Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
In case you consider https://bugs.debian.org/862485 ("fwsnort mustn't set iptables rules when purged") as RC (as the reporter does and I don't), please unblock fwsnort/1.6.5-4. In case you don't consider this RC and don't want to unblock fwsnort, please downgrade #862485 again accordingly. full debdiff: diff -Nru fwsnort-1.6.5/debian/changelog fwsnort-1.6.5/debian/changelog --- fwsnort-1.6.5/debian/changelog 2017-05-07 11:47:15.000000000 +0200 +++ fwsnort-1.6.5/debian/changelog 2017-05-14 22:57:20.000000000 +0200 @@ -1,3 +1,13 @@ +fwsnort (1.6.5-4) unstable; urgency=medium + + * QA upload. + * Flush all fwsnort firewall rules during prerm at package removal time + instead of restoring the firewall state from before "fwsnort + --ipt-apply" was called the last time at package purging time. + (Closes: #862485) + + -- Axel Beckert <a...@debian.org> Sun, 14 May 2017 22:57:20 +0200 + fwsnort (1.6.5-3) unstable; urgency=medium * QA upload. diff -Nru fwsnort-1.6.5/debian/fwsnort.postrm fwsnort-1.6.5/debian/fwsnort.postrm --- fwsnort-1.6.5/debian/fwsnort.postrm 2017-05-07 11:43:40.000000000 +0200 +++ fwsnort-1.6.5/debian/fwsnort.postrm 2017-05-14 21:05:27.000000000 +0200 @@ -5,12 +5,6 @@ # In case the user wants to purge the fwsnort package, we must manually remove # some files. if [ "$1" = "purge" ]; then - # Remove all fwsnort generated firewall rules - if [ -f /var/lib/fwsnort/fwsnort.save ]; then - echo "[+] Reverting to original iptables policy..." - grep -Fv FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore - fi - # Remove old log files (default directory) if [ -d /var/log/fwsnort ]; then find /var/log/fwsnort/ -type f -exec rm {} \; diff -Nru fwsnort-1.6.5/debian/fwsnort.prerm fwsnort-1.6.5/debian/fwsnort.prerm --- fwsnort-1.6.5/debian/fwsnort.prerm 1970-01-01 01:00:00.000000000 +0100 +++ fwsnort-1.6.5/debian/fwsnort.prerm 2017-05-14 22:34:17.000000000 +0200 
@@ -0,0 +1,28 @@ +#!/bin/sh + +set -e + +if [ "$1" = "remove" ]; then + FWSNORT_CHAINS=$(iptables -L -n | fgrep 'Chain FWSNORT' | awk '{print $2}') + if [ -n "${FWSNORT_CHAINS}" ]; then + # Remove all fwsnort generated firewall rules + fwsnort --ipt-flush + + # --ipt-flush doesn't remove the additional chains of fwsnort, but + # --ipt-revert is not recommended for cleaning up according to + # the man page. So do that manually. *sigh* + + # Remove all potential leftover references in other chains + iptables -D INPUT ! -i lo -j FWSNORT_INPUT || true + iptables -D FORWARD ! -i lo -j FWSNORT_FORWARD || true + iptables -D OUTPUT ! -o lo -j FWSNORT_OUTPUT || true + + # Remove remaining chains + for fwsnort_chain in ${FWSNORT_CHAINS} ; do + iptables -X "${fwsnort_chain}" + done + fi +fi +#DEBHELPER# + +exit 0 unblock fwsnort/1.6.5-4 -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (990, 'unstable'), (980, 'unstable-debug'), (600, 'testing'), (111, 'buildd-unstable'), (111, 'buildd-experimental'), (110, 'experimental'), (105, 'experimental-debug') Architecture: amd64 (x86_64) Kernel: Linux 4.11.0-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
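Review bot: on the debian/fwsnort.postrm hunk, dropping the `grep -Fv FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore` from the purge branch is the right fix for #862485: fwsnort.save is a snapshot of the ruleset as it stood before the last `fwsnort --ipt-apply`, and piping it into iptables-restore at purge time (possibly long after removal) replaces whatever firewall the administrator has configured since with that stale snapshot, reopening anything closed in the meantime rather than merely undoing fwsnort's own rules. Two follow-ups: with nothing consuming the file any more, /var/lib/fwsnort/fwsnort.save should itself be removed in this purge branch if the script does not already do so elsewhere, and the remaining purge code should not depend on any FWSNORT chains existing, since cleanup of the live ruleset now happens in prerm at remove time and purge may run without it having succeeded.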
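Review bot: on the new debian/fwsnort.prerm, the `iptables -X "${fwsnort_chain}"` loop runs under `set -e` without a `|| true`, so if any FWSNORT chain is still referenced the prerm aborts and dpkg leaves the package half-removed with the rules still loaded. That happens whenever the jump rule actually installed does not match the hard-coded `! -i lo -j FWSNORT_INPUT` / `! -o lo -j FWSNORT_OUTPUT` forms (the `-D ... || true` lines then fail silently) or when a chain is referenced from somewhere other than INPUT/FORWARD/OUTPUT. Either guard the `-X` with `|| true` and accept leftover empty chains, or find the references generically, for example `iptables -S | grep -- '-j FWSNORT_'`, rewrite each `-A` line as the matching `-D` and delete those before the `-X` loop. On the discovery side, `iptables -L -n | fgrep 'Chain FWSNORT'` works, but `iptables -S | awk '$1 == "-N" && $2 ~ /^FWSNORT/ {print $2}'` is cheaper, parses more reliably and avoids the deprecated `fgrep`; both variants look only at the filter table, which is fine as long as fwsnort never creates chains in other tables.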