Activity log for bug #1949603

Date Who What changed Old value New value Message
2021-11-03 15:12:05 Andrea Righi bug added bug
2021-11-03 15:13:31 Andrea Righi nominated for series Ubuntu Jammy
2021-11-03 15:13:31 Andrea Righi bug task added iptables (Ubuntu Jammy)
2021-11-03 15:13:31 Andrea Righi nominated for series Ubuntu Impish
2021-11-03 15:13:31 Andrea Righi bug task added iptables (Ubuntu Impish)
2021-11-03 16:15:20 Andrea Righi attachment added iptables-nft-fix-counters.debdiff https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1949603/+attachment/5537896/+files/iptables-nft-fix-counters.debdiff
2021-11-03 16:24:14 Ubuntu Foundations Team Bug Bot tags patch
2021-11-04 07:33:32 Andrea Righi iptables (Ubuntu Impish): importance Undecided Medium
2021-11-04 07:33:34 Andrea Righi iptables (Ubuntu Jammy): importance Undecided Medium
2021-11-12 15:12:47 Andrea Righi description

Old value:

Starting with Impish I noticed that the kernel selftest xfrm_policy.sh is always failing. Initially I thought it was a kernel issue, but debugging further I found that the reason is that with Impish we're using iptables-nft by default instead of iptables-legacy.

This test (./tools/testing/selftests/net/xfrm_policy.sh in the kernel source directory) is creating a bunch of network namespaces and checking the iptables counters for the defined policies, in particular this is the interesting part:

    check_ipt_policy_count() {
        ns=$1
        ip netns exec $ns iptables-save -c | grep policy | ( read c rest
            ip netns exec $ns iptables -Z
            if [ x"$c" = x'[0:0]' ]; then
                exit 0
            elif [ x"$c" = x ]; then
                echo "ERROR: No counters"
                ret=1
                exit 111
            else
                exit 1
            fi
        )
    }

If I use iptables-nft the counters are never [0:0] as they should be, so the test is failing. With iptables-legacy they are [0:0] and the test is passing.

Any idea why this is happening and how I can debug this in iptables? Thanks in advance.

New value:

[Impact]

Starting with Impish I noticed that the kernel selftest xfrm_policy.sh is always failing. Initially I thought it was a kernel issue, but debugging further I found that the reason is that with Impish we're using iptables-nft by default instead of iptables-legacy.

This test (./tools/testing/selftests/net/xfrm_policy.sh in the kernel source directory) is creating a bunch of network namespaces and checking the iptables counters for the defined policies, in particular this is the interesting part:

    check_ipt_policy_count() {
        ns=$1
        ip netns exec $ns iptables-save -c | grep policy | ( read c rest
            ip netns exec $ns iptables -Z
            if [ x"$c" = x'[0:0]' ]; then
                exit 0
            elif [ x"$c" = x ]; then
                echo "ERROR: No counters"
                ret=1
                exit 111
            else
                exit 1
            fi
        )
    }

If I use iptables-nft the counters are never [0:0] as they should be, so the test is failing. With iptables-legacy they are [0:0] and the test is passing.

[Test case]

tools/testing/selftests/net/xfrm_policy.sh from the Linux kernel source code.

[Fix]

Apply iptables upstream commit: 5f1fcace ("iptables-nft: fix -Z option")

In this way also with iptables-nft the counters are reported correctly.

[Regression potential]

We may require other upstream commits now that the -Z option is working properly with iptables-nft.
2021-11-15 11:42:59 Andrea Righi attachment added iptables-nft-fix-counters-v2.debdiff https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1949603/+attachment/5540968/+files/iptables-nft-fix-counters-v2.debdiff
2021-11-23 17:18:14 Dimitri John Ledkov iptables (Ubuntu Jammy): status New Fix Committed
2021-11-23 21:52:20 Launchpad Janitor iptables (Ubuntu Impish): status New Confirmed
2021-11-24 13:15:17 Launchpad Janitor iptables (Ubuntu Jammy): status Fix Committed Fix Released
2022-04-01 14:44:57 Dimitri John Ledkov iptables (Ubuntu Impish): status Confirmed In Progress
2022-04-01 14:45:03 Dimitri John Ledkov bug added subscriber Ubuntu Stable Release Updates Team
2022-04-12 22:39:40 Brian Murray iptables (Ubuntu Impish): status In Progress Fix Committed
2022-04-12 22:39:44 Brian Murray bug added subscriber SRU Verification
2022-04-12 22:39:47 Brian Murray tags patch patch verification-needed verification-needed-impish
2022-07-18 22:58:44 Brian Murray iptables (Ubuntu Impish): status Fix Committed Won't Fix
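The counter check quoted in the bug description above, as an added example that is not part of the bug report, the Ubuntu package or the kernel selftest: the same three-way decision (counters are [0:0], no counter field, or non-zero counters) reworked to read `iptables-save -c` output from stdin so it can be exercised offline. The network namespace and the `iptables -Z` call are dropped because they need a live system, the sample save output is constructed (not captured from a real host), and the function and variable names are this example's own.

```shell
#!/bin/sh
# check_policy_counters: read `iptables-save -c` output on stdin and
# examine the "[pkts:bytes]" counter field of the first rule that
# matches "policy" (e.g. an "-m policy --dir in --pol ipsec" rule).
# Exit status mirrors the selftest's check_ipt_policy_count():
#   0   first matching rule shows [0:0]
#   111 nothing was read (no rule matching "policy" in the input)
#   1   any other counter value
check_policy_counters() {
    grep policy | (
        read c rest
        if [ x"$c" = x'[0:0]' ]; then
            exit 0
        elif [ x"$c" = x ]; then
            echo "ERROR: No counters" >&2
            exit 111
        else
            exit 1
        fi
    )
}

# report: run the check on one sample and print its exit status.
report() {
    rc=0
    printf '%s\n' "$2" | check_policy_counters 2>/dev/null || rc=$?
    echo "$1: exit status $rc"
}

# Constructed samples in `iptables-save -c` format (not real captures).
# Zeroed counters, the result the selftest expects.
LEGACY_SAVE='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
[0:0] -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
COMMIT'

# Non-zero counters on the policy rule, the failing case.
NFT_SAVE='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
[4:512] -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
COMMIT'

# No rule mentioning "policy" at all, so nothing is read.
NOPOLICY_SAVE='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
[7:420] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

report legacy   "$LEGACY_SAVE"
report nft      "$NFT_SAVE"
report nopolicy "$NOPOLICY_SAVE"
```

Note that the "No counters" branch only fires when grep produces no line at all; if `iptables-save` is run without `-c`, the first field read is `-A`, which falls into the generic exit-status-1 branch rather than being reported as missing counters.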