Your message dated Thu, 30 Jan 2020 17:15:28 +0100 with message-id <[email protected]> and subject line has caused the Debian Bug report #867560, regarding netfilter-persistent fails randomly during boot; restarting later works to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
867560: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867560
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: netfilter-persistent
Version: 1.0.4+nmu2
Severity: grave
Tags: security
Justification: renders package unusable

Dear Maintainer,

   * What led up to the situation?

Upgrading from jessie to stretch. On two Debian systems, netfilter-persistent worked fine in jessie but randomly fails to load rules.v4 and/or rules.v6 during boot. Most of the time, at least one of these fails. Restarting later works fine.

   * What exactly did you do (or not do) that was effective (or ineffective)?

1) # apt-get purge iptables-persistent netfilter-persistent && apt-get install iptables-persistent
2) Edit /usr/share/netfilter-persistent/plugins.d/15-ip4tables and /usr/share/netfilter-persistent/plugins.d/25-ip6tables so /sbin/ip(6)tables-restore writes errors to a file instead of /dev/null
3) # systemctl restart netfilter-persistent

   * What was the outcome of this action?

1) No effect.
2) iptables-restore: line 33 failed
   ip6tables-restore: line 25 failed
   (These are the last lines of rules.v4 and rules.v6, each saying "COMMIT", respectively.)
3) Works (until next reboot).

Since "systemctl restart netfilter-persistent" works just fine, I think it might have to do with the patch suggested in #819693. Starting with stretch, the unit file switched from network.target to network-pre.target. While network-pre.target is in theory intended for firewall use, I think network-pre.target might make it impossible to reference specific interfaces within iptables rules (e.g. "-A INPUT -i lo -j ACCEPT").
-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages netfilter-persistent depends on:
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125

netfilter-persistent recommends no packages.

Versions of packages netfilter-persistent suggests:
ii  iptables-persistent  1.0.4+nmu2

-- no debconf information
--- End Message ---
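
Added example, not part of the bug report or of netfilter-persistent: a small POSIX shell helper that takes an "ip(6)tables-restore: line N failed" message like the ones quoted in the report and shows which table block of the rules file that line closes. The function names and the sample rules are constructed for illustration; only the message format and the "-A INPUT -i lo -j ACCEPT" rule come from the report.

```shell
#!/bin/sh
# Added example: find the table block behind "ip(6)tables-restore: line N failed".
# A table is handed to the kernel as a whole at its COMMIT line, so N naming a
# COMMIT identifies the block, not one rule. Function names are illustrative.

# failed_line MESSAGE -> N
failed_line() {
    printf '%s\n' "$1" |
        sed -n 's/^ip6\{0,1\}tables-restore: line \([0-9][0-9]*\) failed.*/\1/p'
}

# failed_block FILE N -> "<table> <first_line> <last_line>"; status 1 if no block
failed_block() {
    awk -v want="$2" '
        /^\*/     { table = substr($1, 2); start = NR }
        /^COMMIT/ { if (table != "" && want + 0 >= start && want + 0 <= NR) {
                        print table, start, NR; found = 1; exit }
                    table = "" }
        END       { if (!found) exit 1 }
    ' "$1"
}

# block_rules FILE N -> the -A/-I rules of that block, prefixed with line numbers
block_rules() {
    range=$(failed_block "$1" "$2") || return 1
    awk -v r="$range" 'BEGIN { split(r, f, " ") }
        NR >= f[2] + 0 && NR <= f[3] + 0 && /^-[AI] / { print NR ": " $0 }' "$1"
}

# Constructed sample in iptables-save format (not the reporter's rules.v4)
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

tmp=$(mktemp) && sample_rules > "$tmp"
n=$(failed_line 'iptables-restore: line 8 failed')   # message constructed for the sample
echo "failing block: $(failed_block "$tmp" "$n")"
block_rules "$tmp" "$n"
rm -f "$tmp"
```

The numbered rules it prints are the candidates to check individually when a boot-time load fails but a later restart succeeds.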
--- Begin Message ---
Hello David,

there is no response from you (or anybody else) in a few years, I'll proceed to close this ticket.

If you can reproduce this bug with the current version in sid, please reopen.

thanks!

--
IRC: gfa
GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5
OLD GPG: 0x44BB1BA79F6C6333
--- End Message ---

