Your message dated Tue, 29 Nov 2011 00:34:21 +0000
with message-id <e1rvbep-0008oo...@franck.debian.org>
and subject line Bug#637796: fixed in iptables-persistent 0.5.3
has caused the Debian Bug report #637796,
regarding "firewall rules not loaded at all"
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
637796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637796
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: iptables-persistent
Version: 0.5.2
Severity: wishlist
Hello,
Trying to give iptables-persistent a try, I ran into the following
problem: I got the "skipping IPv4 (no module loaded)" message at startup
(same for IPv6), whereas doing "up /sbin/iptables-restore <
/etc/iptables/rules.v4" in my /etc/network/interfaces loads my iptables
rules at startup without any error.
The init script (load_rules) checks if /proc/net/ip_tables_names is
present before loading the rules, meaning that tables modules must be
loaded first. It seems that with current iptables and kernels shipped
with Debian, it is not necessary. If I comment the part with the
/proc/net/ip_tables_names test, my rules are loaded at startup.
man iptables states:
"-t, --table table
This option specifies the packet matching table which the command
should operate on. If the kernel is configured with automatic module
loading, an attempt will be made to load the appropriate module for
that table if it is not already there."
And kernels in Wheezy seem to automatically load the appropriate modules.
I understand that iptables-persistent should take into account other
kernels than the official Debian ones, but I still wonder if the test is
really necessary. If modules cannot be loaded automatically and if
/proc/net/ip_tables_names does not exist, iptables-restore will just
fail and the result will be the same (no rules loaded).
Moreover, the init script checks whether the table modules are loaded, not
whether the other specific modules required by the rules in
/etc/iptables/rules.v4 can be loaded (but the risk is limited here if
rules.v4 is created with the debconf script or by
/etc/init.d/iptables-persistent save_rules).
There might be good reasons for doing it that way; in such a case, please
disregard this bug report (and close it).
Best regards
Pascal Dormeau
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (90, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iptables-persistent depends on:
ii debconf [debconf-2.0] 1.5.40 Debian configuration management sy
ii iptables 1.4.12-1 administration tools for packet fi
ii lsb-base 3.2-27 Linux Standard Base 3.2 init scrip
iptables-persistent recommends no packages.
iptables-persistent suggests no packages.
-- Configuration Files:
/etc/init.d/iptables-persistent changed:
. /lib/lsb/init-functions

rc=0

load_rules()
{
    log_action_begin_msg "Loading iptables rules"
    # load IPv4 rules
    # (no /proc/net/ip_tables_names test here: iptables-restore loads the
    # table module itself when the kernel has automatic module loading)
    if [ -f /etc/iptables/rules.v4 ]; then
        log_action_cont_msg " IPv4"
        iptables-restore < /etc/iptables/rules.v4 2> /dev/null
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi
    # load IPv6 rules
    if [ -f /etc/iptables/rules.v6 ]; then
        log_action_cont_msg " IPv6"
        ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi
    log_action_end_msg $rc
}

save_rules()
{
    log_action_begin_msg "Saving rules"
    # save IPv4 rules
    # (the /proc test is kept on save: with no table loaded, iptables-save
    # would overwrite rules.v4 with an empty dump)
    if [ ! -f /proc/net/ip_tables_names ]; then
        log_action_cont_msg " skipping IPv4 (no module loaded)"
    elif [ -x /sbin/iptables-save ]; then
        log_action_cont_msg " IPv4"
        iptables-save > /etc/iptables/rules.v4
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi
    # save IPv6 rules
    if [ ! -f /proc/net/ip6_tables_names ]; then
        log_action_cont_msg " skipping IPv6 (no module loaded)"
    elif [ -x /sbin/ip6tables-save ]; then
        log_action_cont_msg " IPv6"
        ip6tables-save > /etc/iptables/rules.v6
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi
    log_action_end_msg $rc
}

flush_rules()
{
    log_action_begin_msg "Flushing rules"
    if [ ! -f /proc/net/ip_tables_names ]; then
        log_action_cont_msg " skipping IPv4 (no module loaded)"
    elif [ -x /sbin/iptables ]; then
        log_action_cont_msg " IPv4"
        # flush, zero and delete chains in the filter table, then in every
        # loaded table; "$(cat ...)" rather than "$(<...)" because /bin/sh
        # is dash here and "$(<file)" is a bash-only construct
        for param in F Z X; do /sbin/iptables -$param; done
        for table in $(cat /proc/net/ip_tables_names)
        do
            /sbin/iptables -t $table -F
            /sbin/iptables -t $table -Z
            /sbin/iptables -t $table -X
        done
        # reset the built-in chain policies
        for chain in INPUT FORWARD OUTPUT
        do
            /sbin/iptables -P $chain ACCEPT
        done
    fi
    if [ ! -f /proc/net/ip6_tables_names ]; then
        log_action_cont_msg " skipping IPv6 (no module loaded)"
    elif [ -x /sbin/ip6tables ]; then
        log_action_cont_msg " IPv6"
        for param in F Z X; do /sbin/ip6tables -$param; done
        for table in $(cat /proc/net/ip6_tables_names)
        do
            /sbin/ip6tables -t $table -F
            /sbin/ip6tables -t $table -Z
            /sbin/ip6tables -t $table -X
        done
        for chain in INPUT FORWARD OUTPUT
        do
            /sbin/ip6tables -P $chain ACCEPT
        done
    fi
    log_action_end_msg 0
}

case "$1" in
    start|restart|reload|force-reload)
        load_rules
        ;;
    save)
        save_rules
        ;;
    stop)
        # Why? because if stop is used, the firewall gets flushed for a variable
        # amount of time during package upgrades, leaving the machine vulnerable
        # It's also not always desirable to flush during purge
        echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
        ;;
    flush)
        flush_rules
        ;;
    *)
        echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
        exit 1
        ;;
esac

exit $rc
-- debconf information:
* iptables-persistent/autosave_v6: true
* iptables-persistent/autosave_v4: true
--- End Message ---
--- Begin Message ---
Source: iptables-persistent
Source-Version: 0.5.3
We believe that the bug you reported is fixed in the latest version of
iptables-persistent, which is due to be installed in the Debian FTP archive:
iptables-persistent_0.5.3.dsc
to main/i/iptables-persistent/iptables-persistent_0.5.3.dsc
iptables-persistent_0.5.3.tar.gz
to main/i/iptables-persistent/iptables-persistent_0.5.3.tar.gz
iptables-persistent_0.5.3_all.deb
to main/i/iptables-persistent/iptables-persistent_0.5.3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 637...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated iptables-persistent
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 28 Nov 2011 23:19:39 +0000
Source: iptables-persistent
Binary: iptables-persistent
Architecture: source all
Version: 0.5.3
Distribution: unstable
Urgency: low
Maintainer: Jonathan Wiltshire <j...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description:
iptables-persistent - boot-time loader for iptables rules
Closes: 637796 637852 645523 650001
Changes:
iptables-persistent (0.5.3) unstable; urgency=low
.
* [09d9ae] Check for loaded modules in postinst (Closes: #637852)
* [521544] Fix Default-Start and Default-Stop fields of the LSB header in
the init script. Thanks to Andreas Rütten (Closes: #650001)
* [d17b2f] Revert checking for loaded modules at startup, as this isn't
necessary in newer versions ip{,6}tables-restore - instead check that there
is a rules file to be loaded. Ensure at least ip{,6}table_filter is loaded
during save (Closes: #637796)
* [71aa52] Tidy formatting and spacing in iptables-persistent.init
* [3fe51a] Debconf translations to Spanish.
Thanks to Francisco Javier Cuadrado (Closes: #645523)
Checksums-Sha1:
957cc452aa0ed5cc595e56dbaffd8ce5954cdd7e 1624 iptables-persistent_0.5.3.dsc
c5666a2a2f1bef58aae98f5cdb5fa9c16fd59655 10879 iptables-persistent_0.5.3.tar.gz
703202bd6dbd912c08e5510fe745da2fbed004de 8666 iptables-persistent_0.5.3_all.deb
Checksums-Sha256:
079add4952fa4f25b18ba302746c3de6818d7e455972811bb798e0a0b2080f3f 1624
iptables-persistent_0.5.3.dsc
3e4de9720efc5cc1e2deabeab13dd0da914ade52098ba97e60ad8ae13583b386 10879
iptables-persistent_0.5.3.tar.gz
4cce0c44e37dc56ad7f5dda5980280422324ed9621c9934fbbf1965292bb6b46 8666
iptables-persistent_0.5.3_all.deb
Files:
5addecdec4a0beca4c52eb3b431a1a6c 1624 admin optional
iptables-persistent_0.5.3.dsc
e15182101dc563d50279dd7334216ea0 10879 admin optional
iptables-persistent_0.5.3.tar.gz
010d3661cb5e5c539ca9f7e44d903ad6 8666 admin optional
iptables-persistent_0.5.3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
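The following is an added example, not the iptables-persistent init script and not code from either message above. It models the two load strategies the report argues about (0.5.2: skip when /proc/net/ip_tables_names is absent; 0.5.3 changelog: skip only when there is no rules file and let ip*tables-restore autoload the table module) and the save-side point from the same changelog entry (make sure the filter table exists before saving, since an empty dump would otherwise overwrite the rules file). Paths and commands are passed as parameters so the logic can be exercised as an unprivileged user against constructed files; the function names, the parameter layout and the use of a "probe" command to trigger table autoload are assumptions made for this example, not the package's actual mechanism.

```shell
#!/bin/sh
# Added example, not the iptables-persistent init script. All paths and
# commands are parameters so that constructed files and stub commands can
# stand in for /proc and for ip*tables-restore / ip*tables-save.
# Function names and parameter layout are assumptions for this example.

# 0.5.2 behaviour: skip entirely when the table's /proc entry is absent,
# which is exactly the "skipping IPv4 (no module loaded)" in the report.
load_rules_checking_proc() {
    rules_file=$1
    proc_names=$2
    restore_cmd=$3
    if [ ! -f "$proc_names" ]; then
        echo "skipping (no module loaded)"
        return 0
    fi
    [ -f "$rules_file" ] || return 0
    # stderr is deliberately not discarded: a failed restore should say why
    $restore_cmd < "$rules_file"
}

# 0.5.3 behaviour as described in the changelog: only the presence of a
# rules file decides; the restore tool autoloads the table module itself.
load_rules_checking_file() {
    rules_file=$1
    restore_cmd=$2
    if [ ! -f "$rules_file" ]; then
        echo "skipping (no rules file)"
        return 0
    fi
    $restore_cmd < "$rules_file"
}

# Save side: without a loaded filter table the save tool produces an empty
# dump and, with autosave enabled, the next boot would load nothing. The
# probe_cmd is expected to make the kernel create the table (for example
# "iptables -t filter -L -n"); if it does not, refuse to overwrite the file.
save_rules_ensuring_filter() {
    proc_names=$1
    probe_cmd=$2
    save_cmd=$3
    rules_file=$4
    if [ ! -f "$proc_names" ]; then
        $probe_cmd >/dev/null 2>&1
        if [ ! -f "$proc_names" ]; then
            echo "cannot load filter table, not saving"
            return 1
        fi
    fi
    $save_cmd > "$rules_file"
}

# Constructed demonstration of the reported situation: a rules file exists,
# the /proc entry does not. Nothing here touches the real kernel.
demo_dir=$(mktemp -d)
demo_rules=$demo_dir/rules.v4
demo_proc=$demo_dir/ip_tables_names      # stand-in, never the real /proc file
printf '*filter\n:INPUT DROP [0:0]\nCOMMIT\n' > "$demo_rules"

# Stub for iptables-restore: records what it was fed.
fake_restore() { cat > "$demo_dir/restored"; }
# Stub for a probe that makes the kernel create the proc entry.
fake_probe() { : > "$demo_proc"; }
# Stub for iptables-save.
fake_save() { printf '*filter\n:INPUT DROP [0:0]\nCOMMIT\n'; }

load_rules_checking_proc "$demo_rules" "$demo_proc" fake_restore   # 0.5.2: skips
load_rules_checking_file "$demo_rules" fake_restore                # 0.5.3: restores
cmp -s "$demo_rules" "$demo_dir/restored" && echo "0.5.3 logic loaded the rules"
save_rules_ensuring_filter "$demo_proc" fake_probe fake_save "$demo_dir/saved.v4" \
    && echo "saved after probing the filter table"
rm -rf "$demo_dir"
```

Run it as a plain user: the first call prints the skip message and never calls the restore stub, the second feeds the rules file to it, and the save only proceeds once the probe has produced the (constructed) proc entry. Swapping the stubs for the real tools gives the load/save shape the 0.5.3 changelog describes.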