Bug #1820317 “The firewalld autopackage tests fail due to iptabl...” : Bugs : firewalld package : Ubuntu

Sebastien Bacher (seb128) on 2019-03-15

Changed in firewalld (Ubuntu):
importance:	Undecided → High
tags:	added: rls-dd-incoming
Changed in iptables (Ubuntu):
importance:	Undecided → High

Jamie Strandboge (jdstrand) on 2019-03-15

Changed in iptables (Ubuntu):
assignee:	nobody → Jamie Strandboge (jdstrand)

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2019-03-25:

#1

I took a look at this and found that:

a) firewalld root-unittests autopkgtests fail when using either iptables 1.6 or 1.8 in release due to https://bugzilla.redhat.com/show_bug.cgi?id=1601610 and the failure is: "2019-03-24 17:30:19 ERROR: COMMAND_FAILED: '/sbin/ipset add foobar 10.1.2.0/22' failed: ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6".
b) firewalld smoke-with-recommends autopkgtests fail when using 1.8 in -proposed (this bug)
c) someone in the Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694 claims that https://git.netfilter.org/iptables/commit/?id=947c51c95 resolves this issue. I took a look at backporting this and found that libnftnl requires 5 patches (which apply cleanly) and iptables needs at least 13 patches before the claimed fix can apply and 1 bug fix patch after. It seems that Debian is waiting for iptables 1.8.3 since the changes are so intrusive (I stopped at 13 patches because I found that I needed more and more earlier patches to support the new table and rule caching)
d) firewalld in 0.6.3-5 introduced the dependency on iptables 1.8.1 and dropped the recommends on ebtables. Dropping this and keeping iptables at 1.6 results in allowing smoke-with-recommends to pass and restores the 0.6.3-4 failing ipset behavior.
e) adjust iptables.postinst to use a lower update-alternatives priority such that iptables-legacy is used results in allowing smoke-with-recommends to pass and restores the 0.6.3-4 failing ipset behavior. We may want to reintroduce the Recommends in firewalld on ebtables so as not to mix ebtables-nft with iptables-legacy

Attempting to cherrypick all the patches to try to fix this is too regression-prone IME (indeed, there was one known regression with the patches; who knows how many more are lurking at the tip of upstream). I also don't want to take a git snapshot for similar reasons. I would much rather wait for upstream to release 1.8.3, much like Debian is.

This leaves us with 3 options:
a) leave 1.6 in disco and adjust the firewalld packaging to not require 1.8
b) adjust 1.8 in disco to prefer the legacy iptables commands instead of nft
c) keep everything as is and ignore the firewalld error. This is how Debian Buster is going to release

Since this represents a real bug in iptables, I think 'c' is out. While 'b' is an option, it is less well tested and I prefer 'a'. Once iptables 1.8.3 is out and/or Debian fixes 914694, then we can pull 1.8 into the archive. We will definitely want 1.8 in for 20.04 LTS.

I will remove 1.8 from disco-proposed and upload a firewalld with the adjusted Depends/Recommends, but someone else should look at the firewalld autopkgtest ipset regression.

I took a look at this and found that:

a) firewalld root-unittests autopkgtests fail when using either iptables 1.6 or 1.8 in release due to https://bugzilla.redhat.com/show_bug.cgi?id=1601610 and the failure is: "2019-03-24 17:30:19 ERROR: COMMAND_FAILED: '/sbin/ipset add foobar 10.1.2.0/22' failed: ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6". 
b) firewalld smoke-with-recommends autopkgtests fail when using 1.8 in -proposed (this bug)
c) someone in the Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694 claims that https://git.netfilter.org/iptables/commit/?id=947c51c95 resolves this issue. I took a look at backporting this and found that libnftnl requires 5 patches (which apply cleanly) and iptables needs at least 13 patches before the claimed fix can apply and 1 bug fix patch after. It seems that Debian is waiting for iptables 1.8.3 since the changes are so intrusive (I stopped at 13 patches because I found that I needed more and more earlier patches to support the new table and rule caching)
d) firewalld in 0.6.3-5 introduced the dependency on iptables 1.8.1 and dropped the recommends on ebtables. Dropping this and keeping iptables at 1.6 results in allowing smoke-with-recommends to pass and restores the 0.6.3-4 failing ipset behavior.
e) adjust iptables.postinst to use a lower update-alternatives priority such that iptables-legacy is used results in allowing smoke-with-recommends to pass and restores the 0.6.3-4 failing ipset behavior. We may want to reintroduce the Recommends in firewalld on ebtables so as not to mix ebtables-nft with iptables-legacy

