Your message dated Tue, 13 Nov 2018 19:49:06 +0000
with message-id <e1gmegm-000g3s...@fasolo.debian.org>
and subject line Bug#909574: fixed in firewalld 0.6.3-2
has caused the Debian Bug report #909574,
regarding firewalld: FirewallBackend=nftables breaks NAT networks in libvirt
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
909574: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909574
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: firewalld
Version: 0.6.2-1
Severity: normal
From <https://firewalld.org/2018/07/nftables-backend>:
"The main consequence for users is that firewall rules created outside of
firewalld (e.g. libvirt, docker, user, etc) will take precedence over
firewalld’s rules."
but unfortunately also:
"For firewalld this means packets may be accepted early by custom iptables
or nftables rules, but will still be subject to firewalld’s rules."
libvirt starts dnsmasq:
# ss -lpn '( sport = 53 or sport = 67 )' | grep dnsmasq
udp UNCONN 0 0 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=3990102,fd=5))
udp UNCONN 0 0 0.0.0.0%virbr0:67 0.0.0.0:* users:(("dnsmasq",pid=3990102,fd=3))
tcp LISTEN 0 32 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=3990102,fd=6))
and adds some iptables rules:
# iptables-save | grep 'INPUT.*virbr.*ACCEPT'
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
As mentioned above, these rules aren't enough for the packet to be accepted;
nftables would need to be configured to accept 53/67 from virbr0 as well.
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains explains:
"if a packet gets accepted/dropped and there is a later chain in the same
hook which is ordered with a later priority, the packet will be evaluated
*again*"
According to https://bbs.archlinux.org/viewtopic.php?id=239362, this breaks
docker as well. :-(
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (980, 'testing-debug'), (980, 'testing'), (980, 'stable'), (500, 'unstable-debug'), (500, 'stable-debug'), (500, 'unstable'), (500, 'stable'), (200, 'experimental-debug'), (200, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages firewalld depends on:
ii dbus 1.12.10-1
ii gir1.2-glib-2.0 1.58.0-1
ii iptables 1.6.2-1.1
ii nftables 0.9.0-1
ii policykit-1 0.105-21
ii python3 3.6.6-1
ii python3-dbus 1.2.8-2+b1
ii python3-gi 3.30.1-1
ii python3-slip-dbus 0.6.5-2
Versions of packages firewalld recommends:
ii ebtables 2.0.10.4-5
ii ipset 6.34-1
firewalld suggests no packages.
-- Configuration Files:
/etc/firewalld/firewalld.conf [Errno 13] Operace zamítnuta: '/etc/firewalld/firewalld.conf'
/etc/firewalld/lockdown-whitelist.xml [Errno 13] Operace zamítnuta: '/etc/firewalld/lockdown-whitelist.xml'
-- no debconf information
--
Tomáš Janoušek, a.k.a. Pivník, a.k.a. Liskni_si, http://work.lisk.in/
--- End Message ---
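The report above rests on the nftables wiki's rule that an accept in one base chain does not stop later base chains on the same hook from evaluating the packet, while a drop is final. The following Python model is an added illustration and is not code from the bug report, firewalld or libvirt; the chain names, the hook priorities 0 and 10, the "strict zone" rules and the sample packets are constructed assumptions chosen to reproduce the symptom described (libvirt's early ACCEPT for DNS/DHCP on virbr0 is undone by a later firewalld chain) and to contrast it with a single-chain iptables-style traversal where an early ACCEPT is terminal.

```python
"""Toy model of nftables hook traversal versus a single iptables chain.

Semantics taken from the nftables wiki quote in the report:
  - base chains on one hook run in ascending priority order;
  - an accept ends only the current chain, later chains still see the packet;
  - a drop (or reject) is final.
All priorities, chain names and rules below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    iif: str     # ingress interface
    proto: str   # "udp" or "tcp"
    dport: int


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    verdict: str  # "accept" or "drop" (reject is modelled as drop)


@dataclass
class BaseChain:
    name: str
    priority: int                      # lower number runs first on the hook
    rules: List[Rule] = field(default_factory=list)
    policy: str = "accept"             # verdict when no rule matches

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.match(pkt):
                return rule.verdict
        return self.policy


def traverse_hook(chains: List[BaseChain], pkt: Packet) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (final verdict, per-chain trace) for one packet on one hook."""
    trace = []
    for chain in sorted(chains, key=lambda c: c.priority):
        verdict = chain.evaluate(pkt)
        trace.append((chain.name, verdict))
        if verdict == "drop":
            return "drop", trace       # a drop is final
        # an accept only ends this chain; the next chain evaluates the packet again
    return "accept", trace


def libvirt_chain(priority: int) -> BaseChain:
    """Models the four INPUT rules libvirt adds for virbr0 (see iptables-save above)."""
    def virbr0_service(proto: str, port: int) -> Callable[[Packet], bool]:
        return lambda p: p.iif == "virbr0" and p.proto == proto and p.dport == port

    rules = [Rule(virbr0_service(proto, port), "accept")
             for port in (53, 67) for proto in ("udp", "tcp")]
    return BaseChain("libvirt-INPUT", priority, rules, policy="accept")


def firewalld_like_chain(priority: int, allow_virbr0_dns_dhcp: bool) -> BaseChain:
    """Constructed strict input chain: loopback accepted, everything else dropped
    unless the zone explicitly opens DNS/DHCP on virbr0 (the 'fix' case)."""
    rules = [Rule(lambda p: p.iif == "lo", "accept")]
    if allow_virbr0_dns_dhcp:
        rules.append(Rule(lambda p: p.iif == "virbr0" and p.dport in (53, 67), "accept"))
    return BaseChain("firewalld-filter_INPUT", priority, rules, policy="drop")


# Constructed sample packets: a guest's DHCP request and DNS query arriving on virbr0.
DHCP_REQUEST = Packet("virbr0", "udp", 67)
DNS_QUERY = Packet("virbr0", "udp", 53)


def nftables_backend(pkt: Packet, fixed: bool = False):
    """Two base chains on the input hook; priorities 0 and 10 are assumptions."""
    chains = [libvirt_chain(0), firewalld_like_chain(10, fixed)]
    return traverse_hook(chains, pkt)


def iptables_backend(pkt: Packet):
    """One shared INPUT chain: libvirt's rules precede the strict rules, and the
    first matching ACCEPT is terminal, so the guest traffic gets through."""
    merged = BaseChain("INPUT", 0,
                       libvirt_chain(0).rules + firewalld_like_chain(0, False).rules,
                       policy="drop")
    return traverse_hook([merged], pkt)


if __name__ == "__main__":
    for label, result in [("nftables backend", nftables_backend(DHCP_REQUEST)),
                          ("nftables backend + zone fix", nftables_backend(DHCP_REQUEST, fixed=True)),
                          ("iptables backend", iptables_backend(DHCP_REQUEST))]:
        print(f"{label}: {result[0]}  trace={result[1]}")
```

Running the model shows the DHCP request accepted by the libvirt chain and then dropped by the later chain under the nftables layout, accepted once the later chain opens the services itself, and accepted outright under the single-chain layout.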
--- Begin Message ---
Source: firewalld
Source-Version: 0.6.3-2
We believe that the bug you reported is fixed in the latest version of
firewalld, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 909...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <bi...@debian.org> (supplier of updated firewalld package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 13 Nov 2018 20:20:40 +0100
Source: firewalld
Binary: firewalld firewall-applet firewall-config
Architecture: source
Version: 0.6.3-2
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Michael Biebl <bi...@debian.org>
Description:
firewall-applet - panel applet providing status information of firewalld
firewall-config - graphical configuration tool to change the firewall settings
firewalld - dynamically managed firewall with support for network zones
Closes: 909574
Changes:
firewalld (0.6.3-2) unstable; urgency=medium
.
* Switch firewall backend from nftables back to iptables (again)
When both firewalld and libvirt are installed, libvirt guests using NAT do
not have internet access. The problem is that libvirt is not compatible
(yet) with firewalld's new nftables backend. (Closes: #909574)
* Switch to compat level 12 and dh_installsystemd
Checksums-Sha1:
8337b50cc7fcca02e924f4e991d82428669cb9b8 2287 firewalld_0.6.3-2.dsc
f0d527f4d6926ca63835d8d09940452cd98405e9 8352 firewalld_0.6.3-2.debian.tar.xz
cefdc65b88e91d645c602554e5d0d300e0d9b7da 7193 firewalld_0.6.3-2_source.buildinfo
Checksums-Sha256:
a0b291856df9d259258137055a1ad6fc8a3837f09bd00b7444bdf66e8b9aca09 2287 firewalld_0.6.3-2.dsc
50ee9d4c2ade869b5ca9e663cf8ac2989e03231e633153acfc958241b86ff0d9 8352 firewalld_0.6.3-2.debian.tar.xz
9286ba99b80b2c17c1578019d99cbd075e5153eebdd4ab832afa6c99db31f211 7193 firewalld_0.6.3-2_source.buildinfo
Files:
0799e77df387faa372fd1df7f11d1fac 2287 net optional firewalld_0.6.3-2.dsc
7a313c14a8704e3f0a4ebb0e8e1c1e6f 8352 net optional firewalld_0.6.3-2.debian.tar.xz
9cae7d813a0bccae03123ce01f042aea 7193 net optional firewalld_0.6.3-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=Zv6x
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
Pkg-utopia-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers