
Bug#861999: fwsnort: Doesn't remove firewall rules on package purge



Package: fwsnort
Version: 1.6.5-1
Severity: important

Hi,

while working on the recent RC bug in fwsnort (#860164) I noticed that
all the firewall rules created by fwsnort are not removed upon purging
the package.

But since the package does not create them automatically and they're
only created if the program is actually used as intended, I think it's
less severe than e.g. piuparts reporting leftover files after purge.

On a first glance, simply calling "fwsnort --ipt-revert" in prerm
suffices, but then again, /usr/sbin/fwsnort might be no more there, if
the package was already removed, but not purged. Luckily, when looking
what this option actually does, I noticed that it boils down to the very
simple oneliner:

  grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore

So I'll add this to the postrm script before deleting the fwsnort.save
file, calling it only if that file exists.
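A postrm fragment in the shape the report proposes, as an added example and not the maintainer's actual patch: the `FWSNORT_SAVE` variable, the `command -v` check and the handling of grep's exit status are assumptions added here, and the sample ruleset in the comments is constructed.

```shell
# Added example, not from the bug report. fwsnort.save holds the ruleset
# fwsnort captured before inserting its own rules (tagged FWSNORT), so
# restoring it without those lines reverts them; this is what
# "fwsnort --ipt-revert" boils down to, run from postrm on purge.
set -e

# Assumed path variable (the report names the file directly).
FWSNORT_SAVE="${FWSNORT_SAVE:-/var/lib/fwsnort/fwsnort.save}"

# Print the saved ruleset without fwsnort's own FWSNORT-tagged lines.
# grep -v exits 1 when no line survives (e.g. a file holding only
# FWSNORT lines); treat that as success so set -e does not abort
# the purge, but let exit 2 (unreadable file) propagate.
strip_fwsnort_rules() {
    grep -v FWSNORT "$1" || [ $? -eq 1 ]
}

# Revert fwsnort's rules only if the saved ruleset exists; otherwise
# there is nothing to undo and the function is a no-op.
revert_fwsnort_rules() {
    if [ -f "$FWSNORT_SAVE" ]; then
        # /usr/sbin/fwsnort may already be gone (removed, not yet purged),
        # but iptables-restore is independent of it.
        if command -v iptables-restore >/dev/null 2>&1; then
            strip_fwsnort_rules "$FWSNORT_SAVE" | iptables-restore
        else
            echo "iptables-restore not found; fwsnort rules left in place" >&2
            return 1
        fi
    fi
}

# Maintainer-script entry point: postrm is called with "purge" on purge.
case "${1:-}" in
    purge)
        revert_fwsnort_rules
        rm -f "$FWSNORT_SAVE"
        ;;
esac
```

Run with `sh postrm purge`; with no argument the script exits without touching the firewall.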

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (980, 'unstable-debug'), (600, 'testing'), (111, 'buildd-unstable'), (111, 'buildd-experimental'), (110, 'experimental'), (105, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fwsnort depends on:
ii  debconf [debconf-2.0]   1.5.60
ii  iptables                1.6.0+snapshot20161117-6
ii  libiptables-parse-perl  1.6-1
ii  libnet-rawip-perl       0.25-2+b3
ii  libnetaddr-ip-perl      4.079+dfsg-1+b1
pn  perl:any                <none>

Versions of packages fwsnort recommends:
pn  snort-rules-default  <none>

fwsnort suggests no packages.

-- debconf information:
* fwsnort/download: true