Attempting to cherrypick all the patches to try to fix this is too regression-prone IME (indeed, there was one known regression with the patches; who knows how many more are lurking at the tip of upstream). I also don't want to take a git snapshot for similar reasons. I would much rather wait for upstream to release 1.8.3, much like Debian is.

This leaves us with 3 options:
a) leave 1.6 in disco and adjust the firewalld packaging to not require 1.8
b) adjust 1.8 in disco to prefer the legacy iptables commands instead of nft
c) keep everything as is and ignore the firewalld error. This is how Debian Buster is going to release

Since this represents a real bug in iptables, I think 'c' is out. While 'b' is an option, it is less well tested and I prefer 'a'. Once iptables 1.8.3 is out and/or Debian fixes 914694, then we can pull 1.8 into the archive. We will definitely want 1.8 in for 20.04 LTS.

I will remove 1.8 from disco-proposed and upload a firewalld with the adjusted Depends/Recommends, but someone else should look at the firewalld autopkgtest ipset regression.

Changed in iptables (Ubuntu):
status:	New → Won't Fix

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2019-03-25:

#2

$ ./remove-package -m "1.8.2 abandoned, will wait for 1.8.3 (LP: #1820317)" -s disco-proposed iptables
Removing packages from disco-proposed:
iptables 1.8.2-4ubuntu1 in disco
  iptables 1.8.2-4ubuntu1 in disco amd64
  iptables 1.8.2-4ubuntu1 in disco arm64
  iptables 1.8.2-4ubuntu1 in disco armhf
  iptables 1.8.2-4ubuntu1 in disco i386
  iptables 1.8.2-4ubuntu1 in disco ppc64el
  iptables 1.8.2-4ubuntu1 in disco s390x
  iptables-dev 1.8.2-4ubuntu1 in disco amd64
  iptables-dev 1.8.2-4ubuntu1 in disco arm64
  iptables-dev 1.8.2-4ubuntu1 in disco armhf
  iptables-dev 1.8.2-4ubuntu1 in disco i386
  iptables-dev 1.8.2-4ubuntu1 in disco ppc64el
  iptables-dev 1.8.2-4ubuntu1 in disco s390x
  libip4tc-dev 1.8.2-4ubuntu1 in disco amd64
  libip4tc-dev 1.8.2-4ubuntu1 in disco arm64
  libip4tc-dev 1.8.2-4ubuntu1 in disco armhf
  libip4tc-dev 1.8.2-4ubuntu1 in disco i386
  libip4tc-dev 1.8.2-4ubuntu1 in disco ppc64el
  libip4tc-dev 1.8.2-4ubuntu1 in disco s390x
  libip4tc0 1.8.2-4ubuntu1 in disco amd64
  libip4tc0 1.8.2-4ubuntu1 in disco arm64
  libip4tc0 1.8.2-4ubuntu1 in disco armhf
  libip4tc0 1.8.2-4ubuntu1 in disco i386
  libip4tc0 1.8.2-4ubuntu1 in disco ppc64el
  libip4tc0 1.8.2-4ubuntu1 in disco s390x
  libip6tc-dev 1.8.2-4ubuntu1 in disco amd64
  libip6tc-dev 1.8.2-4ubuntu1 in disco arm64
  libip6tc-dev 1.8.2-4ubuntu1 in disco armhf
  libip6tc-dev 1.8.2-4ubuntu1 in disco i386
  libip6tc-dev 1.8.2-4ubuntu1 in disco ppc64el
  libip6tc-dev 1.8.2-4ubuntu1 in disco s390x
  libip6tc0 1.8.2-4ubuntu1 in disco amd64
  libip6tc0 1.8.2-4ubuntu1 in disco arm64
  libip6tc0 1.8.2-4ubuntu1 in disco armhf
  libip6tc0 1.8.2-4ubuntu1 in disco i386
  libip6tc0 1.8.2-4ubuntu1 in disco ppc64el
  libip6tc0 1.8.2-4ubuntu1 in disco s390x
  libiptc-dev 1.8.2-4ubuntu1 in disco amd64
  libiptc-dev 1.8.2-4ubuntu1 in disco arm64
  libiptc-dev 1.8.2-4ubuntu1 in disco armhf
  libiptc-dev 1.8.2-4ubuntu1 in disco i386
  libiptc-dev 1.8.2-4ubuntu1 in disco ppc64el
  libiptc-dev 1.8.2-4ubuntu1 in disco s390x
  libiptc0 1.8.2-4ubuntu1 in disco amd64
  libiptc0 1.8.2-4ubuntu1 in disco arm64
  libiptc0 1.8.2-4ubuntu1 in disco armhf
  libiptc0 1.8.2-4ubuntu1 in disco i386
  libiptc0 1.8.2-4ubuntu1 in disco ppc64el
  libiptc0 1.8.2-4ubuntu1 in disco s390x
  libxtables-dev 1.8.2-4ubuntu1 in disco amd64
  libxtables-dev 1.8.2-4ubuntu1 in disco arm64
  libxtables-dev 1.8.2-4ubuntu1 in disco armhf
  libxtables-dev 1.8.2-4ubuntu1 in disco i386
  libxtables-dev 1.8.2-4ubuntu1 in disco ppc64el
  libxtables-dev 1.8.2-4ubuntu1 in disco s390x
  libxtables12 1.8.2-4ubuntu1 in disco amd64
  libxtables12 1.8.2-4ubuntu1 in disco arm64
  libxtables12 1.8.2-4ubuntu1 in disco armhf
  libxtables12 1.8.2-4ubuntu1 in disco i386
  libxtables12 1.8.2-4ubuntu1 in disco ppc64el
  libxtables12 1.8.2-4ubuntu1 in disco s390x
Comment: 1.8.2 abandoned, will wait for 1.8.3 (LP: #1820317)
Remove [y|N]? y
1 package successfully removed.

