[pkg-netfilter-team] Bug#929527: Bug#929527: Bug#914694

Arturo Borrero Gonzalez arturo at debian.org
Wed Jun 26 13:59:35 BST 2019


Control: severity -1 important

On 6/26/19 2:28 PM, Thomas Lamprecht wrote:
> 
> Hmm, but that's a grave issue which may just render the firewall void
> for _any_ intermediate chain and produces segmentation fault errors.
> 

The issue you found is not a general-case issue.
The segfault is apparently only produced if you:

* define a custom chain
* flush all rules of that custom chain (not required, because the chain was just
created)
* add a rule to that custom chain

all in the same batch.

I may understand that this is important for some scripts or robots making use of
the iptables interface in that particular way, but it is not the general case of
how people define and add rules to a custom chain/ruleset.
Because of this, I think we should lower the severity of this bug.

I understand it is annoying in your use case, and I'm sorry for that.
Thankfully, we already have an iptables version fixing the issue, but
unfortunately it won't make it to Debian Buster in the first round as I already
explained in my previous email.

> How about a minimal patch which places higher update-alternative priority
> to the -legacy parts of iptables so that the alternative currently
> working in Buster is used by default. Once the fixed nft based is rolled
> out the priorities could then be switched again (or if that cannot be done
> for a stable release, in Bullseye).
> 

No, sorry, we won't do this at this point.
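The batch shape Arturo describes (declare a custom chain, flush it, add a rule to it, all in one iptables-restore batch), as an added example that is not part of the thread and not code from the iptables project. It builds that batch for a hypothetical chain REPRO_CHAIN (the chain name and the RETURN target are assumptions for the demo), builds the variant without the redundant flush that the message notes is not required, and, only when iptables-restore is on PATH and the script runs as root, feeds the batch to iptables-restore --test so nothing is committed to the kernel.

```shell
#!/bin/sh
# Added example: reproduce the batch layout described in the message.
# Not from the thread or the iptables project; chain name and target are
# assumptions chosen for the demo.

# Emit a one-table iptables-restore batch for chain $1.
# With $2 = "flush" (the default) the batch contains the three steps the
# message names, in a single batch: declare the chain, flush it, add a rule.
# With $2 = "noflush" the redundant flush of a just-created chain is left out.
build_batch() {
  chain="$1"
  mode="${2:-flush}"
  printf '*filter\n'
  printf ':%s - [0:0]\n' "$chain"                  # define the custom chain
  [ "$mode" = "flush" ] && printf '%s %s\n' '-F' "$chain"   # flush the (still empty) chain
  printf '%s %s -j RETURN\n' '-A' "$chain"         # add a rule to the custom chain
  printf 'COMMIT\n'
}

# Return 0 when the batch on stdin contains, for chain $1, exactly the
# sequence the message describes (declare, then -F, then -A) and 1 otherwise.
batch_has_trigger() {
  awk -v d=":$1" -v c="$1" '
    $1 == d                              { stage = 1 }
    $1 == "-F" && $2 == c && stage == 1  { stage = 2 }
    $1 == "-A" && $2 == c && stage == 2  { stage = 3 }
    END { if (stage == 3) exit 0; exit 1 }
  '
}

batch=$(build_batch REPRO_CHAIN flush)
printf '%s\n' "$batch"

# --test parses and constructs the ruleset without committing it, so a
# working iptables-restore leaves the live firewall untouched. The tool needs
# CAP_NET_ADMIN even for --test, hence the root check.
if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
  if printf '%s\n' "$batch" | iptables-restore --test; then
    echo "batch accepted by $(command -v iptables-restore)"
  else
    echo "batch rejected or crashed (exit status $?)"
  fi
else
  echo "iptables-restore not run: needs the tool on PATH and root"
fi
```

On a Buster box, `iptables-restore` resolves through update-alternatives to either the nft-based or the legacy binary; comparing the two (`/usr/sbin/iptables-legacy-restore --test` against the default) on the same batch is the quickest way to see whether a given script is affected, and dropping the `-F` of a chain that the same batch just created avoids the sequence altogether.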


