Bug 2236501
| Summary: | Cannot run iptables-restore with iptables 1.8.5-8 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | bartosz.bezak |
| Component: | iptables | Assignee: | Phil Sutter <psutter> |
| Status: | CLOSED ERRATA | QA Contact: | Tomas Dolezal <todoleza> |
| Severity: | high | Priority: | unspecified |
| Version: | CentOS Stream | CC: | bstinson, jpeska, jwboyer, noonedeadpunk, psutter, qe-baseos-daemons, shdunne, todoleza, ykulkarn |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.9 | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | OS: | Linux |
| Fixed In Version: | iptables-1.8.5-10.el8_9 | Doc Type: | If docs needed, set a value |
| Last Closed: | 2023-11-14 15:51:50 UTC | Type: | Bug |

Description
bartosz.bezak
2023-08-31 13:16:13 UTC
Noticed in OpenStack CI: https://paste.opendev.org/show/bChNEGSL52bI3R7At4b1/

Thanks for the report. We're in exception phase already, how urgently do you need this fixed?

Ah, for a workaround, specify the desired chain policy (i.e., "ACCEPT" or "DROP") instead of "-". What is the purpose of explicitly specifying base chains as ':<NAME> - [0:0]' in a flushing restore call, BTW? From my perspective, it should be a noop, no?

Thank you Phil for picking this one up quickly. We're already pinning iptables to 1.8.4 in our project container build pipeline - in CentOS Stream 8 - https://review.opendev.org/c/openstack/kolla/+/893364 so it is not urgent for us. However this looks like an obvious bugfix backport omission, so probably an easy fix, and it can be disruptive for users - as you can see in Additional info section - it was fixed almost 3 years ago upstream.

Hereby requesting exception+ for this regression introduced by the package rebase.

Jiri, please provide qa_ack+ and perform pre-verification based on either above scratch build or the c8s MR created for this ticket: https://gitlab.com/redhat/centos-stream/rpms/iptables/-/merge_requests/47 Thanks!

Setting Verified:Tested given the scratch build passes CI (and the added test shows up in test logs).

Tested rpms from https://kojihub.stream.centos.org/koji/buildinfo?buildID=37005, looks good:

```
dnf install iptables-1.8.5-9.el8.x86_64.rpm iptables-libs-1.8.5-9.el8.x86_64.rpm
iptables-restore <<EOF
> *filter
> :INPUT - [0:0]
> COMMIT
> EOF
echo $?
0
```

This is now affecting Puppet OpenStack project CI, and is blocking some backport work needed for RHOSP17.1. I'm wondering if we can get the fixed version released early in CentOS Stream 8 to unblock that, instead of implementing a tricky workaround to pin and downgrade iptables in multiple CI.

This ticket has been approved for exception handling and therefore could still be added to the RHEL8.9 y-stream errata. Since you picked up the rebase pre-GA, I assume you're consuming nightly builds, so you should see the fixed package soon.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (iptables bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:7184
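
A pre-flight check for the workaround discussed in this thread, as an added example that is not part of the bug report or the iptables package: it scans a ruleset in iptables-save format and reports every built-in chain declared with policy "-", so the policy can be set explicitly before the file reaches an affected iptables-restore. The function names `find_dash_policies` and `sample_ruleset` are hypothetical and the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example: report built-in chains declared with policy "-" in an
# iptables-save style ruleset read from stdin. User-defined chains are
# skipped, because "-" is their normal policy field.

# find_dash_policies: prints "line:table:chain" for each finding.
find_dash_policies() {
    awk '
    BEGIN {
        # Built-in chains of the standard netfilter tables.
        b["filter"]   = " INPUT FORWARD OUTPUT "
        b["nat"]      = " PREROUTING INPUT OUTPUT POSTROUTING "
        b["mangle"]   = " PREROUTING INPUT FORWARD OUTPUT POSTROUTING "
        b["raw"]      = " PREROUTING OUTPUT "
        b["security"] = " INPUT FORWARD OUTPUT "
    }
    /^\*/ { table = substr($1, 2); next }   # "*filter" opens a table section
    /^:/  {                                 # ":CHAIN POLICY [pkts:bytes]"
        chain = substr($1, 2)
        if ($2 == "-" && index(b[table], " " chain " ") > 0)
            printf "%d:%s:%s\n", NR, table, chain
    }
    '
}

# sample_ruleset: constructed input, not taken from the CI paste.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT - [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:my-chain - [0:0]
-A INPUT -j my-chain
COMMIT
*nat
:PREROUTING - [0:0]
COMMIT
EOF
}

# Stand-alone run: list the findings for the constructed sample.
sample_ruleset | find_dash_policies
```

The check only reports; which policy ("ACCEPT" or "DROP") replaces each "-" is left to the operator, since that choice changes what the chain does with unmatched packets.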