Package: iptables-persistent
Version: 1.0.11
Severity: important
root@jens:~# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
# Warning: ip6tables-legacy tables present, use ip6tables-legacy-save to see them
There are no legacy tables present, though:
root@jens:~# iptables -nvL
Chain INPUT (policy ACCEPT 4768 packets, 551K bytes)
pkts bytes target prot opt in out source destination
[…]
1580 96616 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@jens:~# iptables-legacy -nvL
Chain INPUT (policy ACCEPT 586 packets, 39772 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 10 packets, 760 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 387 packets, 124K bytes)
pkts bytes target prot opt in out source destination
The warning comes because the legacy kernel modules are loaded.
Calling iptables-legacy will auto-load them, so we blacklist them…
root@jens:~# cat /etc/modprobe.d/iptables-legacy.conf
blacklist arptable_filter
blacklist ebtable_broute
blacklist ebtable_filter
blacklist ebtable_nat
blacklist ip6table_filter
blacklist ip6table_mangle
blacklist ip6table_nat
blacklist ip6table_raw
blacklist ip6table_security
blacklist iptable_filter
blacklist iptable_mangle
blacklist iptable_nat
blacklist iptable_raw
blacklist iptable_security
… but then it errors out like this:
root@jens:~# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
Warning: skipping IPv4 (Kernel support is missing)
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
/usr/share/netfilter-persistent/plugins.d/25-ip6tables: 36: /usr/share/netfilter-persistent/plugins.d/25-ip6tables: log_action_cont_msg: not found
run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 127
This is two errors in one, but the log_action_cont_msg bug
is already reported elsewhere, so I'll concentrate on the
15-ip4tables one (which probably also affects 25-ip6tables,
though).
The code in question:
save_rules()
{
    #save IPv4 rules
    #need at least iptable_filter loaded:
    modprobe -b -q iptable_filter || true
    if [ ! -f /proc/net/ip_tables_names ]; then
        echo "Warning: skipping IPv4 (Kernel support is missing)"
This is doubly wrong. The iptable_filter module and
*especially* /proc/net/ip_tables_names are used ONLY
by iptables-legacy; see the following for details:
https://bugzilla.redhat.com/show_bug.cgi?id=1668007
Effectively, iptables-persistent in buster forces
the use of iptables-legacy ONLY.
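For comparison, here is an added example (not the iptables-persistent plugin code) of a save routine that does not depend on the legacy-only /proc/net/ip_tables_names probe. It classifies the backend from the `iptables -V` banner and treats a successful run of the save command as the proof of kernel support, writing to a temporary file so a failed save never clobbers the existing rules file. The function names, the argument layout and the stub commands used to exercise it are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the iptables-persistent plugin itself: save rules without
# the legacy-only /proc/net/ip_tables_names check that the report describes.

# Classify an `iptables -V` banner. iptables 1.8.x prints
# "iptables v1.8.2 (nf_tables)" or "iptables v1.8.2 (legacy)"; a banner
# without a suffix comes from an older, legacy-only build.
backend_from_version() {
    case "$1" in
        *'(nf_tables)'*) echo nft ;;
        *)               echo legacy ;;
    esac
}

# Save with whatever "$1" is (iptables-save, iptables-legacy-save, or a
# test stub) into "$2". Kernel support is proven by the save command
# succeeding, not by a /proc file that only the legacy backend creates.
# The dump goes to a temp path first so a failed save leaves the old
# rules file intact.
save_rules() {
    save_cmd=$1
    dest=$2
    tmp="$dest.tmp.$$"
    if "$save_cmd" > "$tmp" 2>/dev/null; then
        chmod 0640 "$tmp" && mv "$tmp" "$dest"
        return 0
    fi
    rm -f "$tmp"
    echo "Warning: skipping save with $save_cmd (Kernel support is missing)" >&2
    return 1
}

# Usage on a real host (assumed layout; run as root):
#   case $(backend_from_version "$(iptables -V 2>/dev/null)") in
#       nft)    save_rules iptables-save        /etc/iptables/rules.v4 ;;
#       legacy) save_rules iptables-legacy-save /etc/iptables/rules.v4 ;;
#   esac
```

Because the decision is driven by what the installed iptables binary reports and by whether the dump actually succeeds, blacklisting the iptable_* modules (as in the report) no longer turns a working nf_tables setup into "Kernel support is missing".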
-- System Information:
Debian Release: 10.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set
LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=locale: Cannot set LC_MESSAGES to default
locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages iptables-persistent depends on:
ii debconf [debconf-2.0] 1.5.71
ii iptables 1.8.2-4
ii netfilter-persistent 1.0.11
iptables-persistent recommends no packages.
iptables-persistent suggests no packages.
-- debconf information:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "C.UTF-8",
LC_MESSAGES = "en_GB.utf8",
LC_MEASUREMENT = "en_GB.utf8",
LC_PAPER = "en_GB.utf8",
LANG = "de_DE.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("de_DE.UTF-8").
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
iptables-persistent/autosave_v6: true
iptables-persistent/autosave_v4: true