Bug#1036246: unblock: iptables-netflow/2.6-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: iptables-netflow@packages.debian.org, abe@debian.org, anbe@debian.org
Control: affects -1 + src:iptables-netflow
Please unblock iptables-netflow/2.6-4.
This is an update to fix the RC bug report at
https://bugs.debian.org/1035511 and fixes an upgrade issue from
Bullseye to Bookworm if iptables-netflow-dkms is upgraded while the
Bullseye kernel (and headers) are still installed — which is the case
in nearly every upgrade workflow.
[ Reason ]
Upgrades from Bullseye to Bookworm failed, at least until the Bullseye
kernel has been uninstalled.
[ Impact ]
Without this package update, admins will
* have to wait for iptables-netflow-dkms's postinst to succeed until
they have rebooted into the Bookworm kernel and uninstalled the
Bullseye kernel.
* have no chance of running the newer iptables-netflow-dkms version
from Bookworm with the Bullseye kernel.
Impact of the change:
* Low. Cherry-picked an upstream commit explicitly fixing compilation
with older kernels. Regression introduced upstream with 2.6 when
fixing compilation with kernel 5.15. It adds some compat definitions
into the #ifdef areas for older kernels. Does not affect compiling
against Bookworm's 6.1 kernel.
[ Tests ]
* Installation on Sid. Still compiles fine.
(Exception: Fails if the kernel 6.3 in Experimental is installed on
Sid. But I consider a fix for that to be unsuitable at this stage of
the freeze.)
* Installation on two Bullseye systems of which one is a production
server heavily relying on exactly this package. Still works fine
with the Sid package installed on Bullseye with stock Bullseye
kernel, even during package upgrade and after a reboot (into the
Bullseye kernel).
Netflows generated with iptables-netflow-dkms continued to show up
in nfdump's local cache after upgrading the package to the version
currently in Sid as well as after rebooting (which guarantees that
the newly built kernel module was really used, not just compiled).
This test proves that a server will continue to provide the
package's functionality during a dist-upgrade even while still
running under the Bullseye kernel. (Which was found in #1035511 not
to be the case due to the failing compilation with the Bullseye
kernel.)
* Upgrade of a server from Bullseye to Bookworm which is using this
package in production. Upgrade failed as reported in #1035511. The
failure was fixed by installing the package from Unstable using
"dpkg -i" as expected.
Netflows generated with iptables-netflow-dkms continued to show up
in nfdump's local cache afterwards as well as after the final reboot
into Bookworm's kernel.
This test proves that a server will continue to provide the
package's functionality even during a dist-upgrade and that it still
works fine under Bookworm's kernel, i.e. that it does NOT introduce
a regression on Bookworm.
* Autopkgtest in Sid via autopkgtest-pkg-dkms:
https://qa.debian.org/excuses.php?package=iptables-netflow says "No
test results" for all tests. I'm not sure what this actually
means. If I click on such a link I see:
I: Summary:
I: PASS 6.1.0-8-amd64
I: PASS 6.1.0-8-cloud-amd64
I: PASS 6.1.0-8-rt-amd64
Maybe these passes were considered superficial as in the end it
just says twice:
dkms-autopkgtest PASS (superficial)
[ Risks ]
* Future updates of the Bullseye kernel with backported kernel fixes
might break some assumptions of the kernel version #ifdefs in this
kernel module like the ones updated in this patch and hence might
cause upgrade issues due to compilation issues again if someone
upgrades from Bullseye to Bookworm only late in the Bullseye release
cycle.
But this is given with and without that upgrade, and it has happened
in past stable releases as well. (Has IIRC last happened with
backported kernel fixes in Buster.)
* It's a leaf package only in use on servers which generate netflows
out of network traffic, e.g. for traffic statistics or security
monitoring purposes.
[ Checklist ]
[x] all changes are documented in the d/changelog
(debian/.gitignore was added by the recent NMU by accident and
has been removed in this upload again automatically without any
manual change, hence its removal does not show up in the
debian/changelog entry. It ending up in the debdiff is not a
result of this upload but actually a result of the previous
upload being built directly from git or so.)
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
The cherry-picked upstream commit is
https://github.com/aabc/ipt-netflow/commit/0901f028617acca350132a65293ab80a480bf233
commit 0901f028617acca350132a65293ab80a480bf233
Author: Vadim Fedorenko <vfedorenko@novek.ru>
Date: Mon Mar 28 21:59:10 2022 +0300
fix building on old kernels
Link: https://github.com/aabc/ipt-netflow/pull/196
diff --git a/compat.h b/compat.h
index 6be9d6b..847117f 100644
--- a/compat.h
+++ b/compat.h
@@ -782,7 +782,14 @@ struct module *find_module(const char *name)
#endif
#ifndef HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT
+/*
+ * nat event callback parameter is constified in 5.15+
+ * but it prevents module building with previous kernel versions
+ */
+# define NF_CT_EVENT struct nf_ct_event
# define ct_event fcn
+#else
+# define NF_CT_EVENT const struct nf_ct_event
#endif
#endif /* COMPAT_NETFLOW_H */
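Review bot: the new comment explains the qualifier change in terms of a kernel version ("constified in 5.15+"), but the branch is selected by the feature-detection macro HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT rather than by LINUX_VERSION_CODE, so the reader has to trust that the configure check which sets that macro coincides exactly with the kernels that constified the parameter. A one-line addition to the comment stating that the HAVE_ macro is used as the proxy for the const-qualified callback signature (and why that is reliable, e.g. both changed in the same kernel release) would make the #else branch self-explaining; as written, `# define NF_CT_EVENT const struct nf_ct_event` looks unrelated to the `ct_event`/`fcn` renaming it sits next to.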
diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c
index e042fe6..82805bc 100644
--- a/ipt_NETFLOW.c
+++ b/ipt_NETFLOW.c
@@ -4597,7 +4597,7 @@ static void rate_timer_calc(
#ifdef CONFIG_NF_NAT_NEEDED
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
static struct nf_ct_event_notifier *saved_event_cb __read_mostly = NULL;
-static int netflow_conntrack_event(const unsigned int events, const struct nf_ct_event *item)
+static int netflow_conntrack_event(const unsigned int events, NF_CT_EVENT *item)
#else
static int netflow_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr)
#endif
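Review bot: only the definition of netflow_conntrack_event is touched here, so it is worth confirming that no forward declaration or function-pointer cast elsewhere in ipt_NETFLOW.c still spells the parameter as `const struct nf_ct_event *item`; a remaining old-style declaration would compile on 5.15+ but reintroduce the exact type mismatch on older kernels that this hunk removes. On naming: NF_CT_EVENT reads like a kernel-side identifier and hides a const qualifier behind a type-like name; a module-prefixed name such as NETFLOW_CT_EVENT_ARG (or a note at the definition that it expands to a parameter type, not a struct tag) would make the signature easier to audit.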
So please
unblock iptables-netflow/2.6-4
diff -Nru iptables-netflow-2.6/debian/.gitignore iptables-netflow-2.6/debian/.gitignore
--- iptables-netflow-2.6/debian/.gitignore 2023-01-20 11:27:09.000000000 +0100
+++ iptables-netflow-2.6/debian/.gitignore 1970-01-01 01:00:00.000000000 +0100
@@ -1,10 +0,0 @@
-/dkms
-/files
-/debhelper-build-stamp
-/.debhelper/
-/*.debhelper.log
-/*.p*.debhelper
-/*.substvars
-/iptables-netflow-dkms/
-/irqtop/
-/tmp/
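Review bot: the removal of debian/.gitignore is not recorded in debian/changelog even though it is part of this debdiff; the unblock request explains above that the file arrived by accident with the NMU and disappears because this upload was not built from git, but a release-team reviewer reading only the debdiff cannot see that. A short changelog line ("Drop debian/.gitignore accidentally shipped in the 2.6-3.1 NMU") would make the source change self-documenting without altering the packaging.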
diff -Nru iptables-netflow-2.6/debian/changelog iptables-netflow-2.6/debian/changelog
--- iptables-netflow-2.6/debian/changelog 2023-01-20 11:27:09.000000000 +0100
+++ iptables-netflow-2.6/debian/changelog 2023-05-10 18:22:39.000000000 +0200
@@ -1,3 +1,11 @@
+iptables-netflow (2.6-4) unstable; urgency=medium
+
+ * Acknowledge NMU. Thanks Andreas!
+ * Cherry-pick upstream commit 0901f028 "fix building on old kernels".
+ (Closes: #1035511)
+
+ -- Axel Beckert <abe@debian.org> Wed, 10 May 2023 18:22:39 +0200
+
iptables-netflow (2.6-3.1) unstable; urgency=medium
* Non-maintainer upload.
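Review bot: the entry `* Cherry-pick upstream commit 0901f028 "fix building on old kernels".` names the commit but not the user-visible effect it repairs; since this is the line an admin reads when the Bullseye to Bookworm upgrade previously failed, stating it explicitly (e.g. "fixes DKMS module build failure against the Bullseye kernel during upgrades to Bookworm, Closes: #1035511") would tie the changelog to the bug without relying on the BTS for context.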
diff -Nru iptables-netflow-2.6/debian/patches/cherry-pick_0901f028_fix_building_on_old_kernels.patch iptables-netflow-2.6/debian/patches/cherry-pick_0901f028_fix_building_on_old_kernels.patch
--- iptables-netflow-2.6/debian/patches/cherry-pick_0901f028_fix_building_on_old_kernels.patch 1970-01-01 01:00:00.000000000 +0100
+++ iptables-netflow-2.6/debian/patches/cherry-pick_0901f028_fix_building_on_old_kernels.patch 2023-05-10 17:21:46.000000000 +0200
@@ -0,0 +1,40 @@
+commit 0901f028617acca350132a65293ab80a480bf233
+Author: Vadim Fedorenko <vfedorenko@novek.ru>
+Date: Mon Mar 28 21:59:10 2022 +0300
+
+ fix building on old kernels
+
+ Link: https://github.com/aabc/ipt-netflow/pull/196
+
+diff --git a/compat.h b/compat.h
+index 6be9d6b..847117f 100644
+--- a/compat.h
++++ b/compat.h
+@@ -782,7 +782,14 @@ struct module *find_module(const char *name)
+ #endif
+
+ #ifndef HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT
++/*
++ * nat event callback parameter is constified in 5.15+
++ * but it prevents module building with previous kernel versions
++ */
++# define NF_CT_EVENT struct nf_ct_event
+ # define ct_event fcn
++#else
++# define NF_CT_EVENT const struct nf_ct_event
+ #endif
+
+ #endif /* COMPAT_NETFLOW_H */
+diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c
+index e042fe6..82805bc 100644
+--- a/ipt_NETFLOW.c
++++ b/ipt_NETFLOW.c
+@@ -4597,7 +4597,7 @@ static void rate_timer_calc(
+ #ifdef CONFIG_NF_NAT_NEEDED
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
+ static struct nf_ct_event_notifier *saved_event_cb __read_mostly = NULL;
+-static int netflow_conntrack_event(const unsigned int events, const struct nf_ct_event *item)
++static int netflow_conntrack_event(const unsigned int events, NF_CT_EVENT *item)
+ #else
+ static int netflow_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr)
+ #endif
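Review bot: the new patch file is a raw `git show`-style commit dump with no DEP-3 header, so the provenance is only recoverable from the file name and the commit line inside it. Prefixing it with `Origin: upstream, https://github.com/aabc/ipt-netflow/commit/0901f028617acca350132a65293ab80a480bf233` and `Bug-Debian: https://bugs.debian.org/1035511` (plus `Applied-Upstream:` with the upstream PR link already quoted in the body) would let tooling and future maintainers see at a glance that this is a verbatim upstream cherry-pick rather than a Debian-specific modification.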
diff -Nru iptables-netflow-2.6/debian/patches/series iptables-netflow-2.6/debian/patches/series
--- iptables-netflow-2.6/debian/patches/series 2023-01-20 11:27:09.000000000 +0100
+++ iptables-netflow-2.6/debian/patches/series 2023-05-10 17:21:58.000000000 +0200
@@ -4,3 +4,4 @@
dont-hardcode-current-gcc.patch
cherry-pick_66e43041_namespace_sk_error_report.patch
cherry-pick_6a55739a_fix_build_on_v5.15.patch
+cherry-pick_0901f028_fix_building_on_old_kernels.patch
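Review bot: the ordering matters here and deserves a comment in the series file or the patch header: the new patch sits after cherry-pick_6a55739a_fix_build_on_v5.15.patch, which per the [ Impact ] section is the change that introduced the old-kernel regression, and the compat.h hunk edits the `#ifndef HAVE_NF_CT_EVENT_NOTIFIER_CT_EVENT` block that the 5.15 fix added, so reordering or dropping the earlier patch would make this one fail to apply.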