Bug#1052479: bookworm-pu: package lxc/1:5.0.2-1+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-lxc-devel@lists.alioth.debian.org, gibmat@debian.org
Control: affects -1 + src:lxc

[ Reason ]
lxc 1:5.0.2-1 contains a typo in its IPv6 NAT rules, as reported in
#1049976. This prevents the lxc-net service from starting if
LXC_IPV6_NAT is set to true.

This was fixed in lxc version 5.0.3, which I have recently uploaded to
unstable. I would like to include this fix in bookworm's version of lxc
as it's a trivial fix affecting an actual Debian user.

[ Impact ]
IPv6 NAT is broken in bookworm's current version of lxc.

[ Tests ]
The changes have been reviewed and accepted by the upstream developers.

[ Risks ]
No risks -- a simple typo fix that has been fixed upstream since
February.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Backport upstream commit 4de047f51365cc06a626ee9de49fec5f76556c66,
which was included in lxc version 5.0.3. There's also a small change to
adjust the default branch used by gbp to reflect the new branch for
bookworm fixes.

[ Other info ]
The source debdiff is attached.
diff -Nru lxc-5.0.2/debian/changelog lxc-5.0.2/debian/changelog
--- lxc-5.0.2/debian/changelog	2023-01-17 02:53:00.000000000 +0000
+++ lxc-5.0.2/debian/changelog	2023-09-22 16:35:52.000000000 +0000
@@ -1,3 +1,10 @@
+lxc (1:5.0.2-1+deb12u1) bookworm; urgency=medium
+
+  * Cherry-pick upstream "fix nftables syntax for IPv6 NAT" (Closes: #1049976)
+  * Adjust branch in d/gbp.conf
+
+ -- Mathias Gibbens <gibmat@debian.org>  Fri, 22 Sep 2023 16:35:52 +0000
+
 lxc (1:5.0.2-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru lxc-5.0.2/debian/gbp.conf lxc-5.0.2/debian/gbp.conf
--- lxc-5.0.2/debian/gbp.conf	2023-01-17 02:53:00.000000000 +0000
+++ lxc-5.0.2/debian/gbp.conf	2023-09-22 16:35:47.000000000 +0000
@@ -1,3 +1,3 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = master
+debian-branch = debian/bookworm
diff -Nru lxc-5.0.2/debian/patches/0100-fix-nftables-ipv6.patch lxc-5.0.2/debian/patches/0100-fix-nftables-ipv6.patch
--- lxc-5.0.2/debian/patches/0100-fix-nftables-ipv6.patch	1970-01-01 00:00:00.000000000 +0000
+++ lxc-5.0.2/debian/patches/0100-fix-nftables-ipv6.patch	2023-09-22 16:35:47.000000000 +0000
@@ -0,0 +1,34 @@
+From 4de047f51365cc06a626ee9de49fec5f76556c66 Mon Sep 17 00:00:00 2001
+From: Quentin Lyons <36303164+n0p90@users.noreply.github.com>
+Date: Sun, 12 Feb 2023 02:03:42 +0000
+Subject: [PATCH] lxc-net.in: fix nftables syntax for IPv6 NAT
+
+The nftables masquarade rule for IPv6 was using the IPv4 syntax. This
+resulted in the following error when starting the lxc-net.service with
+LXC_IPV6_NAT="true" and nftables:
+
+    Feb 11 18:54:54 pc lxc-net[4936]: Error: conflicting protocols specified: ip6 vs. ip
+    Feb 11 18:54:54 pc lxc-net[4936]:                              ^^^^^^^^
+    Feb 11 18:54:54 pc lxc-net[4917]: Failed to setup lxc-net.
+    Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE
+    Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Failed with result 'exit-code'.
+    Feb 11 18:54:54 pc systemd[1]: Failed to start LXC network bridge setup.
+
+Signed-off-by: Quentin Lyons <36303164+n0p90@users.noreply.github.com>
+---
+ config/init/common/lxc-net.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in
+index efee9b96f0..e9ab88890a 100755
+--- a/config/init/common/lxc-net.in
++++ b/config/init/common/lxc-net.in
+@@ -92,7 +92,7 @@ start_nftables() {
+ add table ip6 lxc;
+ flush table ip6 lxc;
+ add chain ip6 lxc postrouting { type nat hook postrouting priority 100; };
+-add rule ip6 lxc postrouting ip saddr ${LXC_IPV6_NETWORK} ip daddr != ${LXC_IPV6_NETWORK} counter masquerade;
++add rule ip6 lxc postrouting ip6 saddr ${LXC_IPV6_NETWORK} ip6 daddr != ${LXC_IPV6_NETWORK} counter masquerade;
+ "
+     fi
+     NFT_RULESET="${NFT_RULESET};
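Review bot: No regression check accompanies the one-line change in start_nftables(), and the failure it fixes is a ruleset load error ("conflicting protocols specified: ip6 vs. ip") that only appears when lxc-net starts with LXC_IPV6_NAT="true" and nftables. A smoke test that starts lxc-net.service with that setting, or that feeds the generated ruleset to nft in check mode, would catch the same class of mistake in future edits to this block. On the documentation side, the patch header keeps the upstream From/Date/Subject lines but has no Debian-side reference; a Bug-Debian field pointing at #1049976 would tie 0100-fix-nftables-ipv6.patch to the report that the changelog entry closes.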
diff -Nru lxc-5.0.2/debian/patches/series lxc-5.0.2/debian/patches/series
--- lxc-5.0.2/debian/patches/series	2023-01-17 02:53:00.000000000 +0000
+++ lxc-5.0.2/debian/patches/series	2023-09-22 16:35:47.000000000 +0000
@@ -1,3 +1,4 @@
 0004-apparmor.d-Sets-container-base-accordingly-to-container-base.in.patch
 0005-lxc.service-Starts-after-remote-fs.target.patch
 0004-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch
+0100-fix-nftables-ipv6.patch
