iptables in excuses triggers tests in other packages. The excuses report doesn't show the fully green results anymore, so it's easy to miss them.
I think we can consider the ufw dep8 tests as sufficient for the case of "normal iptables usage hasn't regressed".
I ran the ufw debian/tests/root-unittest DEP8 test in a jammy vm, and checked with execsnoop that it was calling the real iptables during the tests, and not just pretending or calling a fake binary like the normal unittest test. I aborted it after a few minutes, because the extra logging was taking a lot of time, but here is a sample:
TIME TIME(s) UID PCOMM PID PPID RET ARGS
17:12:30 1.962 0 iptables 28768 28767 0 /usr/sbin/iptables --version
17:12:30 1.964 0 iptables 28773 28772 0 /usr/sbin/iptables --version
17:12:30 2.002 0 iptables 28817 28816 0 /usr/sbin/iptables -V
17:12:30 2.203 0 iptables 29060 29059 0 /usr/sbin/iptables -V
17:12:30 2.205 0 ip6tables 29062 29061 0 /sbin/ip6tables -L INPUT -n
17:12:30 2.205 0 iptables 29063 29061 0 /sbin/iptables -F ufw-logging-deny
17:12:30 2.206 0 iptables 29064 29061 0 /sbin/iptables -F ufw-logging-allow
(...)
17:12:30 2.552 0 iptables 29371 29225 0 /usr/sbin/iptables -D ufw-user-logging-forward -j RETURN
17:12:30 2.553 0 iptables 29372 29225 0 /usr/sbin/iptables -A ufw-after-logging-input -j LOG --log-prefix [UFW BLOCK] -m limit --limit 3/min --limit-burst 10
17:12:30 2.553 0 iptables 29373 29225 0 /usr/sbin/iptables -A ufw-after-logging-forward -j LOG --log-prefix [UFW BLOCK] -m limit --limit 3/min --limit-burst 10
17:12:30 2.554 0 iptables 29374 29225 0 /usr/sbin/iptables -I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
17:12:30 2.555 0 iptables 29375 29225 0 /usr/sbin/iptables -A ufw-logging-deny -j LOG --log-prefix [UFW BLOCK] -m limit --limit 3/min --limit-burst 10
17:12:30 2.555 0 iptables 29376 29225 0 /usr/sbin/iptables -A ufw-logging-allow -j LOG --log-prefix [UFW ALLOW] -m limit --limit 3/min --limit-burst 10
17:12:30 2.556 0 iptables 29377 29225 0 /usr/sbin/iptables -D ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix [UFW LIMIT BLOCK]
17:12:30 2.557 0 iptables 29378 29225 0 /usr/sbin/iptables -I ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix [UFW LIMIT BLOCK]
17:12:31 2.601 0 iptables 29380 29379 0 /usr/sbin/iptables -V
17:12:31 2.609 0 iptables 29383 29057 0 /usr/sbin/iptables -L -n
(...)
# grep iptables d-t-root-unittest.log |wc -l
9389
All these while iptables from jammy-proposed was installed:
# apt-cache policy iptables
iptables:
  Installed: 1.8.7-1ubuntu5.1
  Candidate: 1.8.7-1ubuntu5.1
  Version table:
 *** 1.8.7-1ubuntu5.1 500
        500 http://br.archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
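As an added example (not part of the original comment), a small shell helper that summarises an execsnoop trace like the one above: it counts exec() calls per binary path for the iptables family and lists every executed path that is not the packaged /sbin or /usr/sbin location, which is the quick way to tell a real iptables from a wrapper or fake binary. It locates the ARGS column by the first field that starts with "/", so it reads both the -T -t layout shown for jammy (TIME, TIME(s), UID columns) and the plain -n layout shown for bionic. The trace embedded in it is constructed, and the /tmp/fake/iptables line is a made-up entry to show what a non-packaged binary would look like in the report.

```shell
#!/bin/sh
# Added example, not from the original comment: summarise an execsnoop trace
# to confirm which iptables binaries a test actually executed.
# Column layout assumed (execsnoop-bpfcc -T -t): TIME TIME(s) UID PCOMM PID PPID RET ARGS;
# the -n layout (PCOMM PID PPID RET ARGS) works too, since the path is located by
# its leading "/" rather than by a fixed column number.

# Constructed sample trace (not real captured output; shaped like the page's).
# The /tmp/fake/iptables entry is made up to exercise unexpected_paths().
SAMPLE_TRACE='TIME TIME(s) UID PCOMM PID PPID RET ARGS
17:12:30 1.962 0 iptables 28768 28767 0 /usr/sbin/iptables --version
17:12:30 2.205 0 ip6tables 29062 29061 0 /sbin/ip6tables -L INPUT -n
17:12:30 2.205 0 iptables 29063 29061 0 /sbin/iptables -F ufw-logging-deny
17:12:30 2.554 0 iptables 29374 29225 0 /usr/sbin/iptables -I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN
17:12:30 2.600 1000 iptables 29380 29379 0 /tmp/fake/iptables -V'

# Read a trace on stdin; print "<count> <path>" for every iptables-family
# binary that was executed, most frequent first.
exec_counts() {
    awk '{
           path = ""
           for (i = 1; i <= NF; i++) if ($i ~ /^\//) { path = $i; break }
           if (path ~ /\/ip6?tables[^\/]*$/) n[path]++
         }
         END { for (p in n) print n[p], p }' | sort -rn
}

# Total number of iptables-family executions in the trace on stdin.
exec_total() {
    exec_counts | awk '{ s += $1 } END { print s + 0 }'
}

# Paths that are not the packaged /sbin or /usr/sbin binaries, i.e. the test
# ran a wrapper or fake iptables instead of the real one. Empty output is good.
unexpected_paths() {
    exec_counts | awk '$2 !~ /^\/(usr\/)?sbin\/ip6?tables/ { print $2 }'
}

# Stand-alone demonstration on the constructed trace.
printf '%s\n' "$SAMPLE_TRACE" | exec_counts
echo "total: $(printf '%s\n' "$SAMPLE_TRACE" | exec_total)"
echo "unexpected: $(printf '%s\n' "$SAMPLE_TRACE" | unexpected_paths)"
```

On a real run, feed the saved trace in with `exec_counts < d-t-root-unittest.log` (or `grep iptables` it first, as above) and check that `unexpected_paths` prints nothing; on merged-/usr releases both /sbin and /usr/sbin paths resolve to the same packaged binary, which is why both are accepted.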
With that in mind, let's confirm that the ufw dep8 tests ran with the iptables package from proposed for each ubuntu release:
# Kinetic
Results yaml: https://ubuntu-archive-team.ubuntu.com/proposed-migration/kinetic/update_excuses.yaml.xz
ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-kinetic/kinetic/amd64/u/ufw/20230515_201517_324f0@/log.gz
iptables from kinetic-proposed:
$ zgrep kinetic-proposed/main.*iptables log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu kinetic-proposed/main amd64 iptables amd64 1.8.7-1ubuntu6.1 [454 kB]
root-unittest passed:
$ zgrep ^root-unittest kinetic-log.gz
root-unittest PASS
root-unittest PASS
# Jammy
Results yaml: https://ubuntu-archive-team.ubuntu.com/proposed-migration/jammy/update_excuses.yaml.xz
ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/u/ufw/20230516_174358_f55b2@/log.gz
iptables from jammy-proposed:
$ zgrep jammy-proposed/main.*iptables jammy-log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu jammy-proposed/main amd64 iptables amd64 1.8.7-1ubuntu5.1 [455 kB]
root-unittest passed:
$ zgrep ^root-unittest jammy-log.gz
root-unittest PASS
root-unittest PASS
# focal
Results yaml: https://ubuntu-archive-team.ubuntu.com/proposed-migration/focal/update_excuses.yaml.xz
ufw/amd64 log: https://autopkgtest.ubuntu.com/results/autopkgtest-focal/focal/amd64/u/ufw/20230518_023831_3747d@/log.gz
iptables from focal-proposed:
$ zgrep focal-proposed/main.*iptables focal-log.gz |head -n 1
Get:1 http://ftpmaster.internal/ubuntu focal-proposed/main amd64 iptables amd64 1.8.4-3ubuntu2.1 [390 kB]
root-unittest passed:
$ zgrep ^root-unittest focal-log.gz
root-unittest PASS
root-unittest PASS
# bionic
Results yaml: https://ubuntu-archive-team.ubuntu.com/proposed-migration/bionic/update_excuses.yaml.xz
There is no ufw run for bionic (my luck). So let's pick something else. I thought about checking the docker.io DEP8 tests, since docker does use iptables to set up networking.
Turns out just by installing docker.io it already calls iptables multiple times via the service restart it does in postinst:
(...)
Get:1 http://br.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 docker.io amd64 20.10.21-0ubuntu1~18.04.3 [30.3 MB]
Fetched 30.3 MB in 1s (33.3 MB/s)
Preconfiguring packages ...
(Reading database ... 86244 files and directories currently installed.)
Preparing to unpack .../docker.io_20.10.21-0ubuntu1~18.04.3_amd64.deb ...
Unpacking docker.io (20.10.21-0ubuntu1~18.04.3) over (20.10.21-0ubuntu1~18.04.3) ...
Setting up docker.io (20.10.21-0ubuntu1~18.04.3) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
And execsnoop on bionic:
root@b-ipt:~# execsnoop-bpfcc -n tables
PCOMM PID PPID RET ARGS
iptables 28557 28524 0 /sbin/iptables --wait -t nat -L -n
iptables 28561 28524 0 /sbin/iptables --wait -L -n
iptables 28562 28524 0 /sbin/iptables --version
iptables 28563 28524 0 /sbin/iptables --wait -t filter -C FORWARD -j DOCKER-ISOLATION
iptables 28564 28524 0 /sbin/iptables --wait -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables 28566 28524 0 /sbin/iptables --wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER
iptables 28567 28524 0 /sbin/iptables --wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
(...)
ubuntu@b-ipt:~$ sudo docker network list
NETWORK ID NAME DRIVER SCOPE
69b1780a684a bridge bridge local
77b64dbf809d host host local
bb18e7f881ed none null local
And that was using the proposed version of iptables:
$ apt-cache policy iptables
iptables:
  Installed: 1.6.1-2ubuntu2.1
  Candidate: 1.6.1-2ubuntu2.1
  Version table:
 *** 1.6.1-2ubuntu2.1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
So this, plus the fact that the docker.io DEP8 tests passed on bionic too, should be good for bionic.
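As an added example (not part of the original comment), the per-release zgrep checks above turned into a reusable shell helper: given an autopkgtest log and a release name, it extracts the iptables version apt fetched from <release>-proposed, reads the root-unittest PASS/FAIL line, and only reports success when both match what the SRU verification needs. It assumes the log layout quoted above (an apt "Get:N <url> <release>-proposed/main amd64 iptables amd64 <version> [size]" line and a "root-unittest PASS" summary line). The two sample logs it writes are constructed, not real autopkgtest output; the jammy one mirrors the Get: line quoted above, and the stale one uses a placeholder version from the release pocket to show the check failing when the test did not pick up the proposed package.

```shell
#!/bin/sh
# Added example, not from the original comment: check that an autopkgtest log
# ran against iptables from <release>-proposed and that root-unittest passed.
# Assumes the log lines seen on the page:
#   Get:N <url> <release>-proposed/main amd64 iptables amd64 <version> [size]
#   root-unittest PASS

read_log() {
    # Real autopkgtest logs are served as log.gz; plain text files are accepted too.
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print the iptables version apt fetched from <release>-proposed, or nothing
# if the test installed iptables from the release/updates pocket instead.
proposed_iptables_version() {
    read_log "$1" | awk -v rel="$2" \
        '$1 ~ /^Get:[0-9]+$/ && $3 == (rel "-proposed/main") && $5 == "iptables" { print $7; exit }'
}

# Print the result recorded for the root-unittest test (PASS/FAIL), if any.
root_unittest_result() {
    read_log "$1" | awk '$1 == "root-unittest" { print $2; exit }'
}

# Succeed only if the log shows the expected proposed iptables AND a PASS;
# otherwise print the reason and fail, so a loop over releases stops on the gap.
verify_release() {
    log="$1"; rel="$2"; expected="$3"
    got=$(proposed_iptables_version "$log" "$rel")
    if [ "$got" != "$expected" ]; then
        echo "$rel: expected iptables $expected from ${rel}-proposed, log shows '${got:-none}'"
        return 1
    fi
    result=$(root_unittest_result "$log")
    if [ "$result" != "PASS" ]; then
        echo "$rel: root-unittest result is '${result:-missing}'"
        return 1
    fi
    echo "$rel: iptables $got from proposed, root-unittest PASS"
}

# Constructed sample logs (not real autopkgtest output) for a self-check.
# The stale log's version is a placeholder, not a real package version.
write_sample_logs() {
    cat > "$1/jammy-log.txt" <<'EOF'
Get:1 http://ftpmaster.internal/ubuntu jammy-proposed/main amd64 iptables amd64 1.8.7-1ubuntu5.1 [455 kB]
root-unittest PASS
root-unittest PASS
EOF
    cat > "$1/stale-log.txt" <<'EOF'
Get:1 http://ftpmaster.internal/ubuntu jammy/main amd64 iptables amd64 0.0-PLACEHOLDER [455 kB]
root-unittest PASS
EOF
}

# Stand-alone demonstration on the constructed logs.
tmp=$(mktemp -d)
write_sample_logs "$tmp"
verify_release "$tmp/jammy-log.txt" jammy 1.8.7-1ubuntu5.1
verify_release "$tmp/stale-log.txt" jammy 1.8.7-1ubuntu5.1 || true
rm -rf "$tmp"
```

Against the real files this is `verify_release jammy-log.gz jammy 1.8.7-1ubuntu5.1`, and the same call with the kinetic and focal logs and their versions from the Get: lines above; the stale case is the one worth keeping around, because a green root-unittest against the wrong iptables is exactly the result the excuses page would not flag.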