Ubuntu
iptables package

Bug #1992454
Comment #38

Comment 38 for bug 1992454

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2023-05-25:

#38

iptables in excuses triggers tests in other packages. The excuses report doesn't show the fully green results anymore, so it's easy to miss them.

I think we can consider the ufw dep8 tests as sufficient for the case of "normal iptables usage hasn't regressed".

I ran the ufw debian/tests/root-unittest DEP8 test in a jammy vm, and checked with execsnoop that it was calling the real iptables during the tests, and not just pretending or calling a fake binary like the normal unittest test. I aborted it after a few minutes, because the extra logging was taking a lot of time, but here is a sample:

17:12:30 TIME TIME(s) UID PCOMM PID PPID RET ARGS
17:12:30 1.962 0 iptables 28768 28767 0 /usr/sbin/iptables --version
17:12:30 1.964 0 iptables 28773 28772 0 /usr/sbin/iptables --version
17:12:30 2.002 0 iptables 28817 28816 0 /usr/sbin/iptables -V
17:12:30 2.203 0 iptables 29060 29059 0 /usr/sbin/iptables -V
17:12:30 2.205 0 ip6tables 29062 29061 0 /sbin/ip6tables -L INPUT -n
17:12:30 2.205 0 iptables 29063 29061 0 /sbin/iptables -F ufw-logging-deny
17:12:30 2.206 0 iptables 29064 29061 0 /sbin/iptables -F ufw-logging-allow
(...)
17:12:30 2.552 0 iptables 29371 29225 0 /usr/sbin/iptables -D ufw-user-logging-forward -j RETURN
17:12:30 2.553 0 iptables 29372 29225 0 /usr/sbin/iptables -A ufw-after-logging-input -j LOG --log-prefix [UFW BLOCK] -m limit --limit 3/min --limit-burst 10
17:12:30 2.553 0 iptables 29373 29225 0 /usr/sbin/iptables -A ufw-after-logging-forward -j LOG --log-prefix [UFW BLOCK] -m limit --limit 3/min --limit-burst 10
17:12:30 2.554 0 iptables 29374 29225 0 /usr/sbin/iptables -I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
17:12:30 2.555 0 iptables 29375 29225 0 /usr/sbin/iptables -A ufw-logging-deny -j LOG --log-prefix [UFW BLOCK] -m limit --limit 3/min --limit-burst 10
17:12:30 2.555 0 iptables 29376 29225 0 /usr/sbin/iptables -A ufw-logging-allow -j LOG --log-prefix [UFW ALLOW] -m limit --limit 3/min --limit-burst 10
17:12:30 2.556 0 iptables 29377 29225 0 /usr/sbin/iptables -D ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix [UFW LIMIT BLOCK]
17:12:30 2.557 0 iptables 29378 29225 0 /usr/sbin/iptables -I ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix [UFW LIMIT BLOCK]
17:12:31 2.601 0 iptables 29380 29379 0 /usr/sbin/iptables -V
17:12:31 2.609 0 iptables 29383 29057 0 /usr/sbin/iptables -L -n
(...)

# grep iptables d-t-root-unittest.log |wc -l
9389

All these while iptables from jammy-proposed was installed:
# apt-cache policy iptables
iptables:
  Installed: 1.8.7-1ubuntu5.1
  Candidate: 1.8.7-1ubuntu5.1
  Version table:
*** 1.8.7-1ubuntu5.1 500
        500 http://br.archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages

With that in mind, let's confirm that the ufw dep8 tests ran with the iptables package from proposed for each ubuntu release:

# Kinetic
Results yaml: https://ubuntu-archive-team.ubuntu.com/proposed-migration/kinetic/update_excuses.yaml.xz

ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-kinetic/kinetic/amd64/u/ufw/20230515_201517_324f0@/log.gz

iptables from kinetic-proposed:
$ zgrep kinetic-proposed/main.*iptables log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu kinetic-proposed/main amd64 iptables amd64 1.8.7-1ubuntu6.1 [454 kB]

root-unittest passed:
$ zgrep ^root-unittest kinetic-log.gz
root-unittest PASS
root-unittest PASS

# Jammy
Results yaml:
https://ubuntu-archive-team.ubuntu.com/proposed-migration/jammy/update_excuses.yaml.xz

ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/u/ufw/20230516_174358_f55b2@/log.gz

iptables from jammy-proposed:
$ zgrep jammy-proposed/main.*iptables jammy-log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu jammy-proposed/main amd64 iptables amd64 1.8.7-1ubuntu5.1 [455 kB]

root-unittest passed:
$ zgrep ^root-unittest jammy-log.gz
root-unittest PASS
root-unittest PASS

# focal
Results yaml: https://ubuntu-archive-team.ubuntu.com/proposed-migration/focal/update_excuses.yaml.xz

ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-focal/focal/amd64/u/ufw/20230518_023831_3747d@/log.gz

iptables from focal-proposed:
$ zgrep focal-proposed/main.*iptables focal-log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu focal-proposed/main amd64 iptables amd64 1.8.4-3ubuntu2.1 [390 kB]

root-unittest passed:
$ zgrep ^root-unittest focal-log.gz
root-unittest PASS
root-unittest PASS

# bionic
Results yaml: https://ubuntu-archive-team.ubuntu.com/proposed-migration/bionic/update_excuses.yaml.xz

There is no ufw run for bionic (my luck). So let's pick something else. I thought about checking the docker.io DEP8 tests, since docker does use iptables to setup networking.

