Package: ferm
Version: 2.3-2
Severity: grave

Ferm is broken in stretch for any rule set which contains resolve() statements. (There might be others relying on the network, didn't check.) This got introduced in 2.3-2, which now uses a Wants:/Before: network-pre.target.

In jessie, no systemd unit was provided and the sysvinit script translated to:

  # systemctl cat ferm
  # /run/systemd/generator.late/ferm.service
  # Automatically generated by systemd-sysv-generator

  [Unit]
  SourcePath=/etc/init.d/ferm
  Description=LSB: ferm firewall configuration
  DefaultDependencies=no
  Before=sysinit.target
  After=network-online.target remote-fs.target
  Wants=network-online.target

But since ferm.service is now executed before the network is up, any rule containing a resolve() statement now leads to a ferm startup failure:

  # journalctl -u ferm
  -- Logs begin at Wed 2017-05-31 10:53:35 UTC, end at Wed 2017-05-31 11:40:57 UTC. --
  May 31 10:53:38 ms-be2001 ferm[1038]: Starting Firewall: fermError in /etc/ferm/conf.d/10_example line 4:
  May 31 10:53:38 ms-be2001 ferm[1038]: just.example.org
  May 31 10:53:38 ms-be2001 ferm[1038]: )
  May 31 10:53:38 ms-be2001 ferm[1038]:
  May 31 10:53:38 ms-be2001 ferm[1038]: )
  May 31 10:53:38 ms-be2001 ferm[1038]: <--
  May 31 10:53:38 ms-be2001 ferm[1038]: DNS query for 'just.example.org' failed: query timed out
  May 31 10:53:38 ms-be2001 ferm[1038]: failed!
  May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Main process exited, code=exited, status=101/n/a
  May 31 10:53:38 ms-be2001 systemd[1]: Failed to start ferm firewall configuration.
  May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Unit entered failed state.
  May 31 10:53:38 ms-be2001 systemd[1]: ferm.service: Failed with result 'exit-code'.

I'm setting severity to "grave" since this breaks existing setups during the update from jessie to stretch.

Possible fixes:

- Revert to the status quo from jessie by reverting the changes from 2.3-2 (ugly)
- Split into two services, e.g. ferm-base.service loading a base rule set which runs on network-pre.target and ferm-extended.service which runs on nss-lookup.target or network.target

Cheers,
Moritz
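As an added pre-upgrade check, not part of the ferm package or of this report: a POSIX shell snippet that detects the combination described above on disk instead of at boot, i.e. a rule set calling resolve() together with a unit ordered Before=network-pre.target and not After=nss-lookup.target. The unit file and conf.d snippet it builds for the demo are constructed fixtures, and the function names are my own.

```shell
# Added example (not from ferm or its Debian packaging): flag a ferm rule
# set whose resolve() lookups would run before the network is up, which is
# the failure shown in the journal output above. Fixture paths and contents
# are constructed for the demo; nothing here touches the live system.

# Print every rule file under $1 that calls resolve(); exit status 0 if any.
ferm_resolve_files() {
    grep -rls 'resolve[[:space:]]*(' "$1"
}

# ferm_resolve_check UNIT_FILE CONF_DIR
# Returns 1 when resolve() rules would be loaded before the network is up,
# 0 when there are no resolve() rules or the unit ordering is safe.
ferm_resolve_check() {
    unit=$1 confdir=$2
    # No DNS lookups at load time: unit ordering does not matter.
    ferm_resolve_files "$confdir" >/dev/null || return 0
    # Ordered before network-pre.target and not after name resolution:
    # this is the 2.3-2 situation from the report.
    if grep -qs '^Before=.*network-pre\.target' "$unit" &&
       ! grep -qs '^After=.*nss-lookup\.target' "$unit"; then
        return 1
    fi
    return 0
}

# Build a constructed 2.3-2 style unit plus a conf.d snippet using resolve(),
# run the check and clean up. Prints "unsafe" for that combination.
ferm_resolve_demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/conf.d"
    printf '[Unit]\nDefaultDependencies=no\nWants=network-pre.target\nBefore=network-pre.target\n' \
        >"$tmp/ferm.service"
    printf 'domain ip chain INPUT saddr @resolve(just.example.org) ACCEPT;\n' \
        >"$tmp/conf.d/10_example"
    if ferm_resolve_check "$tmp/ferm.service" "$tmp/conf.d"; then
        result=safe
    else
        result=unsafe
    fi
    rm -rf "$tmp"
    echo "$result"
}
```

Run `ferm_resolve_check /lib/systemd/system/ferm.service /etc/ferm` on a jessie host before the upgrade to see whether its rule set would hit this; a non-zero exit means it would.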