FFe: Merge iptables 1.8.5-3 (main) from Debian sid (main)

Bug #1894195 reported by Oibaf
Affects: iptables (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Alex Murray | Milestone: none

Bug Description

Please merge iptables 1.8.5-3 (main) from Debian sid (main)

Explanation of FeatureFreeze exception:
Current iptables is using the same upstream version in focal, which had problems with the nft backend and was then reverted to the legacy backend.
1.8.5 has many fixes for the nft backend. For example these Debian bugs are fixed in 1.8.5:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950535
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961117
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968457
Please merge it.

Changelog entries since current groovy version 1.8.4-3ubuntu3:

iptables (1.8.5-3) unstable; urgency=medium

  * [2d587e5] src:iptables: bump build-dep version on libnftnl to 1.1.6

 -- Arturo Borrero Gonzalez <email address hidden> Tue, 25 Aug 2020 11:56:55 +0200

iptables (1.8.5-2) unstable; urgency=medium

  [ Alberto Molina Coballes ]
  * [d90516d] d/control: modify breaks and replaces fields (Closes: #949576)
  * [4754a45] d/not-installed: arch independ files
  * [780330f] d/tests/control: Run iptables-legacy-* tests explicitly

  [ Arturo Borrero Gonzalez ]
  * [6fb6557] d/patches: add 0000-upstream-fix-xtables-translate.patch
    (Closes: #962724)

 -- Arturo Borrero Gonzalez <email address hidden> Wed, 24 Jun 2020 10:56:19 +0200

iptables (1.8.5-1) unstable; urgency=medium

  [ Debian Janitor ]
  * [c3deeb3] Wrap long lines in changelog entries: 1.8.2-1, 1.8.0-1~exp1,
  1.6.0-1.
  * [214468e] Update standards version to 4.5.0, no changes needed.

  [ Arturo Borrero Gonzalez ]
  * [eb1d7c5] New upstream version 1.8.5 (Closes: #950535)
  * [7a119db] d/patches: drop all patches
  * [ec63c87] libxtables12.symbols: add new symbol
  * [4056ce6] iptables: bump debhelper-compat to 13

 -- Arturo Borrero Gonzalez <email address hidden> Thu, 04 Jun 2020 13:33:22 +0200

Oibaf (oibaf)
description: updated
Oibaf (oibaf)
description: updated
Revision history for this message
Balint Reczey (rbalint) wrote :

I've attached the upstream changelog.

The upstream release contains a lot of fixes for nftables but also rewrites and fixes in other areas.

Landing the merge does have risks, but IMO it would be better to ship it in 20.10 than the current version.

I've asked the Security Team in June if they could merge the new upstream from Debian, but they could not find time for that AFAIK.

I'm +1 on the FFe, but someone still needs to actually do the merge and landing.

Revision history for this message
Alex Murray (alexmurray) wrote :

I have done the merge and uploaded it to the security-proposed PPA - https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa - and have confirmed the iptables autopkgtest tests all pass as well as the ufw tests.

Oibaf - since you requested this, would you be able to also test this?

Revision history for this message
Oibaf (oibaf) wrote :

I tested it and also backported for focal in my PPA ( https://launchpad.net/~oibaf/+archive/ubuntu/test/+packages?field.name_filter=&field.status_filter=published&field.series_filter=focal ): it works as intended.

I think this should be removed from the 1.8.5-3ubuntu1 changelog:

* Merge with Debian unstable. Remaining changes:
 - Swap alternative priority and prefer nftables backend over legacy

Since this change is also available in Debian.
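The alternatives priority decides which backend the `iptables` command resolves to, but the thing that actually bit focal was rulesets ending up split between the legacy and nf_tables backends. The script below is an added example, not code from the bug report or from the iptables package: it classifies the output of `iptables -V`, counts rules in `iptables-save`-style dumps, and flags a host whose rules are spread across both backends. The two sample dumps are constructed for the example; `live_check` runs the same logic against the real tools only when they are present.

```shell
#!/bin/sh
# Added example (not from the bug report or the iptables package): confirm which
# iptables backend a host resolves to and whether the other backend still holds
# rules, the mixed state that causes filtering to be silently bypassed.

# backend_of_version: classify `iptables -V` output, which on 1.8.x ends in
# "(nf_tables)" or "(legacy)".  Prints nf_tables, legacy or unknown.
backend_of_version() {
  case "$1" in
    *'(nf_tables)'*) echo nf_tables ;;
    *'(legacy)'*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# count_rules: count rule lines ("-A ...") in an iptables-save style dump read
# from stdin.  Chain headers like ":INPUT ACCEPT [0:0]" are not rules, so an
# empty default ruleset yields 0.  `|| true` keeps grep's exit 1 on no match
# from aborting a caller running under set -e.
count_rules() {
  grep -c '^-A ' || true
}

# ruleset_state: given the rule counts of the legacy and nft dumps, report
# empty, legacy-only, nft-only or mixed.  "mixed" is the state to fix.
ruleset_state() {
  legacy=$1; nft=$2
  if [ "$legacy" -gt 0 ] && [ "$nft" -gt 0 ]; then
    echo mixed
  elif [ "$legacy" -gt 0 ]; then
    echo legacy-only
  elif [ "$nft" -gt 0 ]; then
    echo nft-only
  else
    echo empty
  fi
}

# Constructed sample dumps (not captured from a real host) standing in for
# `iptables-legacy-save` and `iptables-nft-save` on a machine that was switched
# to the nft backend without flushing the legacy tables first.
SAMPLE_LEGACY='# Generated by iptables-save v1.8.4 on Mon Sep 21 10:00:00 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
SAMPLE_NFT='# Generated by iptables-nft-save v1.8.5 on Mon Sep 21 10:05:00 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# sample_state: run the classifier over the constructed dumps (expected: mixed).
sample_state() {
  l=$(printf '%s\n' "$SAMPLE_LEGACY" | count_rules)
  n=$(printf '%s\n' "$SAMPLE_NFT" | count_rules)
  ruleset_state "$l" "$n"
}

# live_check: the same checks against the real host.  Reading rulesets needs
# root; without the tools installed it just says so and returns 0.
live_check() {
  if ! command -v iptables >/dev/null 2>&1; then
    echo "iptables not installed; skipping live check"
    return 0
  fi
  echo "active backend: $(backend_of_version "$(iptables -V 2>/dev/null)")"
  if command -v iptables-legacy-save >/dev/null 2>&1 && command -v iptables-nft-save >/dev/null 2>&1; then
    l=$(iptables-legacy-save 2>/dev/null | count_rules)
    n=$(iptables-nft-save 2>/dev/null | count_rules)
    echo "ruleset state: $(ruleset_state "$l" "$n")"
  fi
  # Which alternative /usr/sbin/iptables currently points at.
  command -v update-alternatives >/dev/null 2>&1 && update-alternatives --query iptables 2>/dev/null | grep '^Value:'
  return 0
}
```

Source the file and run `live_check` as root on a machine to verify; a "mixed" result means rules exist in both backends and the legacy tables should be flushed (or migrated) before trusting the nft ruleset. The sample dumps show the classifier reporting exactly that case.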

Revision history for this message
Alex Murray (alexmurray) wrote :

Good point about the changelog - I have removed that line and rebuilt. Attaching the debdiff here for the release team to review.

Revision history for this message
Iain Lane (laney) wrote :

Right, yes, please do go ahead. It was pointed out before that this would be desirable after we switched away from -legacy due to the nature of the fixes.

I had thought from the diff of debian/tests/control that the test coverage of the nft backend was being reduced, but then I took a look at https://salsa.debian.org/pkg-netfilter-team/pkg-iptables/-/blob/master/debian/tests/control and actually both are being tested explicitly, so that seems sensible.

I'm certainly not fully competent to assess the entire impact here. A suggestion: maybe the server team could be asked to give it a round of extra testing / eyes after upload?

Changed in iptables (Ubuntu):
status: New → Fix Committed
assignee: nobody → Alex Murray (alexmurray)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package iptables - 1.8.5-3ubuntu1

---------------
iptables (1.8.5-3ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable (LP: #1894195). Remaining changes:
    - debian/control: correct Breaks/Replaces for ipt_kernel_headers.h
      move from libiptc-dev to libip4tc-dev
    - debian/control: add linuxdoc-tools dep
    - 9000-howtos.patch: add howtos/ and install them
    - 9002-libxt_recent-Add-support-for-reap-option.patch: Some changes are
      upstream, patch needed for additional reap option checks.
    - debian/iptables-dev.doc-base.netfilter-extensions,
      debian/iptables-dev.doc-base.netfilter-hacking,
      debian/iptables.doc-base.nat, debian/iptables.doc-base.packet-filter:
      add howtos
    - Demote nftables from Recommends to Suggests for groovy.
    - autopkgtest: allow-stderr on command9 to fix regression

iptables (1.8.5-3) unstable; urgency=medium

  * [2d587e5] src:iptables: bump build-dep version on libnftnl to 1.1.6

iptables (1.8.5-2) unstable; urgency=medium

  [ Alberto Molina Coballes ]
  * [d90516d] d/control: modify breaks and replaces fields (Closes: #949576)
  * [4754a45] d/not-installed: arch independ files
  * [780330f] d/tests/control: Run iptables-legacy-* tests explicitly

  [ Arturo Borrero Gonzalez ]
  * [6fb6557] d/patches: add 0000-upstream-fix-xtables-translate.patch
    (Closes: #962724)

iptables (1.8.5-1) unstable; urgency=medium

  [ Debian Janitor ]
  * [c3deeb3] Wrap long lines in changelog entries: 1.8.2-1, 1.8.0-1~exp1,
  1.6.0-1.
  * [214468e] Update standards version to 4.5.0, no changes needed.

  [ Arturo Borrero Gonzalez ]
  * [eb1d7c5] New upstream version 1.8.5 (Closes: #950535)
  * [7a119db] d/patches: drop all patches
  * [ec63c87] libxtables12.symbols: add new symbol
  * [4056ce6] iptables: bump debhelper-compat to 13

 -- Alex Murray <email address hidden> Mon, 21 Sep 2020 17:21:46 +0930

Changed in iptables (Ubuntu):
status: Fix Committed → Fix Released