Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-CC: Arturo Borrero Gonzalez <arturo@debian.org>

Please unblock package nftables

[ Reason ]
Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991309
Under certain conditions nftables tends to be greedy and can delete too many rules. This was identified via an issue to firewalld which had a test that failed on it [1] but was then found and fixed in nftables [2].

[ Impact ]
The change looks bigger than it is as it moves code around to be available earlier in the code. It really comes down to dependency killing of rules and should not have a different impact on nftables than that.

[ Tests ]
While the Debian tests skip the tests e.g. of firewalld [3], I have uploaded the same to Ubuntu where all the tests (including those that failed due to the issue) already completed. On this upload the debci will again skip the tests that would have flagged this bug; others will run, but they have worked before and will afterwards.

[ Risks ]
I'd hope that it is low as it is not just from git, but also part of an official release (0.9.9) already. We don't want to bump versions so late, but this gives some extra confidence in the testing that was done. As mentioned above, the risk should be limited to the dependent rule removal.

[ Other info ]
* I've prepared a debdiff (attached) which matches testing vs unstable at the moment that the request here asks to unblock.
* The unstable version has just been uploaded, please give it some time to build and be tested (by tools and myself), but I wanted to give a heads up as early as possible.

P.S. The usual maintainer asked for an NMU and driving the unblocking, details on the bug we fix that is linked above.

[1]: https://github.com/firewalld/firewalld/issues/752
[2]: https://git.netfilter.org/nftables/commit/?id=533565244d88a
[3]: https://ci.debian.net/data/autopkgtest/testing/amd64/f/firewalld/13738304/log.gz

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
Attachment: fix-debian-991309.debdiff