iptables-save -c shows incorrect counters with iptables-nft

FYI, I've tested the latest iptables from https://git.netfilter.org/iptables/ and the test passes also with iptables-nft.

The debdiff in attach seems to solve the problem.

Without this fix applied:

$ sudo ./tools/testing/selftests/net/xfrm_policy.sh
PASS: policy before exception matches
FAIL: expected ping to .254 to fail (exceptions)
...

With this fix applied:

$ sudo ./tools/testing/selftests/net/xfrm_policy.sh
PASS: policy before exception matches
PASS: ping to .254 bypassed ipsec tunnel (exceptions)
...

The proposed patch looks ok.

The version numbers are interesting. Impish release is at 1.8.7-1ubuntu2, and impish upload 1.8.7-1ubuntu3 got only published into Jammy.

So the correct version numbers to use will be ubuntu4 for jammy and 2.1 for impish, I will correct that for SRU.

In addition to the changelog versions it seems to me that the debdiff is potentially a bit missleading:

1) the shell testcases are not executed neither during build, nor during autopkgtest. As they seem to need root, it would be nice to add autopkgtest that would do:

cd iptables/tests/shell; ./run-tests.sh --host

as root.

2) the patched in new test case is patched as a regular text file, and thus is not picked up by ./run-tests.sh harness, because executable bit is lost. Hence debian/rules should probably `chmod +x` in the clean target. And then autopkgtest either needs to have restriction requires build; or also chmod that new test case before running ./run-tests.sh --host.

Given this new test case is supposed to catch this regression, enabling this test suite in autopkgtest would be worth while for jammy.

Can you attempt to fix above things?

@xnox interestingly enough 2 tests are failing with nft and 1 test in legacy running `./run-tests.sh --host`:

W: [FAILED] ././testcases/ipt-restore/0004-restore-race_0: expected 0 but got 1
...
I: legacy results: [OK] 49 [FAILED] 1 [TOTAL] 50

W: [FAILED] ././testcases/ipt-restore/0004-restore-race_0: expected 0 but got 1
W: [FAILED] ././testcases/nft-only/0009-needless-bitwise_0: expected 0 but got 127
...
I: nft results: [OK] 48 [FAILED] 2 [TOTAL] 50

So it's definitely worth running this one, now it'd be nice to understand the failures. Looking...

Alright I figured out why the tests were failing, simply nftables wasn't installed in my test environment. I see that nftables is reported in the Suggests: list.

@xnox IIRC we are installing all the suggests when we run the autotest, is it correct?

New debdiff with the enabled autopkgtest test case. (I'm assuming the Suggests: packages are installed when we run autopkgtest, so I'm not doing anything special to install nftables).

@arighi suggests used to be installed when one used to provide "needs-suggests" restrictions or some such, but that got deprecated, so no suggests are not getting installed by default.

However, we have a multi year MIR to seed and install nftables by default.... let me check the status of that https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1887187

Status changed to 'Confirmed' because the bug affects multiple users.

This bug was fixed in the package iptables - 1.8.7-1ubuntu4

---------------
iptables (1.8.7-1ubuntu4) jammy; urgency=medium

  [ Andrea Righi ]
  * Fix counters with iptables-nft and add a test case (LP: #1949603)
    - d/p/9005-iptables-nft-fix-Z-option.patch
  * Enable iptables selftest in autopkgtest

  [ Dimitri John Ledkov ]
  * Chmod patched test case in autopkgtest as well.
  * Add nftables:native depends in the autopkgtest and switch to
    isolation-machine.
  * Upload to jammy.

 -- Andrea Righi <email address hidden> Wed, 03 Nov 2021 15:50:49 +0000

Hello Andrea, or anyone else affected,

Accepted iptables into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/iptables/1.8.7-1ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted iptables (1.8.7-1ubuntu2.1) for impish have finished running.
The following regressions have been reported in tests triggered by the package:

iptables/1.8.7-1ubuntu2.1 (s390x, i386)
systemd/248.3-1ubuntu8.2 (ppc64el, arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/impish/update_excuses.html#iptables

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

The newly enabled autopkgtest appears to regress on i386 =/

And s390x =(((((

Ubuntu 21.10 (Impish Indri) has reached end of life, so this bug will not be fixed for that specific release.