** Description changed:

[Impact]

With iptables 1.8.5 neutron-linuxbridge-agent fails to properly start. The log file shows many errors like:

2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr: iptables-restore: line 29 failed

This can be demonstrated with a simple test case:

iptables-restore <<EOF
*filter
:INPUT - [0:0]
COMMIT
EOF

This fails with iptables 1.8.5 and is a known upstream bug that was subsequently fixed in upstream commit https://git.netfilter.org/iptables/commit/?id=0bd7a8eaf3582159490ab355b1217a4e42ed021f

As such, neutron-linuxbridge-agent is not able to be used successfully on groovy. This fix to iptables is required to allow neutron-linuxbridge-agent to successfully run.

In hirsute, iptables 1.8.5-3ubuntu3 has been uploaded which fixes this bug by backporting the upstream fix from commit 0bd7a8eaf3582159490ab355b1217a4e42ed021f above. This is currently sitting in hirsute-proposed waiting for autopkgtests to complete to finish migration.

For groovy, iptables 1.8.5-3ubuntu2.20.10.1 is sitting in Unapproved and is the subject of this SRU (this is simply 1.8.5-3ubuntu3 packaged for groovy)

[Test Case]

This can be reproduced by the test case.

+ [Regression Potential] - [Regression Potential] + * This is a low risk update since it only affects the behaviour when a policy of '-' is specified and so does not affect any users of iptables that specify an explicit policy (like ACCEPT, REJECT etc). Since this '-' behaviour is currently broken it has a very low chance of causing a regression as it does not affect any code paths the use an explicit policy. One possible regression would be if any users of iptables-restore + were relying on this failing behaviour, but since this has only failed for + groovy and no other Ubuntu releases this is highly unlikely. 
The other + possibility is that the patch introduces some other failure, however + as stated above, close analysis of the patch shows it only introduces + new behaviour when the policy is specified as '-' - so this should be + impossible. - * This is a low risk update since it only affects the behaviour when a - policy of '-' is specified and so does not affect any users of iptables - that specify an explicit policy (like ACCEPT, REJECT etc). Since this - '-' behaviour is currently broken it has a very low chance of causing a - regression as it does not affect any code paths the use an explicit - policy. - - * In the event of a regression, iptables can be reverted back to a + * In the event of a regression, iptables can be reverted back to a rebuild of 1.8.5-3ubuntu1 by simply backing out this patch. [Other Info] - - * Details regarding an explicit test verification of neutron-linuxbridge-agent will be added soon. + + * Details regarding an explicit test verification of neutron- + linuxbridge-agent will be added soon.
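Review bot: The added [Regression Potential] text says other failures "should be impossible" because the patch only changes behaviour for a '-' policy, but [Test Case] exercises only the '-' case. Add a second check that a restore input with an explicit policy such as ACCEPT still loads on the patched package, so the claim is verified rather than argued. The phrase "any code paths the use an explicit policy" also carries over a typo ("the" for "that") from the removed text.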
--
https://bugs.launchpad.net/bugs/1898547

Title: neutron-linuxbridge-agent fails to start with iptables 1.8.5