Hello Adam/release team

can you comment if the attached patch [1] is acceptable for inclusion in the
next stable update?

It addresses #961589 and #963012, and includes the flushing rules logic [2].


[1] also in salsa: https://salsa.debian.org/debian/iptables-persistent/-/compare/0b041b4bdeb590a58c34aadd6a44c8eef68a09ca...buster
[2] https://salsa.debian.org/debian/iptables-persistent/-/commit/e8046c6d0434e229f4ca1732ecfa72816bddaf1c
thanks again
--
IRC: gfa
GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5
OLD GPG: 0x44BB1BA79F6C6333
diff -Nru iptables-persistent-1.0.11/debian/changelog 
iptables-persistent-1.0.11+deb10u1/debian/changelog
--- iptables-persistent-1.0.11/debian/changelog 2019-02-09 05:36:39.000000000 
+0100
+++ iptables-persistent-1.0.11+deb10u1/debian/changelog 2020-11-12 
22:12:57.000000000 +0100
@@ -1,3 +1,15 @@
+iptables-persistent (1.0.11+deb10u1) buster; urgency=medium
+
+  * [cdc4a5] Do not load modules.
+    Thanks to Thorsten Glaser <t...@mirbsd.de>
+    (Closes: #963012)
+  * [cdc4a5] Do not call log_action_cont_msg()
+    Thanks to Synthea <genom...@firemail.cc>
+    (Closes: #961589)
+  * [b6e6f9] Backport the logic to flush rules from 1.0.14
+
+ -- gustavo panizzo <g...@zumbi.com.ar>  Thu, 12 Nov 2020 21:12:57 +0000
+
 iptables-persistent (1.0.11) unstable; urgency=medium
 
   * [e491d7] Make iptables-persistent to Pre-Depends on iptables.
diff -Nru iptables-persistent-1.0.11/plugins/15-ip4tables 
iptables-persistent-1.0.11+deb10u1/plugins/15-ip4tables
--- iptables-persistent-1.0.11/plugins/15-ip4tables     2019-02-09 
03:10:09.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/plugins/15-ip4tables     2020-11-12 
22:12:40.000000000 +0100
@@ -27,34 +27,26 @@
 save_rules()
 {
        #save IPv4 rules
-       #need at least iptable_filter loaded:
-       modprobe -b -q iptable_filter || true
-       if [ ! -f /proc/net/ip_tables_names ]; then
-               echo "Warning: skipping IPv4 (Kernel support is missing)"
-        else
-               touch /etc/iptables/rules.v4
-               chmod 0640 /etc/iptables/rules.v4
-               iptables-save > /etc/iptables/rules.v4
-       fi
+       touch /etc/iptables/rules.v4
+       chmod 0640 /etc/iptables/rules.v4
+       iptables-save > /etc/iptables/rules.v4
 }
 
 flush_rules()
 {
-       if [ ! -f /proc/net/ip_tables_names ]; then
-               log_action_cont_msg "Warning: skipping IPv4 (Kernel support is 
missing)"
-        elif [ $(which iptables) ]; then
-               for chain in INPUT FORWARD OUTPUT
-               do
-                       iptables -P $chain ACCEPT
-               done
-               for param in F Z X; do iptables -$param; done
-               for table in $(cat /proc/net/ip_tables_names)
-               do
-                       iptables -t $table -F
-                       iptables -t $table -Z
-                       iptables -t $table -X
-               done
-       fi
+    TABLES=$(iptables-save | sed -E -n 's/^\*//p')
+    for table in $TABLES
+    do
+        CHAINS=$(iptables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+        for chain in $CHAINS
+        do
+            # policy can't be set on user-defined chains
+            iptables -t $table -P $chain ACCEPT || true
+        done
+        iptables -t $table -F
+        iptables -t $table -Z
+        iptables -t $table -X
+    done
 }
 
 case "$1" in
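Review bot: In the new flush_rules, a failing iptables-save (the missing-kernel-support case the removed /proc/net/ip_tables_names check used to report) leaves TABLES empty, so the function flushes nothing and returns 0 with no diagnostic from the script itself, because only sed's exit status survives the `$(... | sed ...)` substitution. Consider capturing the dump once and checking its status, e.g. `SAVED=$(iptables-save) || { echo "Warning: skipping IPv4 (iptables-save failed)" >&2; return 0; }` followed by `TABLES=$(printf '%s\n' "$SAVED" | sed -E -n 's/^\*//p')`; echo is used here rather than log_action_cont_msg since the patch removes that call. The same applies to flush_rules in 25-ip6tables. As a point of style, the replacement body is indented with four spaces while save_rules directly above it keeps the file's tab indentation; matching the tabs would keep the plugin consistent.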
diff -Nru iptables-persistent-1.0.11/plugins/25-ip6tables 
iptables-persistent-1.0.11+deb10u1/plugins/25-ip6tables
--- iptables-persistent-1.0.11/plugins/25-ip6tables     2019-02-09 
03:10:09.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/plugins/25-ip6tables     2020-11-12 
22:12:40.000000000 +0100
@@ -30,34 +30,26 @@
 save_rules()
 {
        #save IPv6 rules
-       #need at least ip6table_filter loaded:
-       modprobe -b -q ip6table_filter || true
-       if [ ! -f /proc/net/ip6_tables_names ]; then
-               log_action_cont_msg "Warning: skipping IPv6 (Kernel support is 
missing)"
-       else
-               touch /etc/iptables/rules.v6
-               ip6tables-save > /etc/iptables/rules.v6
-               chmod 0640 /etc/iptables/rules.v6
-       fi
+       touch /etc/iptables/rules.v6
+       ip6tables-save > /etc/iptables/rules.v6
+       chmod 0640 /etc/iptables/rules.v6
 }
 
 flush_rules()
 {
-       if [ ! -f /proc/net/ip6_tables_names ]; then
-               echo "Warning: skipping IPv6 (Kernel support is missing)"
-        elif [ $(which ip6tables) ]; then
-               for chain in INPUT FORWARD OUTPUT
-               do
-                       ip6tables -P $chain ACCEPT
-               done
-               for param in F Z X; do ip6tables -$param; done
-               for table in $(cat /proc/net/ip6_tables_names)
-               do
-                       ip6tables -t $table -F
-                       ip6tables -t $table -Z
-                       ip6tables -t $table -X
-               done
-       fi
+    TABLES=$(ip6tables-save | sed -E -n 's/^\*//p')
+    for table in $TABLES
+    do
+        CHAINS=$(ip6tables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+        for chain in $CHAINS
+        do
+            # policy can't be set on user-defined chains
+            ip6tables -t $table -P $chain ACCEPT || true
+        done
+        ip6tables -t $table -F
+        ip6tables -t $table -Z
+        ip6tables -t $table -X
+    done
 }
 
 case "$1" in
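Review bot: In save_rules, the new lines write the ip6tables-save output into /etc/iptables/rules.v6 before chmod 0640 runs, so when touch has just created the file it is readable under the default umask while the rules are being written; 15-ip4tables in the same patch does the chmod before the save. Swapping the two lines, `chmod 0640 /etc/iptables/rules.v6` then `ip6tables-save > /etc/iptables/rules.v6`, closes that window and makes the two plugins consistent. The ordering predates the patch (the removed lines had it too), but since the block is being rewritten it is a cheap fix to fold in.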