Turns out just by installing docker.io it already calls iptables multiple times via the service restart it does in postinst:
(...)
Get:1 http://br.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 docker.io amd64 20.10.21-0ubuntu1~18.04.3 [30.3 MB]
Fetched 30.3 MB in 1s (33.3 MB/s)
Preconfiguring packages ...
(Reading database ... 86244 files and directories currently installed.)
Preparing to unpack .../docker.io_20.10.21-0ubuntu1~18.04.3_amd64.deb ...
Unpacking docker.io (20.10.21-0ubuntu1~18.04.3) over (20.10.21-0ubuntu1~18.04.3) ...
Setting up docker.io (20.10.21-0ubuntu1~18.04.3) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

And execsnoop on bionic:
root@b-ipt:~# execsnoop-bpfcc -n tables
PCOMM PID PPID RET ARGS
iptables 28557 28524 0 /sbin/iptables --wait -t nat -L -n
iptables 28561 28524 0 /sbin/iptables --wait -L -n
iptables 28562 28524 0 /sbin/iptables --version
iptables 28563 28524 0 /sbin/iptables --wait -t filter -C FORWARD -j DOCKER-ISOLATION
iptables 28564 28524 0 /sbin/iptables --wait -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables 28566 28524 0 /sbin/iptables --wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER
iptables 28567 28524 0 /sbin/iptables --wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
(...)

ubuntu@b-ipt:~$ sudo docker network list
NETWORK ID NAME DRIVER SCOPE
69b1780a684a bridge bridge local
77b64dbf809d host host local
bb18e7f881ed none null local

And that was using the proposed version of iptables:
$ apt-cache policy iptables
iptables:
  Installed: 1.6.1-2ubuntu2.1
  Candidate: 1.6.1-2ubuntu2.1
  Version table:
*** 1.6.1-2ubuntu2.1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

So this, plus the fact that the docker.io DEP8 tests passed on bionic too, should be good for bionic.

iptables in excuses triggers tests in other packages. The excuses report doesn't show the fully green results anymore, so it's easy to miss them.

I think we can consider the ufw dep8 tests as sufficient for the case of "normal iptables usage hasn't regressed".

17:12:30 TIME     TIME(s) UID   PCOMM            PID    PPID   RET ARGS
17:12:30 1.962   0     iptables         28768  28767    0 /usr/sbin/iptables --version
17:12:30 1.964   0     iptables         28773  28772    0 /usr/sbin/iptables --version
17:12:30 2.002   0     iptables         28817  28816    0 /usr/sbin/iptables -V
17:12:30 2.203   0     iptables         29060  29059    0 /usr/sbin/iptables -V
17:12:30 2.205   0     ip6tables        29062  29061    0 /sbin/ip6tables -L INPUT -n
17:12:30 2.205   0     iptables         29063  29061    0 /sbin/iptables -F ufw-logging-deny
17:12:30 2.206   0     iptables         29064  29061    0 /sbin/iptables -F ufw-logging-allow
(...)
17:12:30 2.552   0     iptables         29371  29225    0 /usr/sbin/iptables -D ufw-user-logging-forward -j RETURN
17:12:30 2.553   0     iptables         29372  29225    0 /usr/sbin/iptables -A ufw-after-logging-input -j LOG --log-prefix [UFW BLOCK]  -m limit --limit 3/min --limit-burst 10
17:12:30 2.553   0     iptables         29373  29225    0 /usr/sbin/iptables -A ufw-after-logging-forward -j LOG --log-prefix [UFW BLOCK]  -m limit --limit 3/min --limit-burst 10
17:12:30 2.554   0     iptables         29374  29225    0 /usr/sbin/iptables -I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
17:12:30 2.555   0     iptables         29375  29225    0 /usr/sbin/iptables -A ufw-logging-deny -j LOG --log-prefix [UFW BLOCK]  -m limit --limit 3/min --limit-burst 10
17:12:30 2.555   0     iptables         29376  29225    0 /usr/sbin/iptables -A ufw-logging-allow -j LOG --log-prefix [UFW ALLOW]  -m limit --limit 3/min --limit-burst 10
17:12:30 2.556   0     iptables         29377  29225    0 /usr/sbin/iptables -D ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix [UFW LIMIT BLOCK]
17:12:30 2.557   0     iptables         29378  29225    0 /usr/sbin/iptables -I ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix [UFW LIMIT BLOCK]
17:12:31 2.601   0     iptables         29380  29379    0 /usr/sbin/iptables -V
17:12:31 2.609   0     iptables         29383  29057    0 /usr/sbin/iptables -L -n
(...)

