Bug#863087: unblock: fwsnort/1.6.5-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
In case you consider https://bugs.debian.org/862485 ("fwsnort mustn't
set iptables rules when purged") as RC (as the reporter does and I
don't), please unblock fwsnort/1.6.5-4.
In case you don't consider this RC and don't want to unblock fwsnort,
please downgrade #862485 again accordingly.
full debdiff:
diff -Nru fwsnort-1.6.5/debian/changelog fwsnort-1.6.5/debian/changelog
--- fwsnort-1.6.5/debian/changelog 2017-05-07 11:47:15.000000000 +0200
+++ fwsnort-1.6.5/debian/changelog 2017-05-14 22:57:20.000000000 +0200
@@ -1,3 +1,13 @@
+fwsnort (1.6.5-4) unstable; urgency=medium
+
+ * QA upload.
+ * Flush all fwsnort firewall rules during prerm at package removal time
+ instead of restoring the firewall state from before "fwsnort
+ --ipt-apply" was called the last time at package purging time.
+ (Closes: #862485)
+
+ -- Axel Beckert <abe@debian.org> Sun, 14 May 2017 22:57:20 +0200
+
fwsnort (1.6.5-3) unstable; urgency=medium
* QA upload.
diff -Nru fwsnort-1.6.5/debian/fwsnort.postrm fwsnort-1.6.5/debian/fwsnort.postrm
--- fwsnort-1.6.5/debian/fwsnort.postrm 2017-05-07 11:43:40.000000000 +0200
+++ fwsnort-1.6.5/debian/fwsnort.postrm 2017-05-14 21:05:27.000000000 +0200
@@ -5,12 +5,6 @@
# In case the user wants to purge the fwsnort package, we must manually remove
# some files.
if [ "$1" = "purge" ]; then
- # Remove all fwsnort generated firewall rules
- if [ -f /var/lib/fwsnort/fwsnort.save ]; then
- echo "[+] Reverting to original iptables policy..."
- grep -Fv FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore
- fi
-
# Remove old log files (default directory)
if [ -d /var/log/fwsnort ]; then
find /var/log/fwsnort/ -type f -exec rm {} \;
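Review bot: with the restore block removed from the purge branch, nothing visible in this hunk deals with /var/lib/fwsnort/fwsnort.save any more, so please confirm that the rest of the purge branch deletes that file. Otherwise a stale snapshot of the ruleset stays on disk after purge. Dropping the `grep -Fv FWSNORT ... | iptables-restore` call itself looks right, since it replaced the live ruleset with whatever was saved before the last "fwsnort --ipt-apply", discarding every rule the administrator had added since then.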
diff -Nru fwsnort-1.6.5/debian/fwsnort.prerm fwsnort-1.6.5/debian/fwsnort.prerm
--- fwsnort-1.6.5/debian/fwsnort.prerm 1970-01-01 01:00:00.000000000 +0100
+++ fwsnort-1.6.5/debian/fwsnort.prerm 2017-05-14 22:34:17.000000000 +0200
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "remove" ]; then
+ FWSNORT_CHAINS=$(iptables -L -n | fgrep 'Chain FWSNORT' | awk '{print $2}')
+ if [ -n "${FWSNORT_CHAINS}" ]; then
+ # Remove all fwsnort generated firewall rules
+ fwsnort --ipt-flush
+
+ # --ipt-flush doesn't remove the additional chains of fwsnort, but
+ # --ipt-revert is not recommended for cleaning up according to
+ # the man page. So do that manually. *sigh*
+
+ # Remove all potential leftover references in other chains
+ iptables -D INPUT ! -i lo -j FWSNORT_INPUT || true
+ iptables -D FORWARD ! -i lo -j FWSNORT_FORWARD || true
+ iptables -D OUTPUT ! -o lo -j FWSNORT_OUTPUT || true
+
+ # Remove remaining chains
+ for fwsnort_chain in ${FWSNORT_CHAINS} ; do
+ iptables -X "${fwsnort_chain}"
+ done
+ fi
+fi
+#DEBHELPER#
+
+exit 0
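Review bot: the `iptables -X "${fwsnort_chain}"` loop runs under `set -e` without the `|| true` that the three `iptables -D` lines have, so a single chain that is still referenced makes prerm exit non-zero and the package removal fails. That can happen when the jump rule in INPUT, FORWARD or OUTPUT was installed with a different match than the exact `! -i lo` / `! -o lo` spec deleted here, because the `-D` then fails silently and the chain stays in use. Consider tolerating the failure per chain and printing a warning that names the leftover chain, and decide whether a failing `fwsnort --ipt-flush` should also abort the removal. Two smaller points: `iptables -L -n` without `-t` lists only the filter table, so chains in any other table are not seen, and `fgrep` could be written as `grep -F`.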
unblock fwsnort/1.6.5-4
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (990, 'unstable'), (980, 'unstable-debug'), (600, 'testing'), (111, 'buildd-unstable'), (111, 'buildd-experimental'), (110, 'experimental'), (105, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.11.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)