--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: golang-github-google-nftables@packages.debian.org
Control: affects -1 + src:golang-github-google-nftables
Hi,
[ Reason ]
I'd like to fix the #1071247/#1071248 pair in bookworm, which results in
crowdsec-firewall-bouncer's being broken on little-endian architectures
(addresses are getting logged just fine, but they're not passed over
correctly to the firewall layer).
I've checked with the security team, this doesn't warrant a DSA.
This is the library part (golang-github-google-nftables).
[ Impact ]
If the fix doesn't make it into stable, crowdsec-firewall-bouncer
remains broken on little-endian architectures.
[ Tests ]
Same checks as for unstable when I uploaded the fixes there:
- amd64 (LE, baremetal) before: KO
- amd64 (LE, baremetal) after: OK
- s390x (BE, debvm) before: OK
- s390x (BE, debvm) after: OK
[ Risks ]
Except for a possible regression on s390x (which isn't the case, see
previous section), it cannot be worse than it currently is.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
Additionally, that reached testing.
[ Changes ]
The fix is a direct backport from upstream, which adds byte order
information to the function used by crowdsec-firewall-bouncer
(AddSet).
[ Other info ]
Next bug report is the crowdsec-firewall-bouncer part.
Cheers,
--
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
diff -Nru golang-github-google-nftables-0.1.0/debian/changelog golang-github-google-nftables-0.1.0/debian/changelog
--- golang-github-google-nftables-0.1.0/debian/changelog 2022-12-12 05:07:14.000000000 +0100
+++ golang-github-google-nftables-0.1.0/debian/changelog 2024-06-11 10:22:28.000000000 +0200
@@ -1,3 +1,18 @@
+golang-github-google-nftables (0.1.0-4~deb12u1) bookworm; urgency=medium
+
+ * Rebuild for bookworm.
+
+ -- Cyril Brulebois <cyril@debamax.com> Tue, 11 Jun 2024 10:22:28 +0200
+
+golang-github-google-nftables (0.1.0-4) unstable; urgency=high
+
+ * Backport upstream fix for the AddSet() function that's been reversing
+ byte order on all little-endian architectures (Closes: #1071247),
+ breaking crowdsec-firewall-bouncer (See: #1071248):
+ - 0002-Implement-set-KeyByteOrder-226.patch
+
+ -- Cyril Brulebois <cyril@debamax.com> Tue, 21 May 2024 09:42:17 +0200
+
golang-github-google-nftables (0.1.0-3) unstable; urgency=medium
* Backport fix from upstream to fix the test suite on 32-bit archs (the
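Review bot: the 0.1.0-4~deb12u1 entry only says "Rebuild for bookworm", so someone reading the stable changelog (or the tracker page for the deb12u1 upload) has to scroll into the 0.1.0-4 unstable entry to learn that this update exists to fix #1071247/#1071248; the bookworm entry should name the bug and the patch it carries, e.g. "Backport upstream fix for AddSet() reversing byte order on little-endian architectures (Closes: #1071247)", so that BTS version tracking and the stable changelog both tell the story on their own. The rest of the entry (maintainer, version suffix, distribution) looks right for a pu upload.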
diff -Nru golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch
--- golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch 1970-01-01 01:00:00.000000000 +0100
+++ golang-github-google-nftables-0.1.0/debian/patches/0002-Implement-set-KeyByteOrder-226.patch 2024-05-15 13:08:54.000000000 +0200
@@ -0,0 +1,42 @@
+From d746ecb0e494e7200180c3886fde9664d9100729 Mon Sep 17 00:00:00 2001
+From: turekt <32360115+turekt@users.noreply.github.com>
+Date: Thu, 18 May 2023 18:05:49 +0200
+Subject: [PATCH] Implement set KeyByteOrder (#226)
+
+Fixes https://github.com/google/nftables/issues/225
+Introduced KeyByteOrder in sets which fills UDATA with endianess information
+---
+ set.go | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/set.go b/set.go
+index 1ef8e89..b1f63e8 100644
+--- a/set.go
++++ b/set.go
+@@ -261,6 +261,9 @@ type Set struct {
+ Timeout time.Duration
+ KeyType SetDatatype
+ DataType SetDatatype
++ // Either host (binaryutil.NativeEndian) or big (binaryutil.BigEndian) endian as per
++ // https://git.netfilter.org/nftables/tree/include/datatype.h?id=d486c9e626405e829221b82d7355558005b26d8a#n109
++ KeyByteOrder binaryutil.ByteOrder
+ }
+
+ // SetElement represents a data point within a set.
+@@ -560,11 +563,11 @@ func (cc *Conn) AddSet(s *Set, vals []SetElement) error {
+ // Marshal concat size description as set description
+ tableInfo = append(tableInfo, netlink.Attribute{Type: unix.NLA_F_NESTED | unix.NFTA_SET_DESC, Data: concatBytes})
+ }
+- if s.Anonymous || s.Constant || s.Interval {
++ if s.Anonymous || s.Constant || s.Interval || s.KeyByteOrder == binaryutil.BigEndian {
+ tableInfo = append(tableInfo,
+ // Semantically useless - kept for binary compatability with nft
+ netlink.Attribute{Type: unix.NFTA_SET_USERDATA, Data: []byte("\x00\x04\x02\x00\x00\x00")})
+- } else if !s.IsMap {
++ } else if s.KeyByteOrder == binaryutil.NativeEndian {
+ // Per https://git.netfilter.org/nftables/tree/src/mnl.c?id=187c6d01d35722618c2711bbc49262c286472c8f#n1165
+ tableInfo = append(tableInfo,
+ netlink.Attribute{Type: unix.NFTA_SET_USERDATA, Data: []byte("\x00\x04\x01\x00\x00\x00")})
+--
+2.39.2
+
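Review bot: the second upstream hunk silently changes the default for every caller that does not set the new field: before, any non-map set fell into the `else if !s.IsMap` branch and got the host-endian userdata ("\x00\x04\x01\x00\x00\x00"); after, the branch is `else if s.KeyByteOrder == binaryutil.NativeEndian`, so a Set whose KeyByteOrder is left at its zero value emits no NFTA_SET_USERDATA at all, and maps are no longer excluded. That is why the library fix alone does nothing for crowdsec-firewall-bouncer and the companion upload has to opt in explicitly; it would be worth saying so in the Debian patch header (or carrying a one-line default of NativeEndian when KeyByteOrder is nil) so that other reverse dependencies in bookworm are not surprised. Two smaller points in the same hunk: the first branch still forces the big-endian value whenever Anonymous, Constant or Interval is set, so a caller asking for NativeEndian on an interval set is ignored; and the comment "Semantically useless - kept for binary compatability with nft" (typo aside) is now misleading, since the 0x01/0x02 byte in that TLV is exactly the key byte order nft reads back per the linked mnl.c reference.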
diff -Nru golang-github-google-nftables-0.1.0/debian/patches/series golang-github-google-nftables-0.1.0/debian/patches/series
--- golang-github-google-nftables-0.1.0/debian/patches/series 2022-12-12 05:04:34.000000000 +0100
+++ golang-github-google-nftables-0.1.0/debian/patches/series 2024-05-15 13:08:54.000000000 +0200
@@ -1 +1,2 @@
0001-alignedbuff-fix-alignment-test-issue-on-32-bit-archs.patch
+0002-Implement-set-KeyByteOrder-226.patch
--- End Message ---