FS#60062 - [iptables] Missing ebtables-save, ebtables-restore scripts

Attached to Project: Arch Linux
Opened by Deposite Pirate (dpirate) - Friday, 14 September 2018, 17:28 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Monday, 24 September 2018, 07:39 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Ronald van Haren (pressh)
Bartłomiej Piotrowski (Barthalion)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 5
Private No

Details

Description:

The ebtables package was recently obsoleted and ebtables is now part of the iptables package. The package does include '/usr/lib/systemd/system/ebtables.service' and '/usr/lib/systemd/scripts/ebtables' which require 'ebtables-restore' and 'ebtables-save' to work. These are missing from the package. Furthermore, the /etc/ebtables.conf file is also missing. The existing /etc/ebtables.conf after upgrade has .pacsave appended to it. This is a critical bug that can easily break hosts making them completely unreachable without physical access to them. Some people using ebtables (for example BROUTING) are going to have a nasty surprise if they restart their router before this gets fixed.

Additional info:

iptables-1.8.0-1
iptables-1.8.0-2

Closed by  Bartłomiej Piotrowski (Barthalion)
Monday, 24 September 2018, 07:39 GMT
Reason for closing:  Fixed
Additional comments about closing:  Downgraded to 1.6.x.
Comment by loqs (loqs) - Friday, 14 September 2018, 23:01 GMT
Also seems usr/lib/systemd/scripts/arptables references arptables-restore, arptables-save and the config file /etc/arptables.conf which are not provided either.
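A pre-reboot check for the breakage reported in the description and in the comment above, written as an added example (it is not part of this task or of the Arch package): it verifies that every -save/-restore helper referenced by the packaged scripts exists, and that the rule file was not left behind as .pacsave. The function name and its root-directory argument are assumptions made for the example; the paths are the ones named in this report.

```shell
#!/bin/sh
# Added example: verify that bridge/ARP filter rules can still be restored
# at boot. Usage on a live host:  check_tables_persistence / ebtables arptables
# ROOT is the filesystem root to inspect ("/" normally; another directory
# lets the check run against an extracted package or a test tree).
check_tables_persistence() {
    root=${1%/}; shift
    missing=0
    for tool in "$@"; do
        script="$root/usr/lib/systemd/scripts/$tool"
        # No packaged helper script for this tool: nothing depends on it.
        [ -e "$script" ] || continue
        for helper in "$tool-save" "$tool-restore"; do
            # Only require helpers the script actually references.
            grep -qF -- "$helper" "$script" || continue
            found=0
            for dir in usr/bin usr/sbin bin sbin; do
                [ -x "$root/$dir/$helper" ] && found=1 && break
            done
            if [ "$found" -eq 0 ]; then
                echo "MISSING helper: $helper (referenced by $script)"
                missing=$((missing + 1))
            fi
        done
        conf="$root/etc/$tool.conf"
        if [ ! -e "$conf" ]; then
            if [ -e "$conf.pacsave" ]; then
                # pacman renamed the rules file when the old package was removed.
                echo "MISSING config: $conf (rules are in $conf.pacsave)"
            else
                echo "MISSING config: $conf"
            fi
            missing=$((missing + 1))
        fi
    done
    # Exit status 0 only when every referenced helper and config is present.
    [ "$missing" -eq 0 ]
}
```

A non-zero status means the unit would fail to restore rules on the next boot, so the host should not be restarted until the listed items are back.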
Comment by Deposite Pirate (dpirate) - Saturday, 15 September 2018, 08:25 GMT
Another problem also is the ebtables included with iptables 1.8.0 has no support for BROUTING. The regular ebtables needs to be restored until this is fixed as well.
Comment by nfnty (nfnty) - Saturday, 15 September 2018, 15:45 GMT
Most features are broken with the new `ebtables`. Man page is missing as well.
Comment by James (slimjim2234) - Wednesday, 19 September 2018, 11:55 GMT
Firewalld will not work properly without ebtables-restore and ebtables-save or the iptables equivalent. The routing tables get flushed upon shutting down or restarting firewalld. My only workaround as of now is to not use firewalld until iptables completely implements obsolete ebtables functionality.
Comment by Bartłomiej Piotrowski (Barthalion) - Wednesday, 19 September 2018, 12:49 GMT
Ronald, why did you move new iptables from testing? It was there exactly because of such issues.
Comment by Ronald van Haren (pressh) - Wednesday, 19 September 2018, 12:54 GMT
My mistake, I was unaware. Shall I push a force downgrade to 1.6.x?
Comment by Bartłomiej Piotrowski (Barthalion) - Wednesday, 19 September 2018, 12:57 GMT
Yeah, the fastest way will be a revert + epoch.
Comment by Ronald van Haren (pressh) - Wednesday, 19 September 2018, 13:20 GMT
Just pushed 1.6.2 to [testing]. Can you signoff so I can move this quickly?

I'll add the latest 1.8 back to testing after.
Comment by ILMostro (ILMostro) - Thursday, 20 September 2018, 01:28 GMT
Downgrade fails

:: Synchronizing package databases...
testing is up to date
core is up to date
extra is up to date
community-testing is up to date
community is up to date
multilib-testing is up to date
multilib is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
:: installing iptables (1:1.6.2-3) breaks dependency 'ebtables' required by docker-machine-driver-kvm2
:: installing iptables (1:1.6.2-3) breaks dependency 'ebtables' required by docker-machine-kvm
:: installing iptables (1:1.6.2-3) breaks dependency 'ebtables' required by firewalld

Comment by Eli Schwartz (eschwartz) - Thursday, 20 September 2018, 02:49 GMT
This happens because a --sysupgrade *removed* the iptables package that provides ebtables, and there is nothing telling pacman to *install* a package which does provide it.

So, it breaks the dependency.

The solution is to pacman -Syu ebtables

Or pacman -Syu firewalld (or any other package which in the general case is missing such a dependency), which will *reinstall* firewalld while at the same time, re-pulling all its dependencies, thereby adding extra/ebtables to the "to-be-installed" list. Which causes the dependencies to match, and the upgrade can go through.

There's really no way to solve this outside of that, though.
Comment by Bartłomiej Piotrowski (Barthalion) - Thursday, 20 September 2018, 09:30 GMT
I have rebuilt firewalld so pacman is able to correctly install ebtables from [extra] now. I can't do anything about AUR packages though.
Comment by Sébastien Luttringer (seblu) - Saturday, 22 September 2018, 22:08 GMT
Despite upgrade to testing/1:1.6.2-3, a pacman upgrade (-Su) proposes to replace arptables and ebtables by iptables and to upgrade it to 1.8.0.

# pacman -S iptables arptables ebtables
...
# pacman -Ss ^iptables
testing/iptables 1:1.6.2-3 [installed]
Linux kernel packet control tool
core/iptables 1.8.0-1 [installed: 1:1.6.2-3]
Linux kernel packet control tool
# pacman -Su
:: Starting full system upgrade...
:: Replace arptables with core/iptables? [Y/n]
:: Replace ebtables with core/iptables? [Y/n]
resolving dependencies...
looking for conflicting packages...

Package (3)    Old Version  New Version  Net Change

arptables      0.0.4-5                   -0,07 MiB
ebtables       2.0.10_4-6                -0,23 MiB
core/iptables  1:1.6.2-3    1.8.0-1       0,16 MiB

Total Installed Size: 2,36 MiB
Net Upgrade Size: -0,14 MiB

:: Proceed with installation? [Y/n]

I think we should not leave both packages too long in the repos.
Comment by ILMostro (ILMostro) - Sunday, 23 September 2018, 04:11 GMT
The resolution and explanation from @eschwartz has worked, btw.
For the time being, excluding the iptables-1.8.0 package works as expected until the fix gets pushed in a subsequent version.

Apparently, iptables-1.8.0-1 and 1.8.0-2 have not resolved the issue, as far as I understand it.
