new nftables 0.9.8-3 breaks firewalld 0.9.3 autopkgtest
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
firewalld (Ubuntu) | Invalid | Undecided | Unassigned |
nftables (Debian) | Fix Released | Unknown | |
nftables (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
The new nftables
https:/
is stuck in proposed since it fails the firewalld autopkgtest:
https:/
https:/
https:/
https:/
It fails the same way across architectures in:
## -------
## Summary of the failures. ##
## -------
Failed tests:
firewalld 0.9.3 test suite test groups:
 NUM: FILE-NAME:LINE TEST-GROUP-NAME
      KEYWORDS

  97: icmp_block_
      nftables icmp
 124: rhbz1855140.at:1 rich rule icmptypes with one family
      nftables rich icmp rhbz1855140
The upstream issue tracker
https:/
does not list those cases, but there is a new v9.4.0 that we might try.
In Debian this isn't showing up
https:/
because the tests are all skipped for not having machine-level isolation:
https:/
In detail it seems there are two cases of expected-
in #97:
-icmp type destination-
+icmp code host-prohibited reject with icmpx type admin-prohibited
in #124:
-icmpv6 type parameter-problem icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
+icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
Those look like they might have the same root cause.
It seems this has been present for a while; this is nftables/0.9.8-1 in Hirsute half a year ago:
https:/
Before nftables 0.9.8 it worked, on 0.9.7-1:
https:/
With the right keywords I've found closed bugs in firewalld pointing to an nftables fix:
- https:/
- https:/
The issue is locally reproducible in e.g. an autopkgtest VM, so fixes can be tested the same way.
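As an added illustration (not part of the report, firewalld or nftables), the two expected-vs-actual pairs quoted above can be checked mechanically for the pattern they share: the `<proto> type ...` match in front of `<proto> code ...` disappears from the listing, while the rest of the rule is unchanged. The #97 expected line is cut off in the report; the example assumes it continues as `icmp type destination-unreachable`, and the `UNAMBIGUOUS_CODES` table is the example's own.

```python
import re
from typing import Optional, Tuple

# Expected (-) and actual (+) `nft list chain` lines from tests #97 and #124.
# The #97 expected line is cut off in the report; `destination-unreachable`
# is assumed here (host-prohibited is a destination-unreachable code).
CASES = {
    "#97": (
        "icmp type destination-unreachable icmp code host-prohibited "
        "reject with icmpx type admin-prohibited",
        "icmp code host-prohibited reject with icmpx type admin-prohibited",
    ),
    "#124": (
        "icmpv6 type parameter-problem icmpv6 code no-route "
        "mark set mark & 0x00000086 ^ 0x00000086",
        "icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086",
    ),
}

# `<proto> type X <proto> code Y`, proto being icmp or icmpv6.
TYPE_THEN_CODE = re.compile(r"\b(icmpv6|icmp) type (\S+) \1 code (\S+)")

# Code names that pin down the type by themselves: ICMPv4 code 10 (host-prohibited)
# only exists under destination-unreachable. ICMPv6 code 0 is shared by several
# types and nft prints it as `no-route` for all of them (the report's #124 line
# pairs it with parameter-problem), so dropping the type there loses information.
UNAMBIGUOUS_CODES = {("icmp", "host-prohibited")}


def dropped_type(expected: str, actual: str) -> Optional[Tuple[str, str, str]]:
    """(proto, type, code) if `actual` is `expected` minus `<proto> type <type>`, else None."""
    m = TYPE_THEN_CODE.search(expected)
    if m is None:
        return None
    proto, icmp_type, code = m.groups()
    collapsed = expected[:m.start()] + f"{proto} code {code}" + expected[m.end():]
    return (proto, icmp_type, code) if collapsed == actual else None


def classify(expected: str, actual: str) -> str:
    """'dropped-type', 'dropped-type-ambiguous' (code name fits several types) or 'other'."""
    hit = dropped_type(expected, actual)
    if hit is None:
        return "other"
    proto, _icmp_type, code = hit
    return "dropped-type" if (proto, code) in UNAMBIGUOUS_CODES else "dropped-type-ambiguous"


if __name__ == "__main__":
    for name, (expected, actual) in CASES.items():
        print(name, classify(expected, actual), dropped_type(expected, actual))
```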
description: updated
Changed in nftables (Ubuntu): status: New → Triaged
Changed in firewalld (Ubuntu): status: New → Confirmed
Changed in firewalld (Ubuntu): status: Confirmed → Invalid
tags: added: patch
Changed in nftables (Debian): status: Unknown → Fix Committed
Changed in nftables (Debian): status: Fix Committed → Fix Released
Fail #1 - stdout mismatch
# -*- compilation -*-
97. icmp_block_in_forward_chain.at:1: testing ICMP block present FORWARD chain ...
./icmp_block_in_forward_chain.at:1: if ! cp "${FIREWALLD_DEFAULT_CONFIG}/firewalld.conf" ./firewalld.conf; then exit 77; fi
./icmp_block_in_forward_chain.at:1: sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf
./icmp_block_in_forward_chain.at:1: sed -i 's/^FirewallBackend.*/FirewallBackend=nftables/' ./firewalld.conf
./icmp_block_in_forward_chain.at:1: ip netns add fwd-test-${at_group_normalized}
./icmp_block_in_forward_chain.at:1: env DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}" ip netns exec fwd-test-${at_group_normalized} nft -f ./nft_rule_index.nft
./icmp_block_in_forward_chain.at:1: env DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}" ip netns exec fwd-test-${at_group_normalized} rm ./nft_rule_index.nft
./icmp_block_in_forward_chain.at:1: env DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}" ip netns exec fwd-test-${at_group_normalized} nft delete table inet firewalld_check_rule_index
not running
running
./icmp_block_in_forward_chain.at:4: env DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}" ip netns exec fwd-test-${at_group_normalized} firewall-cmd -q --zone=public --add-icmp-block=host-prohibited
./icmp_block_in_forward_chain.at:6: env DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}" ip netns exec fwd-test-${at_group_normalized} sh <<-"HERE"
{ { { { nft $NFT_NUMERIC_ARGS list chain inet firewalld filter_IN_public_deny | sed -e 's/icmp code 10/icmp code host-prohibited/'; echo $? >&3; } | sed -e 's/^[ \t]*//' -e 's/[ \t]*$//' | sed -e '/^[ \t]*$/d' | sed -e 's/[ \t]\+/ /g' | { printf "%s" "$(cat /dev/stdin)"; echo; } | sed -e 's/meta mark/mark/g' -e '/type.*hook.*priority.*policy.*/d' -e '/ct \(state\|status\)/{s/\( ct \(state\|status\)\) {/\1/g; s/ }//; s/\([a-z]*\), /\1,/g;}' >&4; } 3>&1; } | { read RC; exit $RC; } } 4>&1
HERE
--- -	2021-05-10 12:53:27.518505435 +0000
+++ /tmp/autopkgtest.b8ayAF/build.gyK/src/src/tests/testsuite.dir/at-groups/97/stdout	2021-05-10 12:53:27.513423335 +0000
@@ -1,6 +1,6 @@
table inet firewalld {
chain filter_
-icmp type destination-
+icmp code host-prohibited reject with icmpx type admin-prohibited
}
}
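Review bot: the `-` side is the listing the firewalld test expects and the `+` side is what nftables 0.9.8 printed; the `+` line still carries `icmp code host-prohibited reject with icmpx type admin-prohibited`, so the reject rule is installed and the failure is only the missing leading `icmp type ...` match (the `-` line is cut off in this report, leaving just its prefix `icmp type destination-`). Since the test compares `nft list chain` output verbatim after the sed normalisation shown above the hunk, a change in how nftables renders the rule is enough to fail it; the fix therefore has to come either from nftables printing the type again or from the expected string being updated, which is consistent with the nftables-side fix the description points to.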
97. icmp_block_in_forward_chain.at:1: 97. ICMP block present FORWARD chain (icmp_block_in_forward_chain.at:1): FAILED (icmp_block_in_forward_chain.at:6)