Your message dated Wed, 12 Apr 2017 10:33:49 +0000
with message-id <e1cyfav-0009la...@fasolo.debian.org>
and subject line Bug#859775: fixed in iptables 1.6.0+snapshot20161117-6
has caused the Debian Bug report #859775,
regarding iptables: iptables-save fails for rules using hashlimit on 32-bit architectures
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
859775: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859775
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: iptables
Version: 1.6.0+snapshot20161117-5
Severity: grave
Tags: upstream
User: debian-ad...@lists.debian.org
Usertags: needed-by-DSA-Team

On 32-bit architectures the extensions/libxt_hashlimit.c file compiles
with warning:

| gcc -D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 -D_REENTRANT  -DXTABLES_LIBDIR=\"/usr/lib/i386-linux-gnu/xtables\" -DXTABLES_INTERNAL -I../include -I.. -I../include  -Wdate-time -D_FORTIFY_SOURCE=2   -Wp,-MMD,./.libxt_hashlimit.oo.d,-MT,libxt_hashlimit.oo -Wall -Waggregate-return -Wmissing-declarations       -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes     -Winline -pipe -D_INIT=libxt_hashlimit_init -DPIC -fPIC -g -O2 -fdebug-prefix-map=/«BUILDDIR»/iptables-1.6.0+snapshot20161117=. -fstack-protector-strong -Wformat -Werror=format-security -o libxt_hashlimit.oo -c libxt_hashlimit.c;
| In file included from /usr/include/math.h:26:0,
|                  from libxt_hashlimit.c:15:
| /usr/include/features.h:148:3: warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" [-Wcpp]
|  # warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
|    ^~~~~~~
| libxt_hashlimit.c: In function 'parse_burst':
| libxt_hashlimit.c:263:36: warning: format '%lu' expects argument of type 'long unsigned int', but argument 4 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|    xtables_error(PARAMETER_PROBLEM, "bad value for option "
|                                     ^~~~~~~~~~~~~~~~~~~~~~~
| libxt_hashlimit.c: In function 'parse_bytes':
| libxt_hashlimit.c:288:42: warning: format '%lu' expects argument of type 'long unsigned int', but argument 4 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|     "Rate value too large \"%llu\" (max %lu)\n",
|                                           ^
| libxt_hashlimit.c: In function 'hashlimit_mt_check_v1':
| libxt_hashlimit.c:560:38: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|       "burst cannot be smaller than %lub", cost_to_bytes(info->cfg.avg));
|                                       ^
| libxt_hashlimit.c: In function 'hashlimit_mt_check':
| libxt_hashlimit.c:590:38: warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'uint64_t {aka long long unsigned int}' [-Wformat=]
|       "burst cannot be smaller than %lub", cost_to_bytes(info->cfg.avg));
|                                       ^
| libxt_hashlimit.c: In function 'print_rate':
| libxt_hashlimit.c:634:13: warning: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'long long unsigned int' [-Wformat=]
|   printf(" %lu/%s", _rates[i-1].mult / period, _rates[i-1].name);
|             ^

A full build log is available there: 
https://buildd.debian.org/status/fetch.php?pkg=iptables&arch=i386&ver=1.6.0%2Bsnapshot20161117-5&stamp=1485163465&raw=0

The problem is that uint64_t types are printed using an unsigned long
format, which is the right type on 64-bit architectures, but not on
32-bit architectures where it is an unsigned long long type.

As a result, iptables-save fails when a rule is using hashlimit. It
fails differently depending on the architecture. On i386 the value
is printed as "(null)":

|  -A FORWARD -m hashlimit --hashlimit-upto 1/(null) --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name nflogreject -j ACCEPT

On mips iptables-save ends up with a segfault instead. I haven't
tested on arm yet.


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: mips (mips64)

Kernel: Linux 4.9.0-2-5kc-malta
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages iptables depends on:
ii  libc6                    2.24-9
ii  libip4tc0                1.6.0+snapshot20161117-5
ii  libip6tc0                1.6.0+snapshot20161117-5
ii  libiptc0                 1.6.0+snapshot20161117-5
ii  libnetfilter-conntrack3  1.0.6-2
ii  libnfnetlink0            1.0.1-3
ii  libxtables12             1.6.0+snapshot20161117-5

iptables recommends no packages.

Versions of packages iptables suggests:
ii  kmod  23-2

-- no debconf information

--- End Message ---
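
The format mismatch described in the report above, as an added example (not code from the iptables patch or from the reporter). It shows the portable PRIu64 form and a small model of why "%lu" followed by "%s" produces "1/(null)" on i386. The model assumes the i386 System V convention, where variadic arguments occupy consecutive 32-bit stack slots; the function names, the unit string "sec" and the pointer value are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable form: PRIu64 expands to the correct conversion for uint64_t
 * on both 32-bit (ILP32) and 64-bit (LP64) targets. */
int format_rate(char *buf, size_t len, uint64_t rate, const char *unit)
{
    return snprintf(buf, len, " %" PRIu64 "/%s", rate, unit);
}

/* Model (assumption: i386 System V ABI) of the argument area for
 * printf(" %lu/%s", rate, unit): a uint64_t takes two 32-bit slots. */
struct ilp32_args { uint32_t slot[3]; };

struct ilp32_args ilp32_push(uint64_t rate, uint32_t unit_ptr)
{
    struct ilp32_args a;
    a.slot[0] = (uint32_t)rate;         /* low word, little-endian order */
    a.slot[1] = (uint32_t)(rate >> 32); /* high word */
    a.slot[2] = unit_ptr;               /* the char * meant for %s */
    return a;
}

/* "%lu" consumes one slot, so "%s" takes the next one: the high word of
 * the rate instead of the string pointer. */
uint32_t ilp32_read_lu(const struct ilp32_args *a) { return a->slot[0]; }
uint32_t ilp32_read_s(const struct ilp32_args *a)  { return a->slot[1]; }

int main(void)
{
    char buf[64];
    format_rate(buf, sizeof(buf), 1, "sec");
    printf("with PRIu64:%s\n", buf);

    /* 0x08049f00 is a constructed address standing in for the unit name. */
    struct ilp32_args a = ilp32_push(1, 0x08049f00u);
    /* A zero pointer handed to %s is what glibc renders as "(null)". */
    printf("with %%lu on i386: %%lu reads %" PRIu32 ", %%s reads 0x%" PRIx32 "\n",
           ilp32_read_lu(&a), ilp32_read_s(&a));
    return 0;
}
```

Other 32-bit ABIs align and order the two halves differently, so the value that "%s" picks up is not always zero.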
--- Begin Message ---
Source: iptables
Source-Version: 1.6.0+snapshot20161117-6

We believe that the bug you reported is fixed in the latest version of
iptables, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arturo Borrero Gonzalez <art...@debian.org> (supplier of updated iptables package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 12 Apr 2017 11:41:06 +0200
Source: iptables
Binary: iptables iptables-dev libxtables12 libxtables-dev libiptc0 libiptc-dev libip4tc0 libip4tc-dev libip6tc0 libip6tc-dev iptables-nftables-compat
Architecture: source
Version: 1.6.0+snapshot20161117-6
Distribution: unstable
Urgency: medium
Maintainer: Arturo Borrero Gonzalez <art...@debian.org>
Changed-By: Arturo Borrero Gonzalez <art...@debian.org>
Description:
 iptables   - administration tools for packet filtering and NAT
 iptables-dev - transitional dummy package
 iptables-nftables-compat - iptables compat tools for nftables
 libip4tc-dev - Development files for libip4tc
 libip4tc0  - netfilter libip4tc library
 libip6tc-dev - Development files for libip6tc
 libip6tc0  - netfilter libip6tc library
 libiptc-dev - Development files for libiptc
 libiptc0   - netfilter libiptc library
 libxtables-dev - netfilter xtables library -- development files
 libxtables12 - netfilter xtables library
Closes: 859775
Changes:
 iptables (1.6.0+snapshot20161117-6) unstable; urgency=medium
 .
   * [3db1c4d] d/patches: add
     0001-extensions-libxt_hashlimit-fix-64-bit-printf-formats.patch.
     Thanks to James Cowgill for the patch (Closes: #859775)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---