Your message dated Tue, 29 Nov 2011 00:34:21 +0000
with message-id <e1rvbep-0008oo...@franck.debian.org>
and subject line Bug#637796: fixed in iptables-persistent 0.5.3
has caused the Debian Bug report #637796,
regarding "firewall rules not loaded at all"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
637796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637796
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: iptables-persistent
Version: 0.5.2
Severity: wishlist

Hello,

While giving iptables-persistent a try, I ran into the following problem: 
I got a "skipping IPv4 (no module loaded)" message at startup (same for 
IPv6), whereas putting "up /sbin/iptables-restore < 
/etc/iptables/rules.v4" in my /etc/network/interface loads my iptables 
rules at startup without any error.

The init script (load_rules) checks whether /proc/net/ip_tables_names is 
present before loading the rules, meaning that the table modules must be 
loaded first. It seems that with the current iptables and kernels shipped 
with Debian, this is not necessary. If I comment out the part with the 
/proc/net/ip_tables_names test, my rules are loaded at startup.

man iptables states:
"-t, --table table
This  option  specifies the packet matching table which the command 
should operate on. If the kernel is configured with automatic module 
loading, an attempt will be made to load the appropriate module for
that table if it is not already there."

And kernels in Wheezy seem to load the appropriate modules automatically.

I understand that iptables-persistent should take into account kernels 
other than the official Debian ones, but I still wonder whether the test 
is really necessary. If modules cannot be loaded automatically and 
/proc/net/ip_tables_names does not exist, iptables-restore will just 
fail and the result will be the same (no rules loaded).

Moreover, the init script checks whether the table modules are loaded, not 
whether the other specific modules required by the rules in 
/etc/iptables/rules.v4 can be loaded (but the risk is limited here if 
rules.v4 is created with the debconf script or by 
/etc/init.d/iptables-persistent save_rules).

There might be some good reasons for doing it that way; in such a case, 
please disregard this bug report (and close it).

Best regards

Pascal Dormeau

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (90, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iptables-persistent depends on:
ii  debconf [debconf-2.0]         1.5.40     Debian configuration management sy
ii  iptables                      1.4.12-1   administration tools for packet fi
ii  lsb-base                      3.2-27     Linux Standard Base 3.2 init scrip

iptables-persistent recommends no packages.

iptables-persistent suggests no packages.

-- Configuration Files:
/etc/init.d/iptables-persistent changed:
. /lib/lsb/init-functions
rc=0
load_rules()
{
        log_action_begin_msg "Loading iptables rules"
        #load IPv4 rules
        if [ -f /etc/iptables/rules.v4 ]; then
                log_action_cont_msg " IPv4"
                iptables-restore < /etc/iptables/rules.v4 2> /dev/null
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
        #load IPv6 rules        
        if [ -f /etc/iptables/rules.v6 ]; then
                log_action_cont_msg " IPv6"
                ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
        log_action_end_msg $rc
}
save_rules()
{
        log_action_begin_msg "Saving rules"
        #save IPv4 rules
        if [ ! -f /proc/net/ip_tables_names ]; then
                log_action_cont_msg " skipping IPv4 (no module loaded)"
        elif [ -x /sbin/iptables-save ]; then
                log_action_cont_msg " IPv4"
                iptables-save > /etc/iptables/rules.v4
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
        #save IPv6 rules
        if [ ! -f /proc/net/ip6_tables_names ]; then
                log_action_cont_msg " skipping IPv6 (no module loaded)"
        elif [ -x /sbin/ip6tables-save ]; then
                log_action_cont_msg " IPv6"
                ip6tables-save > /etc/iptables/rules.v6
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
        log_action_end_msg $rc
}
flush_rules()
{
        log_action_begin_msg "Flushing rules"
        if [ ! -f /proc/net/ip_tables_names ]; then
                log_action_cont_msg " skipping IPv4 (no module loaded)"
        elif [ -x /sbin/iptables ]; then
                log_action_cont_msg " IPv4"
                for param in F Z X; do /sbin/iptables -$param; done
                # $(<file) is a bash-only form; under dash (/bin/sh) it expands to nothing
                for table in $(cat /proc/net/ip_tables_names)
                do
                        /sbin/iptables -t $table -F
                        /sbin/iptables -t $table -Z
                        /sbin/iptables -t $table -X
                done
                for chain in INPUT FORWARD OUTPUT
                do
                        /sbin/iptables -P $chain ACCEPT
                done
        fi
        
        if [ ! -f /proc/net/ip6_tables_names ]; then
                log_action_cont_msg " skipping IPv6 (no module loaded)"
        elif [ -x /sbin/ip6tables ]; then
                log_action_cont_msg " IPv6"
                for param in F Z X; do /sbin/ip6tables -$param; done
                # $(<file) is a bash-only form; under dash (/bin/sh) it expands to nothing
                for table in $(cat /proc/net/ip6_tables_names)
                do
                        /sbin/ip6tables -t $table -F
                        /sbin/ip6tables -t $table -Z
                        /sbin/ip6tables -t $table -X
                done
                for chain in INPUT FORWARD OUTPUT
                do
                        /sbin/ip6tables -P $chain ACCEPT
                done
        fi
        log_action_end_msg 0
}
case "$1" in
start|restart|reload|force-reload)
        load_rules
        ;;
save)
        save_rules
        ;;
stop)
        # Why? because if stop is used, the firewall gets flushed for a variable
        # amount of time during package upgrades, leaving the machine vulnerable
        # It's also not always desirable to flush during purge
        echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
        ;;
flush)
        flush_rules
        ;;
*)
    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
    exit 1
    ;;
esac
exit $rc


-- debconf information:
* iptables-persistent/autosave_v6: true
* iptables-persistent/autosave_v4: true



--- End Message ---
--- Begin Message ---
Source: iptables-persistent
Source-Version: 0.5.3

We believe that the bug you reported is fixed in the latest version of
iptables-persistent, which is due to be installed in the Debian FTP archive:

iptables-persistent_0.5.3.dsc
  to main/i/iptables-persistent/iptables-persistent_0.5.3.dsc
iptables-persistent_0.5.3.tar.gz
  to main/i/iptables-persistent/iptables-persistent_0.5.3.tar.gz
iptables-persistent_0.5.3_all.deb
  to main/i/iptables-persistent/iptables-persistent_0.5.3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 637...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated iptables-persistent 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 28 Nov 2011 23:19:39 +0000
Source: iptables-persistent
Binary: iptables-persistent
Architecture: source all
Version: 0.5.3
Distribution: unstable
Urgency: low
Maintainer: Jonathan Wiltshire <j...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description: 
 iptables-persistent - boot-time loader for iptables rules
Closes: 637796 637852 645523 650001
Changes: 
 iptables-persistent (0.5.3) unstable; urgency=low
 .
   * [09d9ae] Check for loaded modules in postinst (Closes: #637852)
   * [521544] Fix Default-Start and Default-Stop fields of the LSB header in
     the init script. Thanks to Andreas Rütten (Closes: #650001)
   * [d17b2f] Revert checking for loaded modules at startup, as this isn't
     necessary in newer versions of ip{,6}tables-restore - instead check that
     there is a rules file to be loaded. Ensure at least ip{,6}table_filter is
     loaded during save (Closes: #637796)
   * [71aa52] Tidy formatting and spacing in iptables-persistent.init
   * [3fe51a] Debconf translations to Spanish.
     Thanks to Francisco Javier Cuadrado (Closes: #645523)
Checksums-Sha1: 
 957cc452aa0ed5cc595e56dbaffd8ce5954cdd7e 1624 iptables-persistent_0.5.3.dsc
 c5666a2a2f1bef58aae98f5cdb5fa9c16fd59655 10879 iptables-persistent_0.5.3.tar.gz
 703202bd6dbd912c08e5510fe745da2fbed004de 8666 iptables-persistent_0.5.3_all.deb
Checksums-Sha256: 
 079add4952fa4f25b18ba302746c3de6818d7e455972811bb798e0a0b2080f3f 1624 iptables-persistent_0.5.3.dsc
 3e4de9720efc5cc1e2deabeab13dd0da914ade52098ba97e60ad8ae13583b386 10879 iptables-persistent_0.5.3.tar.gz
 4cce0c44e37dc56ad7f5dda5980280422324ed9621c9934fbbf1965292bb6b46 8666 iptables-persistent_0.5.3_all.deb
Files: 
 5addecdec4a0beca4c52eb3b431a1a6c 1624 admin optional iptables-persistent_0.5.3.dsc
 e15182101dc563d50279dd7334216ea0 10879 admin optional iptables-persistent_0.5.3.tar.gz
 010d3661cb5e5c539ca9f7e44d903ad6 8666 admin optional iptables-persistent_0.5.3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
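The loader shape the report argues for and the 0.5.3 changelog describes (no /proc/net/ip_tables_names gate at load time, since iptables-restore has the kernel autoload the table modules it asks for; a check that a rules file exists instead; and making sure the filter table exists before saving), as an added shell example. This is not the package's init script and not code from either message in the thread. It also addresses the two things the report leaves open: restore errors are logged instead of sent to /dev/null, and the match/target extensions a rules file needs are listed from the file itself rather than inferred from which modules happen to be loaded. Assumptions not taken from the thread: the restore command accepts --test (iptables-restore's parse-only mode), the sample ruleset is constructed, and every external command is passed as a parameter so the functions can be run unprivileged with the stand-ins included below. In real use pass iptables-restore, iptables-save and "iptables -t filter -L -n" (which makes the kernel load iptable_filter) for those parameters.

```shell
#!/bin/sh
# Added example, not iptables-persistent code: load/save helpers that trust the
# rules file rather than /proc/net/ip_tables_names, and never fail silently.
# Assumed: RESTORE_CMD accepts --test; commands are parameters so the stand-ins
# below can drive the functions without root.

# rules_tables FILE: the tables an iptables-save file declares ("*filter", ...).
# The file, not /proc, says which table modules the kernel must provide.
rules_tables() {
    sed -n 's/^\*\([a-z]*\)[[:space:]]*$/\1/p' "$1"
}

# rules_extensions FILE: match (-m) and non-builtin target (-j) extensions the
# rules use, as "match NAME" / "target NAME" lines. This is the gap the report
# points out: these need xt_*/ipt_* modules a table check never covers. Module
# names vary across kernel versions, so treat the output as a checklist.
rules_extensions() {
    awk '/^-[AI] / {
            for (i = 1; i < NF; i++) {
                if ($i == "-m") print "match " $(i + 1)
                else if ($i == "-j" && $(i + 1) ~ /^[A-Z]+$/ &&
                         $(i + 1) !~ /^(ACCEPT|DROP|RETURN)$/)
                    print "target " $(i + 1)
            }
        }' "$1" | sort -u
}

# load_ruleset FILE RESTORE_CMD LOG
# 0: FILE absent (nothing to load, not a failure) or applied;
# 1: FILE fails the parse-only pass, nothing applied; 2: applying it failed.
load_ruleset() {
    file=$1 restore=$2 log=$3
    [ -f "$file" ] || return 0
    if ! $restore --test < "$file" 2>>"$log"; then
        echo "$file: rejected by '$restore --test', not applied" >>"$log"
        return 1
    fi
    if ! $restore < "$file" 2>>"$log"; then
        echo "$file: '$restore' failed, ruleset may be partially applied" >>"$log"
        return 2
    fi
    return 0
}

# save_ruleset FILE SAVE_CMD ENSURE_FILTER_CMD
# Runs ENSURE_FILTER_CMD first (real use: "iptables -t filter -L -n", which
# loads iptable_filter), dumps to a temp file and only replaces FILE when the
# dump is non-empty, so a kernel with no tables loaded cannot overwrite a good
# rules file with an empty one that the next boot would "load" without error.
save_ruleset() {
    file=$1 save=$2 ensure=$3
    $ensure >/dev/null 2>&1 || return 1
    out="$file.tmp.$$"
    if $save > "$out" && [ -s "$out" ]; then
        mv "$out" "$file"
    else
        rm -f "$out"
        return 1
    fi
    return 0
}

# Constructed sample ruleset (not from the report) in iptables-save format.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 3/min -j LOG --log-prefix "ssh: "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Stand-in for iptables-restore: rejects input containing a "BROKEN ..." line.
fake_restore() {
    if grep -q '^BROKEN'; then echo "fake_restore: bad line" >&2; return 1; fi
}

# Stand-alone demo over the constructed sample:  sh this-file.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && write_sample_rules "$d/rules.v4"
    echo "tables:"; rules_tables "$d/rules.v4"
    echo "extensions:"; rules_extensions "$d/rules.v4"
    load_ruleset "$d/rules.v4" fake_restore "$d/log" && echo "loaded"
    rm -rf "$d"
fi
```

Two points of this shape matter for the failure mode in the report. Because the init script ran the restore with 2>/dev/null, "no rules loaded" at boot looks identical to "rules loaded" unless someone runs iptables -L; appending stderr to a log file and distinguishing "file absent" from "file rejected" gives the admin something to alert on. And on the save side, checking that the filter table exists before dumping (what the 0.5.3 changelog adds) only helps if an empty dump cannot replace the previous rules file, which is why the write goes through a temp file and a size check.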