# grep iptables d-t-root-unittest.log |wc -l
9389

All these while iptables from jammy-proposed was installed:
# apt-cache policy iptables
iptables:
  Installed: 1.8.7-1ubuntu5.1
  Candidate: 1.8.7-1ubuntu5.1
  Version table:
 *** 1.8.7-1ubuntu5.1 500
        500 http://br.archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages

With that in mind, let's confirm that the ufw dep8 tests ran with the iptables package from proposed for each ubuntu release:

# Kinetic
Results yaml: https://ubuntu-archive-team.ubuntu.com/proposed-migration/kinetic/update_excuses.yaml.xz

ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-kinetic/kinetic/amd64/u/ufw/20230515_201517_324f0@/log.gz

iptables from kinetic-proposed:
$ zgrep kinetic-proposed/main.*iptables log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu kinetic-proposed/main amd64 iptables amd64 1.8.7-1ubuntu6.1 [454 kB]

root-unittest passed:
$ zgrep ^root-unittest kinetic-log.gz 
root-unittest        PASS
root-unittest        PASS

# Jammy
Results yaml:
https://ubuntu-archive-team.ubuntu.com/proposed-migration/jammy/update_excuses.yaml.xz

ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/u/ufw/20230516_174358_f55b2@/log.gz

iptables from jammy-proposed:
$ zgrep jammy-proposed/main.*iptables jammy-log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu jammy-proposed/main amd64 iptables amd64 1.8.7-1ubuntu5.1 [455 kB]

root-unittest passed:
$ zgrep ^root-unittest jammy-log.gz 
root-unittest        PASS
root-unittest        PASS

# focal
Results yaml: https://ubuntu-archive-team.ubuntu.com/proposed-migration/focal/update_excuses.yaml.xz

ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-focal/focal/amd64/u/ufw/20230518_023831_3747d@/log.gz

iptables from focal-proposed:
$ zgrep focal-proposed/main.*iptables focal-log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu focal-proposed/main amd64 iptables amd64 1.8.4-3ubuntu2.1 [390 kB]

root-unittest passed:
$ zgrep ^root-unittest focal-log.gz 
root-unittest        PASS
root-unittest        PASS

# bionic
Results yaml: https://ubuntu-archive-team.ubuntu.com/proposed-migration/bionic/update_excuses.yaml.xz

There is no ufw run for bionic (my luck). So let's pick something else. I thought about checking the docker.io DEP8 tests, since docker does use iptables to setup networking.

Turns out just by installing docker.io it already calls iptables multiple times via the service restart it does in postinst:
(...)
Get:1 http://br.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 docker.io amd64 20.10.21-0ubuntu1~18.04.3 [30.3 MB]
Fetched 30.3 MB in 1s (33.3 MB/s)    
Preconfiguring packages ...
(Reading database ... 86244 files and directories currently installed.)
Preparing to unpack .../docker.io_20.10.21-0ubuntu1~18.04.3_amd64.deb ...
Unpacking docker.io (20.10.21-0ubuntu1~18.04.3) over (20.10.21-0ubuntu1~18.04.3) ...
Setting up docker.io (20.10.21-0ubuntu1~18.04.3) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

And execsnoop on bionic:
root@b-ipt:~# execsnoop-bpfcc  -n tables
PCOMM            PID    PPID   RET ARGS
iptables         28557  28524    0 /sbin/iptables --wait -t nat -L -n
iptables         28561  28524    0 /sbin/iptables --wait -L -n
iptables         28562  28524    0 /sbin/iptables --version
iptables         28563  28524    0 /sbin/iptables --wait -t filter -C FORWARD -j DOCKER-ISOLATION
iptables         28564  28524    0 /sbin/iptables --wait -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables         28566  28524    0 /sbin/iptables --wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER
iptables         28567  28524    0 /sbin/iptables --wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
(...)

ubuntu@b-ipt:~$ sudo docker network list
NETWORK ID     NAME      DRIVER    SCOPE
69b1780a684a   bridge    bridge    local
77b64dbf809d   host      host      local
bb18e7f881ed   none      null      local

And that was using the proposed version of iptables:
$ apt-cache policy iptables
iptables:
  Installed: 1.6.1-2ubuntu2.1
  Candidate: 1.6.1-2ubuntu2.1
  Version table:
 *** 1.6.1-2ubuntu2.1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

So this, plus the fact that the docker.io DEP8 tests passed on bionic too, should be good for bionic.

Ubuntuiptables package

Comment 38 for bug 1992454

Ubuntu
iptables package