Your message dated Sat, 22 Oct 2022 15:50:49 +0000
with message-id <[email protected]>
and subject line Bug#1022156: fixed in iptables-persistent 1.0.17
has caused the Debian Bug report #1022156,
regarding iptables-persistent: This patch allows optional testing of the iptables/ip6tables rules using the --test flag to `iptables-restore` and `ip6tables-restore` prior to loading them.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1022156: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022156
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: iptables-persistent
Severity: normal
Tags: patch upstream

Dear Maintainer,

   * What led up to the situation? Errors in the rules file cause a
     blank set of rules to be loaded to the kernel. This patch means the
     existing rule set will remain loaded if the test of the new rules
     fails.
From 68b596ba43e9a906512cefefd86717a6d5acfef2 Mon Sep 17 00:00:00 2001
From: Phillip Smith <[email protected]>
Date: Tue, 18 Oct 2022 12:44:41 +1100
Subject: [PATCH] Add option to test rules before loading.

If the rule set has an error, currently the load fails and the kernel is left
without a valid ruleset running. With this option, we call iptables-restore
with the --test flag prior to the actual load in order to detect errors before
we alter the running ruleset.
---
 debian/netfilter-persistent.default |  6 ++++++
 plugins/15-ip4tables                | 12 ++++++++++--
 plugins/25-ip6tables                | 11 +++++++++--
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git debian/netfilter-persistent.default 
debian/netfilter-persistent.default
index cf92317..2131cab 100644
--- debian/netfilter-persistent.default
+++ debian/netfilter-persistent.default
@@ -14,3 +14,9 @@ FLUSH_ON_STOP=0
 # is called with the start parameter
 # IPTABLES_RESTORE_NOFLUSH=yes
 # IP6TABLES_RESTORE_NOFLUSH=yes
+
+
+# Set to yes to test load the rules before applying them. This avoids loading 
failure
+# from causing no rules to be loaded in the kernel
+# IPTABLES_TEST_RULESET=yes
+# IP6TABLES_TEST_RULESET=yes
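Review bot: two blank lines are added before the new comment block in debian/netfilter-persistent.default where the surrounding file separates blocks with one; drop one of them. The comment would also serve administrators better if it said what the test does and costs: `iptables-restore --test` parses and builds the ruleset without committing it, so the only overhead is a second pass over the file, and a parse failure leaves the running ruleset untouched, which is the guarantee the bug report asks for.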
diff --git plugins/15-ip4tables plugins/15-ip4tables
index a29ab4f..adbbcd3 100755
--- plugins/15-ip4tables
+++ plugins/15-ip4tables
@@ -30,9 +30,17 @@ load_rules()
     #load IPv4 rules
     if [ ! -f /etc/iptables/rules.v4 ]; then
         echo "Warning: skipping IPv4 (no rules to load)"
-    else
-        iptables-restore $NOFLUSH < /etc/iptables/rules.v4
+        return
+    fi
+
+    if [ "${IPTABLES_TEST_RULESET}x" = "yesx" ] ; then
+        if ! iptables-restore --test $NOFLUSH < /etc/iptables/rules.v4 ; then
+            echo "Error: IPv4 rules failed test load. New rules NOT loaded"
+            return
+        fi
     fi
+
+    iptables-restore $NOFLUSH < /etc/iptables/rules.v4
 }
 
 save_rules()
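Review bot: the bare `return` after `echo "Error: IPv4 rules failed test load. New rules NOT loaded"` returns the exit status of `echo`, which is 0, so load_rules reports success to its caller even though no rules were loaded and `netfilter-persistent start` (and anything checking the unit's status) cannot tell that the firewall is not in the intended state; use `return 1` there. The error message also goes to stdout; `>&2` would keep it with the other diagnostics. The early `return` added after the "no rules to load" warning is the right replacement for the removed `else`, and falling through to the unconditional `iptables-restore $NOFLUSH < /etc/iptables/rules.v4` preserves the previous behaviour when IPTABLES_TEST_RULESET is unset.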
diff --git plugins/25-ip6tables plugins/25-ip6tables
index 90b213e..aa2adf3 100755
--- plugins/25-ip6tables
+++ plugins/25-ip6tables
@@ -33,9 +33,16 @@ load_rules()
     #load IPv6 rules
     if [ ! -f /etc/iptables/rules.v6 ]; then
         echo "Warning: skipping IPv6 (no rules to load)"
-    else
-        ip6tables-restore $NOFLUSH < /etc/iptables/rules.v6
     fi
+
+    if [ "${IP6TABLES_TEST_RULESET}x" = "yesx" ] ; then
+        if ! ip6tables-restore --test $NOFLUSH < /etc/iptables/rules.v6 ; then
+            echo "Error: IPv6 rules failed test load. New rules NOT loaded"
+            return
+        fi
+    fi
+
+    ip6tables-restore $NOFLUSH < /etc/iptables/rules.v6
 }
 
 save_rules()
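Review bot: this hunk removes the `else` but, unlike the IPv4 plugin, does not add a `return` after `echo "Warning: skipping IPv6 (no rules to load)"`, so when /etc/iptables/rules.v6 is absent the function falls through to `ip6tables-restore $NOFLUSH < /etc/iptables/rules.v6`, where the redirection fails and the former warning becomes an error; add `return` after the warning (the diffstat's 11 insertions for this file versus 12 for plugins/15-ip4tables is exactly this missing line). The `return 1` and `>&2` points raised for the IPv4 hunk apply equally to the "Error: IPv6 rules failed test load" branch here.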
-- 
2.36.0


--- End Message ---
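The test-then-load pattern from the patch, written up as an added example (not code from the patch or from the iptables-persistent project) that also returns a non-zero status to its caller when the test load fails and prints diagnostics to stderr. The restore command is a parameter so the function can be exercised without netfilter access: `fake_restore` is a constructed stand-in that accepts only lines shaped like iptables-save output, and the rule sets written by `demo` are constructed samples; with no second argument the function uses the real `iptables-restore`.

```shell
#!/bin/sh
# Added example: load a netfilter rules file only after a test load succeeds.
# $1 = rules file, $2 = restore command (defaults to iptables-restore).
# Returns 0 when rules were loaded or there was nothing to load, 1 when the
# test load failed and the running ruleset was deliberately left alone.
load_rules_safely() {
    rules_file="$1"
    restore="${2:-iptables-restore}"

    if [ ! -f "$rules_file" ]; then
        echo "Warning: skipping $rules_file (no rules to load)" >&2
        return 0
    fi

    # --test parses and builds the ruleset without committing it to the kernel.
    if ! "$restore" --test < "$rules_file"; then
        echo "Error: $rules_file failed test load; existing ruleset left in place" >&2
        return 1
    fi

    "$restore" < "$rules_file"
}

# Constructed stand-in for iptables-restore so the example runs anywhere.
# It reads the rules on stdin, rejects any line that does not look like
# iptables-save output, and only "commits" when not called with --test.
fake_restore() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|'*'*|':'*|'-A '*|'COMMIT') ;;
            *) echo "fake-restore: cannot parse line: $line" >&2; return 2 ;;
        esac
    done
    [ "$1" = "--test" ] || echo "fake-restore: ruleset committed"
    return 0
}

# Exercise the three paths (valid file, broken file, missing file) with
# constructed sample rule sets and report the exit status of each.
demo() {
    tmpdir=$(mktemp -d)
    good="$tmpdir/rules.v4"
    bad="$tmpdir/rules.v4.broken"
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' > "$good"
    printf '*filter\n-A INPUT -p tcp --dport 22 -j ACCEPT\nTHIS IS NOT A RULE\nCOMMIT\n' > "$bad"

    good_rc=0; load_rules_safely "$good" fake_restore || good_rc=$?
    bad_rc=0;  load_rules_safely "$bad" fake_restore || bad_rc=$?
    miss_rc=0; load_rules_safely "$tmpdir/rules.v6" fake_restore || miss_rc=$?

    rm -rf "$tmpdir"
    echo "good=$good_rc bad=$bad_rc missing=$miss_rc"
}
```

Run `demo` to see the broken file rejected before anything is committed while the valid file is committed and the missing file is skipped with a warning; in a real plugin the non-zero return from the broken case is what lets the service manager report the failure instead of a silent "started" state.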
--- Begin Message ---
Source: iptables-persistent
Source-Version: 1.0.17
Done: gustavo panizzo <[email protected]>

We believe that the bug you reported is fixed in the latest version of
iptables-persistent, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gustavo panizzo <[email protected]> (supplier of updated iptables-persistent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 22 Oct 2022 17:13:17 +0200
Source: iptables-persistent
Binary: ipset-persistent iptables-persistent netfilter-persistent
Architecture: source all
Version: 1.0.17
Distribution: unstable
Urgency: medium
Maintainer: gustavo panizzo <[email protected]>
Changed-By: gustavo panizzo <[email protected]>
Description:
 ipset-persistent - boot-time loader for netfilter rules, ipset plugin
 iptables-persistent - boot-time loader for netfilter rules, iptables plugin
 netfilter-persistent - boot-time loader for netfilter configuration
Closes: 1022156
Changes:
 iptables-persistent (1.0.17) unstable; urgency=medium
 .
   * [e12f28] Test rules before loading them.
     Thanks to Phillip Smith (Closes: 1022156)
   * [1d3e87] Standards version 4.6.1.0 (no changes)
Checksums-Sha1:
 8690c60bb22579c406a161b5a3d156119e3fd97b 1179 iptables-persistent_1.0.17.dsc
 d92236e66bbc2145a3c6f81f9933f41876c86582 16996 iptables-persistent_1.0.17.tar.xz
 8d004eaa1d433a209241ab86e0b1a874eeff4a91 4960 ipset-persistent_1.0.17_all.deb
 9d7ba63a18e06e8d089f65d6e60ed9d1cb6c2599 7956 iptables-persistent_1.0.17_all.deb
 106757605a7859c03eaf6af367d57587cbf654ed 5951 iptables-persistent_1.0.17_amd64.buildinfo
 02b6aff629453b9b6157e8acd998c1747e0032b0 6684 netfilter-persistent_1.0.17_all.deb
Checksums-Sha256:
 5dc7a2b13094bd391f6577d3ebeef34f9423641b01d5aec151fb73b2c24de48a 1179 iptables-persistent_1.0.17.dsc
 ce2039bccfffad1db3eb4eba2a3c749decb159e29843ea542eb1665bdcf27b49 16996 iptables-persistent_1.0.17.tar.xz
 b199b9489534a7d5233e1e411bacd2947526c8b3608a36ea3854c95cd2afb230 4960 ipset-persistent_1.0.17_all.deb
 79fd047385e2ededbaab3e6d5d5c3e01957a948aaa0eca41c1f15e7a1990a927 7956 iptables-persistent_1.0.17_all.deb
 13ca7a911caccd64f29d25700a68e2419ad7685cd7a822f68d85a38232a29995 5951 iptables-persistent_1.0.17_amd64.buildinfo
 1f0e63264e53f6018e1db947c737907b223052585310fee068ba1d4dd914c227 6684 netfilter-persistent_1.0.17_all.deb
Files:
 df468829f85dcefd03b910df24555cdb 1179 admin optional iptables-persistent_1.0.17.dsc
 26d4a478aaa7ebd46ebc91672b0dd068 16996 admin optional iptables-persistent_1.0.17.tar.xz
 6b684b8347c4285db4d6bddbad05a1da 4960 admin optional ipset-persistent_1.0.17_all.deb
 dbf68e36e68179d553fb949ea8c3cfaa 7956 admin optional iptables-persistent_1.0.17_all.deb
 b3d0d29d748f1b9e538922e474512e19 5951 admin optional iptables-persistent_1.0.17_amd64.buildinfo
 caeafc83e1ab1f5db153301591eae250 6684 admin optional netfilter-persistent_1.0.17_all.deb

-----BEGIN PGP SIGNATURE-----

iIcEARYIAC8WIQTkGI+jpc9SWQ7CddoQSYArGj12RgUCY1QL/hEcZ2ZhQHp1bWJp
LmNvbS5hcgAKCRAQSYArGj12Rn2mAP98kq9l3W7A6z2NmCrStUE3+YiYXRbP54Bt
QfJ7t8VkwAEAs9MlIWXpsZqj4ublp/KVD3OWkQI+XubDvJ9sx8KJrwM=
=B0sQ
-----END PGP SIGNATURE-----

--- End Message ---
