Package: iptables
Version: 1.8.9-2
Severity: important
Tags: upstream

Dear Maintainer,

there is a known (and fixed) bug in iptables where it prints the "prot" as a
numerical value if "-n" is given (see 17 and 6):

# iptables --version
iptables v1.8.9 (legacy)

# iptables -nL
Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53

There is an upstream bug report:
https://bugzilla.netfilter.org/show_bug.cgi?id=1729

Version 1.8.10 fixed this bug (see "udp" and "tcp" in "prot") in
https://git.netfilter.org/iptables/commit/?id=34f085b1607364f4eaded1140060dcaf965a2649

# iptables --version
iptables v1.8.7 (nf_tables)

# iptables -nL
Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53

The portblock agent in resource-agents parses that field and expects "tcp" and
not "6". Parsing was relaxed in:
https://github.com/ClusterLabs/resource-agents/pull/1924
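To illustrate the parsing problem described above, here is an added example (not the portblock agent's code and not the patch from the linked pull request): a small POSIX shell helper that normalizes the "prot" column of an `iptables -nL` listing to a symbolic name before matching, so a consumer sees the same text whether the installed iptables prints "6" or "tcp". The sample listing, the function names and the builtin fallback table are constructed for this example; numeric protocols are first resolved via /etc/protocols when it is readable.

```shell
# Constructed sample of `iptables -nL` output: two lines in the buggy
# format (protocol printed as a number) and one in the fixed format.
SAMPLE_RULES='Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# proto_name NUM_OR_NAME: map the "prot" column value to a symbolic name.
# Symbolic names pass through unchanged. Numbers are looked up in
# /etc/protocols when present; a small builtin table (assumption: enough
# for common firewall rules) covers minimal systems without that file.
proto_name() {
    case "$1" in
        *[!0-9]*) printf '%s\n' "$1"; return 0 ;;   # already symbolic
    esac
    if [ -r /etc/protocols ]; then
        name=$(awk -v n="$1" '$1 !~ /^#/ && $2 == n { print $1; exit }' /etc/protocols)
        [ -n "$name" ] && { printf '%s\n' "$name"; return 0; }
    fi
    case "$1" in
        1) echo icmp ;; 6) echo tcp ;; 17) echo udp ;; 47) echo gre ;;
        50) echo esp ;; 51) echo ah ;; 58) echo ipv6-icmp ;; 132) echo sctp ;;
        *) printf '%s\n' "$1" ;;   # unknown number: leave it as printed
    esac
}

# normalize_listing LISTING: rewrite the prot column of every rule line to a
# symbolic name; chain headers, the column header and blank lines pass through.
normalize_listing() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            Chain*|target*|'') printf '%s\n' "$line"; continue ;;
        esac
        set -- $line
        target=$1; prot=$2; shift 2
        printf '%s %s %s\n' "$target" "$(proto_name "$prot")" "$*"
    done
}

# rule_present LISTING PROTO PORT: exit 0 if a rule for PROTO dpt:PORT is
# listed, regardless of whether prot was printed as a number or a name.
rule_present() {
    normalize_listing "$1" | grep -Eq "^[A-Z]+ $2 .* dpt:$3( |\$)"
}

# count_rules LISTING PROTO PORT: print how many such rules are listed.
count_rules() {
    normalize_listing "$1" | grep -Ec "^[A-Z]+ $2 .* dpt:$3( |\$)"
}

# Show the normalized form of the constructed sample.
normalize_listing "$SAMPLE_RULES"
```

On a real host the listing would come from `iptables -nL CHAIN` instead of the constructed string; normalizing the column rather than matching on "tcp" directly is what keeps the check working across the 1.8.9 and 1.8.10 output formats shown in the report.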

So both upstream projects mitigated/fixed the problem; unfortunately, Debian
stable ships the buggy iptables version, which breaks portblock. Applying the
mentioned patch to portblock from resource-agents would be an alternative
solution, but the actual bug is in iptables, and this is why I reported the bug
for this package. Debian testing ships a recent enough iptables where this bug
was already fixed.


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.13-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.37-15
ii  libip4tc2                1.8.10-3
ii  libip6tc2                1.8.10-3
ii  libmnl0                  1.0.5-2
ii  libnetfilter-conntrack3  1.0.9-6
ii  libnfnetlink0            1.0.2-2
ii  libnftnl11               1.2.6-2
ii  libxtables12             1.8.10-3
ii  netbase                  6.4

Versions of packages iptables recommends:
pn  nftables  <none>

Versions of packages iptables suggests:
pn  firewalld  <none>
ii  kmod       31-1

-- no debconf information
