Package: iptables-persistent
Version: 1.0.11
Severity: important

root@jens:~# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
# Warning: ip6tables-legacy tables present, use ip6tables-legacy-save to see them

There are no legacy tables present, though:

root@jens:~# iptables -nvL
Chain INPUT (policy ACCEPT 4768 packets, 551K bytes)
 pkts bytes target     prot opt in     out     source               destination
[…]
 1580 96616 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@jens:~# iptables-legacy -nvL
Chain INPUT (policy ACCEPT 586 packets, 39772 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 10 packets, 760 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 387 packets, 124K bytes)
 pkts bytes target     prot opt in     out     source               destination

The warning comes because the legacy kernel modules are loaded.
Calling iptables-legacy will auto-load them, so we blacklist them…

root@jens:~# cat /etc/modprobe.d/iptables-legacy.conf
blacklist arptable_filter
blacklist ebtable_broute
blacklist ebtable_filter
blacklist ebtable_nat
blacklist ip6table_filter
blacklist ip6table_mangle
blacklist ip6table_nat
blacklist ip6table_raw
blacklist ip6table_security
blacklist iptable_filter
blacklist iptable_mangle
blacklist iptable_nat
blacklist iptable_raw
blacklist iptable_security

… but then it errors out like this:

root@jens:~# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
Warning: skipping IPv4 (Kernel support is missing)
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
/usr/share/netfilter-persistent/plugins.d/25-ip6tables: 36: /usr/share/netfilter-persistent/plugins.d/25-ip6tables: log_action_cont_msg: not found
run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 127

This is two errors in one (but the log_action_cont_msg bug is already
reported elsewhere so I’ll concentrate on the 15-ip4tables one (which
probably also affects 25-ip6tables though)).

The code in question:

save_rules()
{
    #save IPv4 rules
    #need at least iptable_filter loaded:
    modprobe -b -q iptable_filter || true
    if [ ! -f /proc/net/ip_tables_names ]; then
        echo "Warning: skipping IPv4 (Kernel support is missing)"

This is doubly wrong. The iptable_filter module and *especially*
/proc/net/ip_tables_names are used ONLY by iptables-legacy; see
the following for details:
https://bugzilla.redhat.com/show_bug.cgi?id=1668007

Effectively, iptables-persistent in buster forces the use of
iptables-legacy ONLY.

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables-persistent depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  iptables               1.8.2-4
ii  netfilter-persistent   1.0.11

iptables-persistent recommends no packages.

iptables-persistent suggests no packages.

-- debconf information:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_CTYPE = "C.UTF-8",
	LC_MESSAGES = "en_GB.utf8",
	LC_MEASUREMENT = "en_GB.utf8",
	LC_PAPER = "en_GB.utf8",
	LANG = "de_DE.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("de_DE.UTF-8").
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
  iptables-persistent/autosave_v6: true
  iptables-persistent/autosave_v4: true
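
Added example, not part of the original report and not netfilter-persistent's own code: one way a save plugin could make the kernel-support check backend-aware, so that a missing /proc/net/ip_tables_names only causes a skip when the iptables binary really is the legacy variant. The function names backend_from_version and can_save are hypothetical, and treating a version string without a suffix as legacy is an assumption.

```shell
#!/bin/sh
# Added example, not netfilter-persistent code. Function names are hypothetical.

# Map `iptables --version` output to a backend name.
# iptables 1.8.x prints "iptables v1.8.2 (nf_tables)" or "iptables v1.8.2 (legacy)".
# A version string without a suffix is treated as legacy here (assumption).
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*)              echo nft ;;
        *"(legacy)"*)                 echo legacy ;;
        "iptables v"*|"ip6tables v"*) echo legacy ;;
        *)                            echo unknown ;;
    esac
}

# Decide whether a save should proceed.
#   $1 = version string, $2 = path of the legacy table-names file
#        (/proc/net/ip_tables_names for IPv4 in the plugin quoted above)
# Returns 0 to proceed, 1 to skip.
can_save() {
    case "$(backend_from_version "$1")" in
        nft)    return 0 ;;      # per the report, the proc file is legacy-only
        legacy) [ -f "$2" ] ;;   # legacy: the file must exist before saving
        *)      return 1 ;;      # unrecognised binary: do not guess
    esac
}

# Constructed sample inputs; a real plugin would pass "$(iptables --version)".
for v in "iptables v1.8.2 (nf_tables)" "iptables v1.8.2 (legacy)" "iptables v1.6.0"; do
    if can_save "$v" /nonexistent/ip_tables_names; then
        echo "$v -> save"
    else
        echo "$v -> skip (legacy kernel support missing)"
    fi
done
```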