[pkg-netfilter-team] Bug#1060342: Please cherry-pick c1083acea707 ("ebtables: Fix corner-case noflush restore bug")
Michael Biebl
biebl at debian.org
Tue Jan 9 20:55:13 GMT 2024
Package: iptables
Version: 1.8.10-1
Severity: normal
Tags: patch
Hi,
firewalld fails to work with the current version of iptables in Debian.
This is exemplified by the autopkgtest which has recently been made
available in Debian (thanks elbrus):
https://ci.debian.net/packages/f/firewalld/unstable/amd64/41650423/
After contacting firewalld upstream in
https://github.com/firewalld/firewalld/issues/1268
it turns out this issue has already been fixed in
ebtables (iptables-nft) commit c1083acea707 ("ebtables: Fix corner-case
noflush restore bug").
Cherry-picking this commit for iptables makes the firewalld test suite
pass. I'm attaching the commit as a patch file.
If you are busy, I can offer to NMU.
Regards,
Michael
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.6.9-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages iptables depends on:
ii libc6 2.37-13
ii libip4tc2 1.8.10-1
ii libip6tc2 1.8.10-1
ii libmnl0 1.0.5-2
ii libnetfilter-conntrack3 1.0.9-6
ii libnfnetlink0 1.0.2-2
ii libnftnl11 1.2.6-2
ii libxtables12 1.8.10-1
ii netbase 6.4
Versions of packages iptables recommends:
ii nftables 1.0.9-1+b2
Versions of packages iptables suggests:
ii firewalld 2.1.0-1
ii kmod 31-1
-- no debconf information
-------------- next part --------------
commit c1083acea70787eea3f7929fd04718434bb05ba8
Author: Phil Sutter <phil at nwl.cc>
Date: Tue Nov 7 19:12:14 2023 +0100
ebtables: Fix corner-case noflush restore bug
Report came from firewalld, but this is actually rather hard to trigger.
Since a regular chain line prevents it, typical dump/restore use-cases
are unaffected.
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
Cc: Eric Garver <eric at garver.life>
Signed-off-by: Phil Sutter <phil at nwl.cc>
diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
new file mode 100755
index 00000000..0def0ac5
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring:
+# - with --noflush
+# - a second table after the broute one
+# - A policy command but no chain line for BROUTING chain
+
+set -e
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+ ;;
+*)
+ echo "skip $XT_MULTI"
+ exit 0
+ ;;
+esac
+
+$XT_MULTI ebtables-restore --noflush <<EOF
+*broute
+-P BROUTING ACCEPT
+*nat
+-P PREROUTING ACCEPT
+COMMIT
+EOF
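Review bot: the test only asserts that `ebtables-restore --noflush` exits 0 (via `set -e`); it never inspects the resulting ruleset, so a regression that silently applies the BROUTING policy to the wrong table, or drops the `*nat` policy, would still pass. Consider dumping the tables afterwards (e.g. `$XT_MULTI ebtables-save` or `$XT_MULTI ebtables -t broute -L` and `-t nat -L`) and comparing against the expected `-P BROUTING ACCEPT` / `-P PREROUTING ACCEPT` output. Separately, the `*broute` block has no `COMMIT` before `*nat` starts; if the missing COMMIT is part of the corner case being reproduced, the header comment ("a second table after the broute one") should say so explicitly, otherwise a reader will take it for a malformed input rather than the trigger.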
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 08eec79d..a8ad57c7 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
return NF_BR_LOCAL_OUT;
else if (strcmp(chain, "POSTROUTING") == 0)
return NF_BR_POST_ROUTING;
+ else if (strcmp(chain, "BROUTING") == 0)
+ return NF_BR_BROUTING;
/* placeholder for user defined chain */
return NF_BR_NUMHOOKS;
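Review bot: `ebt_get_current_chain()` takes only the chain name and no table, so after this hunk a `BROUTING` line under `*filter` or `*nat` also resolves to `NF_BR_BROUTING` instead of falling through to the `NF_BR_NUMHOOKS` user-defined placeholder; please confirm that the callers validate the returned hook against the table being parsed, or add that check here, since BROUTING is only valid in the broute table. The commit message would also benefit from stating the observable symptom (the test header's "odd caching bug" is the only description of what the missing branch actually caused).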