2021-11-03 15:12:05 |
Andrea Righi |
bug |
|
|
added bug |
2021-11-03 15:13:31 |
Andrea Righi |
nominated for series |
|
Ubuntu Jammy |
|
2021-11-03 15:13:31 |
Andrea Righi |
bug task added |
|
iptables (Ubuntu Jammy) |
|
2021-11-03 15:13:31 |
Andrea Righi |
nominated for series |
|
Ubuntu Impish |
|
2021-11-03 15:13:31 |
Andrea Righi |
bug task added |
|
iptables (Ubuntu Impish) |
|
2021-11-03 16:15:20 |
Andrea Righi |
attachment added |
|
iptables-nft-fix-counters.debdiff https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1949603/+attachment/5537896/+files/iptables-nft-fix-counters.debdiff |
|
2021-11-03 16:24:14 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2021-11-04 07:33:32 |
Andrea Righi |
iptables (Ubuntu Impish): importance |
Undecided |
Medium |
|
2021-11-04 07:33:34 |
Andrea Righi |
iptables (Ubuntu Jammy): importance |
Undecided |
Medium |
|
2021-11-12 15:12:47 |
Andrea Righi |
description |
Starting with Impish I noticed that the kernel selftest xfrm_policy.sh is always failing. Initially I thought it was a kernel issue, but debugging further I found that the reason is that with Impish we're using iptables-nft by default instead of iptables-legacy.
This test (./tools/testing/selftests/net/xfrm_policy.sh in the kernel source directory) is creating a bunch of network namespaces and checking the iptables counters for the defined policies, in particular this is the interesting part:
check_ipt_policy_count()
{
    ns=$1

    ip netns exec $ns iptables-save -c |grep policy | ( read c rest
        ip netns exec $ns iptables -Z
        if [ x"$c" = x'[0:0]' ]; then
            exit 0
        elif [ x"$c" = x ]; then
            echo "ERROR: No counters"
            ret=1
            exit 111
        else
            exit 1
        fi
    )
}
If I use iptables-nft the counters are never [0:0] as they should be, so the test is failing. With iptables-legacy they are [0:0] and the test is passing.
Any idea why this is happening and how I can debug this in iptables?
Thanks in advance. |
[Impact]
Starting with Impish I noticed that the kernel selftest xfrm_policy.sh is always failing. Initially I thought it was a kernel issue, but debugging further I found that the reason is that with Impish we're using iptables-nft by default instead of iptables-legacy.
This test (./tools/testing/selftests/net/xfrm_policy.sh in the kernel source directory) is creating a bunch of network namespaces and checking the iptables counters for the defined policies, in particular this is the interesting part:
check_ipt_policy_count()
{
    ns=$1

    ip netns exec $ns iptables-save -c |grep policy | ( read c rest
        ip netns exec $ns iptables -Z
        if [ x"$c" = x'[0:0]' ]; then
            exit 0
        elif [ x"$c" = x ]; then
            echo "ERROR: No counters"
            ret=1
            exit 111
        else
            exit 1
        fi
    )
}
If I use iptables-nft the counters are never [0:0] as they should be, so the test is failing. With iptables-legacy they are [0:0] and the test is passing.
[Test case]
tools/testing/selftests/net/xfrm_policy.sh from the Linux kernel source code.
[Fix]
Apply iptables upstream commit:
5f1fcace ("iptables-nft: fix -Z option")
In this way also with iptables-nft the counters are reported correctly.
[Regression potential]
We may require other upstream commits now that the -Z option is working properly with iptables-nft. |
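To make the selftest's check concrete, here is an added Python example (not part of the bug report, the debdiff or the kernel selftest) that parses constructed `iptables-save -c` output, reproduces the selftest's [0:0] / no-counters / non-zero verdict, and adds a general check listing every rule whose counters -Z failed to zero, which is the symptom described above. All sample outputs are constructed.

```python
import re

# Constructed samples of `iptables-save -c` output as the selftest reads it,
# i.e. after an earlier `iptables -Z`. The first models iptables-legacy
# (counters zeroed); the second models iptables-nft before the "-Z option"
# fix, where -Z did not reset the counters.
LEGACY_AFTER_Z = """\
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
[0:0] -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
[0:0] -A INPUT -p icmp -j ACCEPT
COMMIT
"""
NFT_AFTER_Z = """\
*filter
:INPUT ACCEPT [0:0]
[7:588] -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
[3:252] -A INPUT -p icmp -j ACCEPT
COMMIT
"""

# iptables-save -c prefixes each rule line with "[packets:bytes]".
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s.*)$")

def rule_counters(save_output):
    """Map each rule spec (in file order) to its (packets, bytes) pair."""
    counters = {}
    for line in save_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            counters[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return counters

def unzeroed_rules(after_z_output):
    """Rules still carrying non-zero counters after -Z.
    With a working -Z this list is empty; anything listed is the bug."""
    return [rule for rule, counter in rule_counters(after_z_output).items()
            if counter != (0, 0)]

def check_ipt_policy_count(save_output):
    """Same verdict as the selftest subshell: 0 when the first rule
    mentioning 'policy' reads [0:0], 111 when no such rule exists
    ("ERROR: No counters"), 1 when its counter is non-zero."""
    for rule, counter in rule_counters(save_output).items():
        if "policy" in rule:
            return 0 if counter == (0, 0) else 1
    return 111
```

Feeding real `iptables-save -c` output from a namespace into `unzeroed_rules` right after `iptables -Z` is a quick way to tell whether an iptables-nft build carries the fix.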
|
2021-11-15 11:42:59 |
Andrea Righi |
attachment added |
|
iptables-nft-fix-counters-v2.debdiff https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1949603/+attachment/5540968/+files/iptables-nft-fix-counters-v2.debdiff |
|
2021-11-23 17:18:14 |
Dimitri John Ledkov |
iptables (Ubuntu Jammy): status |
New |
Fix Committed |
|
2021-11-23 21:52:20 |
Launchpad Janitor |
iptables (Ubuntu Impish): status |
New |
Confirmed |
|
2021-11-24 13:15:17 |
Launchpad Janitor |
iptables (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2022-04-01 14:44:57 |
Dimitri John Ledkov |
iptables (Ubuntu Impish): status |
Confirmed |
In Progress |
|
2022-04-01 14:45:03 |
Dimitri John Ledkov |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-04-12 22:39:40 |
Brian Murray |
iptables (Ubuntu Impish): status |
In Progress |
Fix Committed |
|
2022-04-12 22:39:44 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2022-04-12 22:39:47 |
Brian Murray |
tags |
patch |
patch verification-needed verification-needed-impish |
|
2022-07-18 22:58:44 |
Brian Murray |
iptables (Ubuntu Impish): status |
Fix Committed |
Won't Fix |
|