
Bug#863087: marked as done (unblock: fwsnort/1.6.5-4)



Your message dated Mon, 22 May 2017 05:54:00 +0000
with message-id <164333d7-332b-fac9-a7bb-da5ffcb0c726@thykier.net>
and subject line Re: Bug#863087: unblock: fwsnort/1.6.5-4
has caused the Debian Bug report #863087,
regarding unblock: fwsnort/1.6.5-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863087: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863087
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

In case you consider https://bugs.debian.org/862485 ("fwsnort mustn't
set iptables rules when purged") as RC (as the reporter does and I
don't), please unblock fwsnort/1.6.5-4.

In case you don't consider this RC and don't want to unblock fwsnort,
please downgrade #862485 again accordingly.

full debdiff:

diff -Nru fwsnort-1.6.5/debian/changelog fwsnort-1.6.5/debian/changelog
--- fwsnort-1.6.5/debian/changelog	2017-05-07 11:47:15.000000000 +0200
+++ fwsnort-1.6.5/debian/changelog	2017-05-14 22:57:20.000000000 +0200
@@ -1,3 +1,13 @@
+fwsnort (1.6.5-4) unstable; urgency=medium
+
+  * QA upload.
+  * Flush all fwsnort firewall rules during prerm at package removal time
+    instead of restoring the firewall state from before "fwsnort
+    --ipt-apply" was called the last time at package purging time.
+    (Closes: #862485)
+
+ -- Axel Beckert <abe@debian.org>  Sun, 14 May 2017 22:57:20 +0200
+
 fwsnort (1.6.5-3) unstable; urgency=medium
 
   * QA upload.
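
Review bot: the new 1.6.5-4 entry mentions only flushing rules, while the prerm added in this upload also deletes the jump rules from INPUT, FORWARD and OUTPUT and removes the FWSNORT chains with `iptables -X`. Say so in the changelog, so an administrator reading it knows that removing the package now modifies the built-in chains of the running firewall.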
diff -Nru fwsnort-1.6.5/debian/fwsnort.postrm fwsnort-1.6.5/debian/fwsnort.postrm
--- fwsnort-1.6.5/debian/fwsnort.postrm	2017-05-07 11:43:40.000000000 +0200
+++ fwsnort-1.6.5/debian/fwsnort.postrm	2017-05-14 21:05:27.000000000 +0200
@@ -5,12 +5,6 @@
 # In case the user wants to purge the fwsnort package, we must manually remove
 # some files.
 if [ "$1"  = "purge" ]; then
-	# Remove all fwsnort generated firewall rules
-	if [ -f  /var/lib/fwsnort/fwsnort.save ]; then
-	    echo "[+] Reverting to original iptables policy..."
-	    grep -Fv FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore
-	fi
-
 	# Remove old log files (default directory)
 	if [ -d /var/log/fwsnort ]; then
 		find /var/log/fwsnort/ -type f -exec rm {} \;
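
Review bot: with the `iptables-restore` block gone from the purge branch, nothing in the visible lines uses or deletes /var/lib/fwsnort/fwsnort.save any more, although the comment above the branch says purge must remove files by hand. Check that the rest of the branch removes /var/lib/fwsnort, otherwise a stale ruleset snapshot is left on disk after purge.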
diff -Nru fwsnort-1.6.5/debian/fwsnort.prerm fwsnort-1.6.5/debian/fwsnort.prerm
--- fwsnort-1.6.5/debian/fwsnort.prerm	1970-01-01 01:00:00.000000000 +0100
+++ fwsnort-1.6.5/debian/fwsnort.prerm	2017-05-14 22:34:17.000000000 +0200
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1"  = "remove" ]; then
+    FWSNORT_CHAINS=$(iptables -L -n | fgrep 'Chain FWSNORT' | awk '{print $2}')
+    if [ -n "${FWSNORT_CHAINS}" ]; then
+        # Remove all fwsnort generated firewall rules
+        fwsnort --ipt-flush
+
+        # --ipt-flush doesn't remove the additional chains of fwsnort, but
+        # --ipt-revert is not recommended for cleaning up according to
+        # the man page. So do that manually. *sigh*
+
+        # Remove all potential leftover references in other chains
+        iptables -D INPUT   ! -i lo -j FWSNORT_INPUT   || true
+        iptables -D FORWARD ! -i lo -j FWSNORT_FORWARD || true
+        iptables -D OUTPUT  ! -o lo -j FWSNORT_OUTPUT  || true
+
+        # Remove remaining chains
+        for fwsnort_chain in ${FWSNORT_CHAINS} ; do
+            iptables -X "${fwsnort_chain}"
+        done
+    fi
+fi
+#DEBHELPER#
+
+exit 0
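
Review bot: the `iptables -X "${fwsnort_chain}"` call in the final loop has no `|| true`, unlike the three `iptables -D` lines above it, so under `set -e` a chain that is still referenced by any rule other than those three jumps makes the prerm exit non-zero and blocks package removal. The unguarded `fwsnort --ipt-flush` has the same effect if it fails. If removal is meant to continue, guard both calls and print a warning naming the chain that could not be deleted instead of failing silently or aborting. Two smaller points: `iptables -L -n` without `-t` inspects only the IPv4 filter table, so if fwsnort can create chains through ip6tables or in another table, those are left in place; and `fgrep` can be written as `grep -F`.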

unblock fwsnort/1.6.5-4

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (980, 'unstable-debug'), (600, 'testing'), (111, 'buildd-unstable'), (111, 'buildd-experimental'), (110, 'experimental'), (105, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.11.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Axel Beckert:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> In case you consider https://bugs.debian.org/862485 ("fwsnort mustn't
> set iptables rules when purged") as RC (as the reporter does and I
> don't), please unblock fwsnort/1.6.5-4.
> 
> In case you don't consider this RC and don't want to unblock fwsnort,
> please downgrade #862485 again accordingly.
> 
> full debdiff:
> 
> [...]
> 
> unblock fwsnort/1.6.5-4
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---