Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-lxc-de...@lists.alioth.debian.org, gib...@debian.org
Control: affects -1 + src:lxc

[ Reason ]
lxc 1:5.0.2-1 contains a typo in its IPv6 NAT rules, as reported in #1049976. This prevents the lxc-net service from starting if LXC_IPV6_NAT is set to true. This was fixed in lxc version 5.0.3, which I have recently uploaded to unstable. I would like to include this fix in bookworm's version of lxc as it's a trivial fix affecting an actual Debian user.

[ Impact ]
IPv6 NAT is broken in bookworm's current version of lxc.

[ Tests ]
The changes have been reviewed and accepted by the upstream developers.

[ Risks ]
No risks -- a simple typo fix that has been fixed upstream since February.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

[ Changes ]
Backport upstream commit 4de047f51365cc06a626ee9de49fec5f76556c66, which was included in lxc version 5.0.3. There's also a small change to adjust the default branch used by gbp to reflect the new branch for bookworm fixes.

[ Other info ]
The source debdiff is attached.

diff -Nru lxc-5.0.2/debian/changelog lxc-5.0.2/debian/changelog --- lxc-5.0.2/debian/changelog 2023-01-17 02:53:00.000000000 +0000 +++ lxc-5.0.2/debian/changelog 2023-09-22 16:35:52.000000000 +0000 @@ -1,3 +1,10 @@ +lxc (1:5.0.2-1+deb12u1) bookworm; urgency=medium + + * Cherry-pick upstream "fix nftables syntax for IPv6 NAT" (Closes: #1049976) + * Adjust branch in d/gbp.conf + + -- Mathias Gibbens <gib...@debian.org> Fri, 22 Sep 2023 16:35:52 +0000 + lxc (1:5.0.2-1) unstable; urgency=medium * New upstream release diff -Nru lxc-5.0.2/debian/gbp.conf lxc-5.0.2/debian/gbp.conf --- lxc-5.0.2/debian/gbp.conf 2023-01-17 02:53:00.000000000 +0000 +++ lxc-5.0.2/debian/gbp.conf 2023-09-22 16:35:47.000000000 +0000 @@ -1,3 +1,3 @@ [DEFAULT] pristine-tar = True -debian-branch = master +debian-branch = debian/bookworm diff -Nru lxc-5.0.2/debian/patches/0100-fix-nftables-ipv6.patch lxc-5.0.2/debian/patches/0100-fix-nftables-ipv6.patch --- lxc-5.0.2/debian/patches/0100-fix-nftables-ipv6.patch 1970-01-01 00:00:00.000000000 +0000 +++ lxc-5.0.2/debian/patches/0100-fix-nftables-ipv6.patch 2023-09-22 16:35:47.000000000 +0000 
@@ -0,0 +1,34 @@ +From 4de047f51365cc06a626ee9de49fec5f76556c66 Mon Sep 17 00:00:00 2001 +From: Quentin Lyons <36303164+n0...@users.noreply.github.com> +Date: Sun, 12 Feb 2023 02:03:42 +0000 +Subject: [PATCH] lxc-net.in: fix nftables syntax for IPv6 NAT + +The nftables masquarade rule for IPv6 was using the IPv4 syntax. This +resulted in the following error when starting the lxc-net.service with +LXC_IPV6_NAT="true" and nftables: + + Feb 11 18:54:54 pc lxc-net[4936]: Error: conflicting protocols specified: ip6 vs. ip + Feb 11 18:54:54 pc lxc-net[4936]: ^^^^^^^^ + Feb 11 18:54:54 pc lxc-net[4917]: Failed to setup lxc-net. + Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE + Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Failed with result 'exit-code'. + Feb 11 18:54:54 pc systemd[1]: Failed to start LXC network bridge setup. + +Signed-off-by: Quentin Lyons <36303164+n0...@users.noreply.github.com> +--- + config/init/common/lxc-net.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in +index efee9b96f0..e9ab88890a 100755 +--- a/config/init/common/lxc-net.in ++++ b/config/init/common/lxc-net.in +@@ -92,7 +92,7 @@ start_nftables() { + add table ip6 lxc; + flush table ip6 lxc; + add chain ip6 lxc postrouting { type nat hook postrouting priority 100; }; +-add rule ip6 lxc postrouting ip saddr ${LXC_IPV6_NETWORK} ip daddr != ${LXC_IPV6_NETWORK} counter masquerade; ++add rule ip6 lxc postrouting ip6 saddr ${LXC_IPV6_NETWORK} ip6 daddr != ${LXC_IPV6_NETWORK} counter masquerade; + " + fi + NFT_RULESET="${NFT_RULESET}; diff -Nru lxc-5.0.2/debian/patches/series lxc-5.0.2/debian/patches/series --- lxc-5.0.2/debian/patches/series 2023-01-17 02:53:00.000000000 +0000 +++ lxc-5.0.2/debian/patches/series 2023-09-22 16:35:47.000000000 +0000 
@@ -1,3 +1,4 @@ 0004-apparmor.d-Sets-container-base-accordingly-to-container-base.in.patch 0005-lxc.service-Starts-after-remote-fs.target.patch 0004-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch +0100-fix-nftables-ipv6.patch
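
Review bot: the header of the new debian/patches/0100-fix-nftables-ipv6.patch keeps the upstream From/Date/Subject lines but has no reference to the Debian bug or an explicit origin, so someone reading the patch file alone cannot tell it closes #1049976 or that it is an unmodified upstream cherry-pick. Adding DEP-3 fields such as "Origin: upstream, <commit URL>" and "Bug-Debian: https://bugs.debian.org/1049976" above the "---" separator would record that. Since the one changed line sits inside the ruleset string built in start_nftables(), it is also worth confirming on a bookworm system with LXC_IPV6_NAT="true" that the generated ruleset now loads, for example by passing it to nft in check mode (nft -c) before the service is restarted.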
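
Review bot: in debian/patches/series the new entry uses a 0100 prefix while the existing context lines use 0004, 0005 and a second 0004, so the numbering does not say how the patches are grouped or ordered. If the 01xx range is meant to mark upstream cherry-picks as opposed to Debian-specific patches, a one-line "#" comment above the new entry in series would make that convention visible for later stable updates.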