add debian symbols tracking for libnftables1 package

Bug #1965464 reported by Steve Beattie
This bug affects 1 person
Affects: nftables (Debian); Status: Fix Released; Importance: Unknown
Affects: nftables (Ubuntu); Status: Fix Released; Importance: High; Assigned to: Steve Beattie

Bug Description

As part of the MIR for nftables, the addition of symbols tracking in the debian packaging for nftables is a requirement.

Tags: patch
Steve Beattie (sbeattie)
Changed in nftables (Ubuntu):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote :

One concern with this is that the upstream symbol versioning is broken; generating the debian symbols file looks like so:

libnftables.so.1 libnftables1 #MINVER#
 nft_ctx_add_include_path@Base 0.9.2
 nft_ctx_add_var@Base 1.0.0
 nft_ctx_buffer_error@Base 0.9.2
 nft_ctx_buffer_output@Base 0.9.2
 nft_ctx_clear_include_paths@Base 0.9.2
 nft_ctx_clear_vars@Base 1.0.0
 nft_ctx_free@Base 0.9.2
 nft_ctx_get_dry_run@Base 0.9.2
 nft_ctx_get_error_buffer@Base 0.9.2
 nft_ctx_get_optimize@Base 1.0.2
 nft_ctx_get_output_buffer@Base 0.9.2
 nft_ctx_new@Base 0.9.2
 nft_ctx_output_get_debug@Base 0.9.2
 nft_ctx_output_get_flags@Base 0.9.2
 nft_ctx_output_set_debug@Base 0.9.2
 nft_ctx_output_set_flags@Base 0.9.2
 nft_ctx_set_dry_run@Base 0.9.2
 nft_ctx_set_error@Base 0.9.2
 nft_ctx_set_optimize@Base 1.0.2
 nft_ctx_set_output@Base 0.9.2
 nft_ctx_unbuffer_error@Base 0.9.2
 nft_ctx_unbuffer_output@Base 0.9.2
 nft_run_cmd_from_buffer@Base 0.9.2
 nft_run_cmd_from_filename@Base 0.9.2

@Base is used because of:
$ nm -D --with-symbol-versions --defined-only /usr/lib/x86_64-linux-gnu/libnftables.so.1.1.0
000000000005ad10 T nft_ctx_add_include_path
000000000005abe0 T nft_ctx_add_var
000000000005b150 T nft_ctx_buffer_error
000000000005b050 T nft_ctx_buffer_output
000000000005ad90 T nft_ctx_clear_include_paths
000000000005acb0 T nft_ctx_clear_vars
000000000005b2e0 T nft_ctx_free
000000000005b590 T nft_ctx_get_dry_run
000000000005b2a0 T nft_ctx_get_error_buffer
000000000005b5b0 T nft_ctx_get_optimize
000000000005b270 T nft_ctx_get_output_buffer
000000000005add0 T nft_ctx_new
000000000005b5f0 T nft_ctx_output_get_debug
000000000005b5d0 T nft_ctx_output_get_flags
000000000005b600 T nft_ctx_output_set_debug
000000000005b5e0 T nft_ctx_output_set_flags
000000000005b5a0 T nft_ctx_set_dry_run
000000000005b550 T nft_ctx_set_error
000000000005b5c0 T nft_ctx_set_optimize
000000000005b510 T nft_ctx_set_output
000000000005b200 T nft_ctx_unbuffer_error
000000000005b0f0 T nft_ctx_unbuffer_output
000000000005b610 T nft_run_cmd_from_buffer
000000000005b960 T nft_run_cmd_from_filename

This despite the symbol map in the upstream project: https://git.netfilter.org/nftables/tree/src/libnftables.map

Steve Beattie (sbeattie) wrote :

I attempted to fix it with the following patch:

Index: b/src/Makefile.am
===================================================================
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -91,7 +91,7 @@ libparser_la_CFLAGS = ${AM_CFLAGS} \

 libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBNFTNL_LIBS} libparser.la
 libnftables_la_LDFLAGS = -version-info ${libnftables_LIBVERSION} \
- --version-script=$(srcdir)/libnftables.map
+ -Wl,--version-script=$(srcdir)/libnftables.map

 if BUILD_MINIGMP
 noinst_LTLIBRARIES += libminigmp.la
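Review bot: on the added line `-Wl,--version-script=$(srcdir)/libnftables.map`, once the version script actually reaches the linker the map decides what is exported, and the map has not been checked against the current API as part of this change. In the listing of the rebuilt library further down, `nft_ctx_get_optimize` and `nft_ctx_set_optimize` are no longer present although both are exported in the earlier unversioned listing, so the map entries for those two functions should be corrected together with this line, and the symbols file regenerated from that build rather than from the `@Base` one.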

however, that FTBFS due to LTO being used in the build; examining the generated library does show the appropriate versions on the symbols:

/build/nftables-r9ytiF/nftables-1.0.2/src$ nm -D --with-symbol-versions --defined-only .libs/libnftables.so
0000000000000000 A LIBNFTABLES_1
0000000000000000 A LIBNFTABLES_2
0000000000000000 A LIBNFTABLES_3
000000000005ad10 T nft_ctx_add_include_path@@LIBNFTABLES_1
000000000005abe0 T nft_ctx_add_var@@LIBNFTABLES_2
000000000005b150 T nft_ctx_buffer_error@@LIBNFTABLES_1
000000000005b050 T nft_ctx_buffer_output@@LIBNFTABLES_1
000000000005ad90 T nft_ctx_clear_include_paths@@LIBNFTABLES_1
000000000005acb0 T nft_ctx_clear_vars@@LIBNFTABLES_2
000000000005b2e0 T nft_ctx_free@@LIBNFTABLES_1
000000000005b590 T nft_ctx_get_dry_run@@LIBNFTABLES_1
000000000005b2a0 T nft_ctx_get_error_buffer@@LIBNFTABLES_1
000000000005b270 T nft_ctx_get_output_buffer@@LIBNFTABLES_1
000000000005add0 T nft_ctx_new@@LIBNFTABLES_1
000000000005b5d0 T nft_ctx_output_get_debug@@LIBNFTABLES_1
000000000005b5b0 T nft_ctx_output_get_flags@@LIBNFTABLES_1
000000000005b5e0 T nft_ctx_output_set_debug@@LIBNFTABLES_1
000000000005b5c0 T nft_ctx_output_set_flags@@LIBNFTABLES_1
000000000005b5a0 T nft_ctx_set_dry_run@@LIBNFTABLES_1
000000000005b550 T nft_ctx_set_error@@LIBNFTABLES_1
000000000005b510 T nft_ctx_set_output@@LIBNFTABLES_1
000000000005b200 T nft_ctx_unbuffer_error@@LIBNFTABLES_1
000000000005b0f0 T nft_ctx_unbuffer_output@@LIBNFTABLES_1
000000000005b5f0 T nft_run_cmd_from_buffer@@LIBNFTABLES_1
000000000005b940 T nft_run_cmd_from_filename@@LIBNFTABLES_1

My concern is if this gets fixed, will this cause us to need to do a SO version bump?
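
A check for the situation described in the comment above, added here as an example and not part of the original report or of the nftables packaging: it parses two `nm -D --with-symbol-versions --defined-only` listings and reports exports that disappeared or moved to a different version node. The function names are hypothetical, the sample input is a few lines taken from the two listings in this thread, and treating type `A` entries as version-node markers to skip is an assumption.

```python
import re

# Sample input: a subset of the two nm listings quoted in this bug.
NM_BEFORE = """\
000000000005abe0 T nft_ctx_add_var
000000000005b5b0 T nft_ctx_get_optimize
000000000005add0 T nft_ctx_new
"""
NM_AFTER = """\
0000000000000000 A LIBNFTABLES_1
0000000000000000 A LIBNFTABLES_2
000000000005abe0 T nft_ctx_add_var@@LIBNFTABLES_2
000000000005add0 T nft_ctx_new@@LIBNFTABLES_1
"""

# address, symbol type, name, optional "@VERSION" or "@@VERSION" suffix
NM_LINE = re.compile(r"^[0-9a-fA-F]+\s+(\S)\s+([^@\s]+)(?:@@?(\S+))?$")


def parse_nm(text):
    """Return {symbol name: version node}; unversioned symbols map to 'Base'."""
    exports = {}
    for line in text.splitlines():
        m = NM_LINE.match(line.strip())
        if not m:
            continue
        sym_type, name, version = m.groups()
        if sym_type == "A":
            # Assumption: absolute symbols here are the version nodes
            # themselves (LIBNFTABLES_1, ...), not API entry points.
            continue
        exports[name] = version or "Base"
    return exports


def compare_exports(before, after):
    """Diff two nm listings: dropped, added and re-versioned exports."""
    old, new = parse_nm(before), parse_nm(after)
    common = sorted(set(old) & set(new))
    return {
        "dropped": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "reversioned": {n: (old[n], new[n]) for n in common if old[n] != new[n]},
    }


if __name__ == "__main__":
    for kind, items in compare_exports(NM_BEFORE, NM_AFTER).items():
        print(kind, items)
```

A non-empty `dropped` list is the case to look at first, since a symbol that an existing binary resolves against would no longer be provided by the rebuilt library.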

Steve Beattie (sbeattie) wrote :

Debdiff to fix in Ubuntu attached

Steve Beattie (sbeattie) wrote :
Changed in nftables (Debian):
status: Unknown → New
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "nftables_1.0.2-1ubuntu1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nftables - 1.0.2-1ubuntu1

---------------
nftables (1.0.2-1ubuntu1) jammy; urgency=medium

  * debian/libnftables1.symbols:
    - create a symbols file to ensure the API does not accidentally
      change over time (LP: #1965464)

 -- Steve Beattie <email address hidden> Thu, 17 Mar 2022 18:15:08 -0700

Changed in nftables (Ubuntu):
status: Confirmed → Fix Released
Christian Ehrhardt (paelzer) wrote :

@Steve - don't you also need http://git.netfilter.org/nftables/commit/?id=e98a9b83cd52c7c75bedb3dad46539b197ed17ba ?

And then an updated symbols file for it?

As well as http://git.netfilter.org/nftables/commit/?id=1d507ce7f1d3c12481ee24bd1dcac2fc1984ee9f actually. You said you tried, but what exactly is the LTO issue? And other than trying to resolve it, you can (until resolved) always consider disabling LTO per package.

AFAICS that is also what holds back the Debian contribution of the same change.

Christian Ehrhardt (paelzer) wrote :

At the moment you are kind of getting around the "wrong symbols" by not using the map (missing 1d507ce7f1d) and thereby not using the wrong symbols (nft_set_optimize/nft_get_optimize).
But that explains (as you already know and said above) why it is all @base.

Christian Ehrhardt (paelzer) wrote :

Applying both changes seems to work fine for me and does not break due to LTO.
I'll polish this for you to consider a follow-on upload ...

Christian Ehrhardt (paelzer) wrote :

@Steve
After Seth asked me to have a look (see above comments) I tried to help as much as possible, therefore there now is:

- a MR https://code.launchpad.net/~paelzer/ubuntu/+source/nftables/+git/nftables/+merge/417523

- PPA https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4811/+packages

for you.

I hope this helps you to quickly and easily resolve this.

Steve Beattie (sbeattie) wrote :

Yes, that's correct, both commits are needed. The debdiff/merge request look good to me, please go ahead and upload them to jammy so we can have proper symbol versioning on the library itself there. Thanks!

Christian Ehrhardt (paelzer) wrote :

Thanks for the feedback, uploaded to Jammy.

Christian Ehrhardt (paelzer) wrote :

https://launchpad.net/ubuntu/+source/nftables/1.0.2-1ubuntu2 migrated to Jammy-release
And in addition the Debian PR was merged.

LGTM, let us focus on what is left in the MIR bug.

Changed in nftables (Debian):
status: New → Fix Released