$ ./remove-package -m "1.8.2 abandoned, will wait for 1.8.3 (LP: #1820317)" -s disco-proposed iptables
Removing packages from disco-proposed:
	iptables 1.8.2-4ubuntu1 in disco
		iptables 1.8.2-4ubuntu1 in disco amd64
		iptables 1.8.2-4ubuntu1 in disco arm64
		iptables 1.8.2-4ubuntu1 in disco armhf
		iptables 1.8.2-4ubuntu1 in disco i386
		iptables 1.8.2-4ubuntu1 in disco ppc64el
		iptables 1.8.2-4ubuntu1 in disco s390x
		iptables-dev 1.8.2-4ubuntu1 in disco amd64
		iptables-dev 1.8.2-4ubuntu1 in disco arm64
		iptables-dev 1.8.2-4ubuntu1 in disco armhf
		iptables-dev 1.8.2-4ubuntu1 in disco i386
		iptables-dev 1.8.2-4ubuntu1 in disco ppc64el
		iptables-dev 1.8.2-4ubuntu1 in disco s390x
		libip4tc-dev 1.8.2-4ubuntu1 in disco amd64
		libip4tc-dev 1.8.2-4ubuntu1 in disco arm64
		libip4tc-dev 1.8.2-4ubuntu1 in disco armhf
		libip4tc-dev 1.8.2-4ubuntu1 in disco i386
		libip4tc-dev 1.8.2-4ubuntu1 in disco ppc64el
		libip4tc-dev 1.8.2-4ubuntu1 in disco s390x
		libip4tc0 1.8.2-4ubuntu1 in disco amd64
		libip4tc0 1.8.2-4ubuntu1 in disco arm64
		libip4tc0 1.8.2-4ubuntu1 in disco armhf
		libip4tc0 1.8.2-4ubuntu1 in disco i386
		libip4tc0 1.8.2-4ubuntu1 in disco ppc64el
		libip4tc0 1.8.2-4ubuntu1 in disco s390x
		libip6tc-dev 1.8.2-4ubuntu1 in disco amd64
		libip6tc-dev 1.8.2-4ubuntu1 in disco arm64
		libip6tc-dev 1.8.2-4ubuntu1 in disco armhf
		libip6tc-dev 1.8.2-4ubuntu1 in disco i386
		libip6tc-dev 1.8.2-4ubuntu1 in disco ppc64el
		libip6tc-dev 1.8.2-4ubuntu1 in disco s390x
		libip6tc0 1.8.2-4ubuntu1 in disco amd64
		libip6tc0 1.8.2-4ubuntu1 in disco arm64
		libip6tc0 1.8.2-4ubuntu1 in disco armhf
		libip6tc0 1.8.2-4ubuntu1 in disco i386
		libip6tc0 1.8.2-4ubuntu1 in disco ppc64el
		libip6tc0 1.8.2-4ubuntu1 in disco s390x
		libiptc-dev 1.8.2-4ubuntu1 in disco amd64
		libiptc-dev 1.8.2-4ubuntu1 in disco arm64
		libiptc-dev 1.8.2-4ubuntu1 in disco armhf
		libiptc-dev 1.8.2-4ubuntu1 in disco i386
		libiptc-dev 1.8.2-4ubuntu1 in disco ppc64el
		libiptc-dev 1.8.2-4ubuntu1 in disco s390x
		libiptc0 1.8.2-4ubuntu1 in disco amd64
		libiptc0 1.8.2-4ubuntu1 in disco arm64
		libiptc0 1.8.2-4ubuntu1 in disco armhf
		libiptc0 1.8.2-4ubuntu1 in disco i386
		libiptc0 1.8.2-4ubuntu1 in disco ppc64el
		libiptc0 1.8.2-4ubuntu1 in disco s390x
		libxtables-dev 1.8.2-4ubuntu1 in disco amd64
		libxtables-dev 1.8.2-4ubuntu1 in disco arm64
		libxtables-dev 1.8.2-4ubuntu1 in disco armhf
		libxtables-dev 1.8.2-4ubuntu1 in disco i386
		libxtables-dev 1.8.2-4ubuntu1 in disco ppc64el
		libxtables-dev 1.8.2-4ubuntu1 in disco s390x
		libxtables12 1.8.2-4ubuntu1 in disco amd64
		libxtables12 1.8.2-4ubuntu1 in disco arm64
		libxtables12 1.8.2-4ubuntu1 in disco armhf
		libxtables12 1.8.2-4ubuntu1 in disco i386
		libxtables12 1.8.2-4ubuntu1 in disco ppc64el
		libxtables12 1.8.2-4ubuntu1 in disco s390x
Comment: 1.8.2 abandoned, will wait for 1.8.3 (LP: #1820317)
Remove [y|N]? y
1 package successfully removed.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2019-03-25:

