Re: [iptables PATCH] iptables: xshared: Output '--' in the opt field in ipv6's fake mode

Hi,

On Wed, Jul 20, 2022 at 06:11:19PM +0200, Erik Skultety wrote:
[...]
> Hmm, the only reason why I submitted this change is because our libvirt test
> suite suddenly started failing on CentOS Stream 9 and only on CS9. Now, the
> test suite is flawed in its own way checking libvirt actions against iptables
> CLI output (yes, very fragile), but at the time the tests were written there
> essentially wasn't a programmatic way of checking the changes like we could do
> today with the nftables library and its JSON formatter.
> So I investigated what's changed on CentOS Stream 9 compared to CS8 or Fedora
> 35/36 and it turned out that CS9 ships iptables-nft 1.8.8 while e.g. Fedora 36
> ships 1.8.7 (so we're bound to failures there as well in the future).
> 
> Let me describe the output difference in between the 2 versions of iptables:
> 
> < v1.8.8
> # ip6tables -L FI-tck-7081731
> Chain FI-tck-7081731 (1 references)
> target     prot opt source               destination
> RETURN     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f         MAC01:02:03:04:05:06 DSCP match 0x02 ipv6-icmptype 12 code 11 ctstate NEW,ESTABLISHED
>     *** NOTE ^^HERE ***
> 
> >= v1.8.8
> ip6tables -L FI-tck-7081731
> Chain FI-tck-7081731 (1 references)
> target     prot opt source               destination
> RETURN     ipv6-icmp    f:e:d::c:b:a/127     a:b:c::d:e:f         MAC01:02:03:04:05:06 DSCP match 0x02 ipv6-icmptype 12 code 11 ctstate NEW,ESTABLISHED
>       *** NOTE ^^HERE ***
> 
> If my detective work was correct it was caused by commit
> b6196c7504d4d41827cea86c167926125cdbf1f3 which swapped the order of the
> protocol keys in the 'xtables_chain_protos'.

Yes, the goal was to avoid changes in output given typical /etc/protocol
contents - it prefers "ipv6-icmp" over "icmpv6" for protocol 58 at least
on my systems.

I would suggest to not rely upon human-readable names for protocol
numbers, but in fact there's no way out: iptables consolidates its
internal protocol names list even if --numeric was given.

Another bug I found while playing around is this:

| # iptables -A FORWARD -p icmpv6
| # iptables -vnL FORWARD
| Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
|  pkts bytes target     prot opt in     out     source               destination
|     0     0            ipv6-icmp--  *      *       0.0.0.0/0            0.0.0.0/0

print_rule_details() does not append a space after the protocol name if it is
longer or equal to five characters.

Both bugs seem to exist since day 1, I'm still tempted to fix them, i.e.:

- Print protocol numbers with --numeric
- Adjust the protocol format string from "%-5s" to "%-4s " for protocol
  names and from "%-5hu" to "%-4hu " for protocol numbers to force a
  single white space

Objections anyone?

Thanks, Phil
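The two behaviours discussed in this thread, as an added example that is not part of the mail or of iptables itself: a stand-in table (named `protos_old` / `protos_new` here, modelled on the two orderings of `xtables_chain_protos` the thread mentions, with only a handful of entries) where the first match for a number wins, so the order decides whether 58 prints as "icmpv6" or "ipv6-icmp"; and the `"%-5s"` versus `"%-4s "` format strings quoted above, applied to the protocol and opt columns so the missing separator for names of five or more characters is visible. The `proto_name`, `format_prot_opt` and `format_prot_opt_num` helpers are hypothetical names chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>

/* Hypothetical stand-in for iptables' xtables_chain_protos table (not the
 * real table): the first entry matching a number wins, so entry order
 * decides which alias is printed. Both orders seen in the thread are
 * modelled, with only a few entries. */
struct proto_entry { const char *name; unsigned int num; };

static const struct proto_entry protos_old[] = {
    { "tcp", 6 }, { "udp", 17 }, { "icmp", 1 },
    { "icmpv6", 58 }, { "ipv6-icmp", 58 }, { NULL, 0 }
};
static const struct proto_entry protos_new[] = {
    { "tcp", 6 }, { "udp", 17 }, { "icmp", 1 },
    { "ipv6-icmp", 58 }, { "icmpv6", 58 }, { NULL, 0 }
};

/* Return the first alias listed for num in table, or NULL if unknown. */
static const char *proto_name(const struct proto_entry *table, unsigned int num)
{
    for (; table->name; table++)
        if (table->num == num)
            return table->name;
    return NULL;
}

/* Render the "prot opt" part of a -L line for a protocol name.
 * fixed == 0 uses the "%-5s" the mail describes (no separator once the
 * name is 5+ chars); fixed == 1 uses "%-4s " which always emits a space. */
static void format_prot_opt(char *out, size_t len, const char *prot,
                            const char *opt, int fixed)
{
    snprintf(out, len, fixed ? "%-4s %s" : "%-5s%s", prot, opt);
}

/* Same for a numeric protocol: "%-5hu" versus "%-4hu ". */
static void format_prot_opt_num(char *out, size_t len, unsigned short prot,
                                const char *opt, int fixed)
{
    snprintf(out, len, fixed ? "%-4hu %s" : "%-5hu%s", prot, opt);
}

/* Is there at least one space between the protocol column and opt? */
static int has_separator(const char *field, const char *prot)
{
    return field[strlen(prot)] == ' ';
}

int main(void)
{
    char buf[64];
    const struct protoent *pe = getprotobynumber(58);

    /* What the local /etc/protocols says for 58 (system dependent). */
    printf("getprotobynumber(58): %s\n", pe ? pe->p_name : "(not found)");
    printf("old table order: %s\n", proto_name(protos_old, 58));
    printf("new table order: %s\n", proto_name(protos_new, 58));

    format_prot_opt(buf, sizeof buf, "ipv6-icmp", "--", 0);
    printf("\"%%-5s\"  -> '%s' separator=%d\n", buf,
           has_separator(buf, "ipv6-icmp"));
    format_prot_opt(buf, sizeof buf, "ipv6-icmp", "--", 1);
    printf("\"%%-4s \" -> '%s' separator=%d\n", buf,
           has_separator(buf, "ipv6-icmp"));
    format_prot_opt_num(buf, sizeof buf, 58, "--", 1);
    printf("numeric  -> '%s'\n", buf);
    return 0;
}
```

For names of up to four characters ("tcp", "icmp") both format strings produce byte-identical output, which is why the proposed change does not disturb existing rule listings; only names such as "ipv6-icmp" gain the missing space.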
