	/* placeholder for user defined chain */
 	return NF_BR_NUMHOOKS;
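Review bot: with this branch, "BROUTING" now returns NF_BR_BROUTING instead of falling through to the NF_BR_NUMHOOKS "user defined chain" placeholder, and that change applies regardless of which table the caller is working on. Callers that compare against NF_BR_NUMHOOKS to decide whether a chain is builtin will therefore treat BROUTING as a hook in nat and filter as well, where it is not a builtin chain; it is worth confirming those paths do not misclassify a chain of that name, and the new test only covers the restore path into broute and nat, so a case for the other tables would make the fix easier to trust. A short comment on this branch tying it to the caching problem described in the commit message would also help, as the hunk itself gives no hint why the missing case mattered.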