#3

I upload 0.6.3-5ubuntu4 for the Depends/Recommends update but expect it to fail due to the ipset issues. I filed bug 1821596 for that.

Changed in firewalld (Ubuntu):
status:	New → Fix Committed

Bug Watch Updater (bug-watch-updater) on 2019-03-25

Changed in iptables (Debian):
status:	Unknown → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-04-01:

#4

This bug was fixed in the package firewalld - 0.6.3-5ubuntu4

---------------
firewalld (0.6.3-5ubuntu4) disco; urgency=medium

  * Re-add Recommends for ebtables and remove the iptables dependency on 1.8
    for now until iptables 1.8.3 is available (LP: #1820317 and also see Debian
    bug 914694)

-- Jamie Strandboge <email address hidden> Mon, 25 Mar 2019 13:12:46 +0000

Changed in firewalld (Ubuntu):
status:	Fix Committed → Fix Released

Bug Watch Updater (bug-watch-updater) on 2019-10-18

Changed in iptables (Debian):
status:	Fix Committed → Fix Released

Ubuntu
firewalld package

The firewalld autopackage tests fail due to iptables

Bug Description

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
firewalld (Ubuntu)	Fix Released	High	Unassigned
iptables (Debian)	Fix Released	Unknown	debbugs #914694
iptables (Ubuntu)	Won't Fix	High	Jamie Strandboge

Ubuntufirewalld package

The firewalld autopackage tests fail due to iptables

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
firewalld package