[Pkg-utopia-maintainers] Bug#1117505: firewalld: autopkgtest needs update for new version of nftables

Wed Oct 8 20:06:15 BST 2025

Control: tags -1 patch

On 2025-10-06, at 21:14:27 +0100, Jeremy Sowden wrote:
> On 2025-10-06, at 21:54:09 +0200, Paul Gevers wrote:
> > Source: firewalld
> > Version: 2.3.1-2
> > Severity: serious
> > X-Debbugs-CC: nftables at packages.debian.org
> > Tags: sid forky
> > User: debian-ci at lists.debian.org
> > Usertags: needs-update
> > Control: affects -1 src:nftables
> >
> > Dear maintainer(s),
> >
> > With a recent upload of nftables the autopkgtest of firewalld fails
> > in testing when that autopkgtest is run with the binary packages of
> > nftables from unstable. It passes when run with only packages from
> > testing. In tabular form:
> >
> >                       pass            fail
> > nftables               from testing    1.1.5-2
> > firewalld              from testing    2.3.1-2
> > all others             from testing    from testing
> >
> > I copied some of the output at the bottom of this report.
> >
> > Currently this regression is blocking the migration of nftables to
> > testing [1]. Of course, nftables shouldn't just break your
> > autopkgtest (or even worse, your package), but it seems to me that
> > the change in nftables was intended and your package needs to update
> > to the new situation.
> >
> > If this is a real problem in your package (and not only in your
> > autopkgtest), the right binary package(s) from nftables should
> > really add a versioned Breaks on the unfixed version of (one of
> > your) package(s). Note: the Breaks is nice even if the issue is only
> > in the autopkgtest as it helps the migration software to figure out
> > the right versions to combine in the tests.
> >
> > More information about this bug and the reason for filing it can be found on
> > https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation
> >
> > Paul
> >
> > [1] https://qa.debian.org/excuses.php?package=nftables
> >
> > https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/64961657/log.gz
> >
> > 2837s +++ /tmp/testsuite.dir/at-groups/211/stdout	2025-10-05 
> > 17:27:01.608000000 +0000
> > 2837s @@ -1,6 +1,6 @@
> > 2837s  table inet firewalld {
> > 2837s  chain filter_FORWARD {
> > 2837s -meta nfproto ipv6 fib saddr . mark oif missing drop
> > 2837s +meta nfproto ipv6 fib saddr . mark check missing drop
> > 2837s  ct state established,related accept
> > 2837s  ct status dnat accept
> > 2837s  iifname "lo" accept
> > 2837s 211. rpfilter.at:89: 211. rpfilter - loose-forward 
> > (rpfilter.at:89): FAILED (rpfilter.at:101)
> > 2837s 2837s 2837s autopkgtest [17:53:31]: test standard-tests
> 
> This is fixed upstream:
> 
>   https://github.com/firewalld/firewalld/commit/cc1c78b7343dc5f198f76c31c3e6f4934ab0b183
> 
> I'm running autopkgtest in qemu locally to make sure this is the only
> regression.  It's very slow. :-/

Yup, that upstream commit does the job.  I've attached the patch against
firewalld's Salsa repo.  You can also see it here:

	https://salsa.debian.org/azazel/firewalld/-/commit/b3d463ceafdc86255aea0b38d32a0dbe72e25651

I can NMU if you're busy.

J.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-d-patches-add-upstream-commit-to-fix-rpfilter-tests.patch
Type: text/x-diff
Size: 4496 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20251008/7e1e5339/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20251008/7e1e5339/attachment-0001.sig>