
Bug#963340: buster-pu: package iptables-persistent/1.0.14



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hello release team

I'd like to fix bugs #961589 and #963012 in Buster by uploading
iptables-persistent 1.0.14, which is already in testing and backports.

The updated package has been part of backports since Oct 2019 without
reports of problems; I personally use it on all systems I administer
without problems.

Besides fixing these 2 bugs, this version changes the way iptables rules
are flushed (to be better IMHO), allows toggling the rule saving for
individual components (iptables, ip6tables and ipset) without changing
the defaults, and sets up the iptables, ip6tables and ipset services in
systemd using alternatives (see #926927).

I've attached a debdiff to this report.

thanks!

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru iptables-persistent-1.0.11/debian/changelog iptables-persistent-1.0.14+deb10u1/debian/changelog
--- iptables-persistent-1.0.11/debian/changelog	2019-02-09 05:36:39.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/debian/changelog	2020-06-21 21:12:04.000000000 +0200
@@ -1,3 +1,39 @@
+iptables-persistent (1.0.14+deb10u1) buster; urgency=medium
+
+  * Rebuild for buster-updates.
+
+ -- gustavo panizzo <gfa@zumbi.com.ar>  Sun, 21 Jun 2020 19:12:04 +0000
+
+iptables-persistent (1.0.14) unstable; urgency=medium
+
+  * [401a9f] No longer load modules.
+    Thanks to Jérémie LEGRAND (Closes: 932196)
+  * [933938] Implement a new logic to flush firewall rules
+  * [824486] Add variable Pre-Depends as required by init-system-helpers and debhelper 12
+  * [3ed371] Run wrap-and-sort
+
+ -- gustavo panizzo <gfa@zumbi.com.ar>  Fri, 13 Sep 2019 19:16:28 +0200
+
+iptables-persistent (1.0.13) unstable; urgency=medium
+
+  * Upload to unstable
+  * [30244a] Standards version 4.4.0 (no changes)
+  * [242e35] Provide the virtual systemd units iptables.service and
+    ipset.service.
+    Thanks to Laurent Bigonville for the bug report (Closes: #926927)
+  * [3a751c] Remove Jonathan Wiltshire as Maintainer and add myself
+  * [7303da] Add Documentation to the systemd unit
+  * [320e48] Use debhelper 12
+
+ -- gustavo panizzo <gfa@zumbi.com.ar>  Mon, 26 Aug 2019 21:27:58 +0200
+
+iptables-persistent (1.0.12) experimental; urgency=medium
+
+  * [3ca86e] Use white space and tabs consistently
+  * [d5726c] Allow granular configuration for the save action
+
+ -- gustavo panizzo <gfa@zumbi.com.ar>  Wed, 27 Mar 2019 14:34:28 +0800
+
 iptables-persistent (1.0.11) unstable; urgency=medium
 
   * [e491d7] Make iptables-persistent to Pre-Depends on iptables.
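Review bot: the new 1.0.14+deb10u1 entry at the top says only "Rebuild for buster-updates" and closes nothing, although the request gives #961589 and #963012 as the reason for the upload. Listing both bugs in this entry would let the stable changelog record what the update fixes. In the 1.0.14 entry, "(Closes: 932196)" is also written without the "#" that the 1.0.13 entry uses.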
diff -Nru iptables-persistent-1.0.11/debian/compat iptables-persistent-1.0.14+deb10u1/debian/compat
--- iptables-persistent-1.0.11/debian/compat	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/debian/compat	1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-11
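Review bot: removing debian/compat (level 11) goes together with the switch to "debhelper-compat (= 12)" and the new dh-exec build dependency in debian/control, and that changes how the package is built independently of the two bugs this stable update targets. The request should say that the binary packages built this way on buster were compared with the 1.0.11 ones (file lists and maintainer scripts), since the compat bump can alter the generated #DEBHELPER# snippets.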
diff -Nru iptables-persistent-1.0.11/debian/control iptables-persistent-1.0.14+deb10u1/debian/control
--- iptables-persistent-1.0.11/debian/control	2019-02-09 05:28:03.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/debian/control	2020-06-21 21:12:04.000000000 +0200
@@ -1,10 +1,9 @@
 Source: iptables-persistent
 Section: admin
 Priority: optional
-Maintainer: Jonathan Wiltshire <jmw@debian.org>
-Uploaders: gustavo panizzo <gfa@zumbi.com.ar>
-Build-Depends: debhelper (>= 11.0.0), po-debconf
-Standards-Version: 4.3.0
+Maintainer: gustavo panizzo <gfa@zumbi.com.ar>
+Standards-Version: 4.4.0
+Build-Depends: debhelper-compat (= 12), dh-exec, po-debconf
 Vcs-Browser: https://salsa.debian.org/debian/iptables-persistent.git
 Vcs-Git: https://salsa.debian.org/debian/iptables-persistent.git
 
@@ -14,6 +13,7 @@
 Breaks: iptables-persistent (<< 1~)
 Replaces: iptables-persistent (<< 1~)
 Suggests: iptables-persistent
+Pre-Depends: ${misc:Pre-Depends}
 Description: boot-time loader for netfilter configuration
  This package provides a loader for netfilter configuration using a
  plugin-based architecture. It can load, flush and save a running
@@ -23,7 +23,7 @@
 Package: iptables-persistent
 Architecture: all
 Depends: netfilter-persistent (= ${source:Version}), ${misc:Depends}
-Pre-Depends: iptables
+Pre-Depends: iptables, ${misc:Pre-Depends}
 Description: boot-time loader for netfilter rules, iptables plugin
  netfilter-persistent is a loader for netfilter configuration using a
  plugin-based architecture.
@@ -32,6 +32,7 @@
 
 Package: ipset-persistent
 Architecture: all
+Pre-Depends: ${misc:Pre-Depends}
 Depends: ipset, netfilter-persistent (= ${source:Version}), ${misc:Depends}
 Description: boot-time loader for netfilter rules, ipset plugin
  netfilter-persistent is a loader for netfilter configuration using a
diff -Nru iptables-persistent-1.0.11/debian/ipset.override iptables-persistent-1.0.14+deb10u1/debian/ipset.override
--- iptables-persistent-1.0.11/debian/ipset.override	1970-01-01 01:00:00.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/debian/ipset.override	2020-06-21 21:12:04.000000000 +0200
@@ -0,0 +1,2 @@
+[Unit]
+Conflicts=ipset.service
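Review bot: "Conflicts=ipset.service" is installed as a drop-in for netfilter-persistent.service, while the postinst later in this patch links /lib/systemd/system/ipset.service to netfilter-persistent.service through alternatives. Whenever that alternative is the selected one, ipset.service is just another name for this same unit, so the Conflicts= line only means something when a different provider wins the alternative. A comment in the override stating that intent would help, and it is worth checking what systemd logs for the self-referencing case. The same applies to debian/iptables.override.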
diff -Nru iptables-persistent-1.0.11/debian/ipset-persistent.install iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.install
--- iptables-persistent-1.0.11/debian/ipset-persistent.install	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.install	2020-06-21 21:12:04.000000000 +0200
@@ -1,2 +1,4 @@
-plugins/10-ipset        usr/share/netfilter-persistent/plugins.d/
-plugins/40-ipset        usr/share/netfilter-persistent/plugins.d/
+#! /usr/bin/dh-exec
+plugins/10-ipset         usr/share/netfilter-persistent/plugins.d/
+plugins/40-ipset         usr/share/netfilter-persistent/plugins.d/
+debian/ipset.override => etc/systemd/system/netfilter-persistent.service.d/ipset.conf
diff -Nru iptables-persistent-1.0.11/debian/ipset-persistent.postinst iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.postinst
--- iptables-persistent-1.0.11/debian/ipset-persistent.postinst	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.postinst	2020-06-21 21:12:04.000000000 +0200
@@ -2,6 +2,9 @@
 
 set -e
 
+# Setup alternatives
+update-alternatives --install /lib/systemd/system/ipset.service ipset.service /lib/systemd/system/netfilter-persistent.service 40
+
 # Source debconf library
 . /usr/share/debconf/confmodule
 
diff -Nru iptables-persistent-1.0.11/debian/ipset-persistent.prerm iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.prerm
--- iptables-persistent-1.0.11/debian/ipset-persistent.prerm	1970-01-01 01:00:00.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.prerm	2020-06-21 21:12:04.000000000 +0200
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+# Remove alternatives
+update-alternatives --remove-all ipset.service
+
+#DEBHELPER#
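Review bot: "update-alternatives --remove-all ipset.service" deletes every alternative registered under that name, including ones installed by other packages and any manual selection by the administrator, and it runs for every prerm invocation, upgrades included. Remove only this package's entry, with "update-alternatives --remove ipset.service /lib/systemd/system/netfilter-persistent.service", and guard it so it runs only when "$1" is remove or deconfigure. Otherwise each upgrade leaves a window with no ipset.service link until the postinst re-registers it.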
diff -Nru iptables-persistent-1.0.11/debian/iptables.override iptables-persistent-1.0.14+deb10u1/debian/iptables.override
--- iptables-persistent-1.0.11/debian/iptables.override	1970-01-01 01:00:00.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/debian/iptables.override	2020-06-21 21:12:04.000000000 +0200
@@ -0,0 +1,2 @@
+[Unit]
+Conflicts=iptables.service ip6tables.service
diff -Nru iptables-persistent-1.0.11/debian/iptables-persistent.install iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.install
--- iptables-persistent-1.0.11/debian/iptables-persistent.install	2018-10-10 13:08:41.000000000 +0200
+++ iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.install	2020-06-21 21:12:04.000000000 +0200
@@ -1,2 +1,4 @@
-plugins/15-ip4tables    usr/share/netfilter-persistent/plugins.d/
-plugins/25-ip6tables    usr/share/netfilter-persistent/plugins.d/
+#! /usr/bin/dh-exec
+plugins/15-ip4tables        usr/share/netfilter-persistent/plugins.d/
+plugins/25-ip6tables        usr/share/netfilter-persistent/plugins.d/
+debian/iptables.override => etc/systemd/system/netfilter-persistent.service.d/iptables.conf
diff -Nru iptables-persistent-1.0.11/debian/iptables-persistent.postinst iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.postinst
--- iptables-persistent-1.0.11/debian/iptables-persistent.postinst	2018-10-10 13:08:41.000000000 +0200
+++ iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.postinst	2020-06-21 21:12:04.000000000 +0200
@@ -2,6 +2,10 @@
 
 set -e
 
+# Setup alternatives
+update-alternatives --install /lib/systemd/system/iptables.service iptables.service /lib/systemd/system/netfilter-persistent.service 40 \
+    --slave /lib/systemd/system/ip6tables.service ip6tables.service /lib/systemd/system/netfilter-persistent.service
+
 # Source debconf library
 . /usr/share/debconf/confmodule
 
diff -Nru iptables-persistent-1.0.11/debian/iptables-persistent.prerm iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.prerm
--- iptables-persistent-1.0.11/debian/iptables-persistent.prerm	1970-01-01 01:00:00.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.prerm	2020-06-21 21:12:04.000000000 +0200
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+# Setup alternatives
+update-alternatives --remove-all iptables.service
+
+#DEBHELPER#
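Review bot: the comment "# Setup alternatives" was copied from the postinst, but this script removes them; it should read "# Remove alternatives" as in ipset-persistent.prerm. The command has the same problem as there: "--remove-all iptables.service" also drops alternatives registered by other packages, together with the ip6tables.service slave link, and it is not restricted to the remove case.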
diff -Nru iptables-persistent-1.0.11/debian/netfilter-persistent.default iptables-persistent-1.0.14+deb10u1/debian/netfilter-persistent.default
--- iptables-persistent-1.0.11/debian/netfilter-persistent.default	2018-10-10 13:08:41.000000000 +0200
+++ iptables-persistent-1.0.14+deb10u1/debian/netfilter-persistent.default	2020-06-21 21:12:04.000000000 +0200
@@ -2,3 +2,9 @@
 # Plugins may extend this file or have their own
 
 FLUSH_ON_STOP=0
+
+# Set to yes to skip saving rules/sets when netfilter-persistent is called with
+# the save parameter
+# IPTABLES_SKIP_SAVE=yes
+# IP6TABLES_SKIP_SAVE=yes
+# IPSET_SKIP_SAVE=yes
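Review bot: the comment says "Set to yes", but it does not say that the plugins compare against the exact lowercase string "yes", so values such as "YES", "1" or "true" leave saving enabled. FLUSH_ON_STOP in the same file uses 0/1, which invites exactly that mistake. Either document the accepted value explicitly here or accept the 0/1 form as well.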
diff -Nru iptables-persistent-1.0.11/debian/netfilter-persistent.install iptables-persistent-1.0.14+deb10u1/debian/netfilter-persistent.install
--- iptables-persistent-1.0.11/debian/netfilter-persistent.install	2018-10-10 13:08:41.000000000 +0200
+++ iptables-persistent-1.0.14+deb10u1/debian/netfilter-persistent.install	2020-06-21 21:12:04.000000000 +0200
@@ -1,2 +1,2 @@
-usr
 lib
+usr
diff -Nru iptables-persistent-1.0.11/netfilter-persistent iptables-persistent-1.0.14+deb10u1/netfilter-persistent
--- iptables-persistent-1.0.11/netfilter-persistent	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/netfilter-persistent	2020-06-21 21:12:04.000000000 +0200
@@ -2,7 +2,7 @@
 
 # This file is part of netfilter-persistent
 # Copyright (C) 2014 Jonathan Wiltshire
-# 
+#
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation, either version 3
diff -Nru iptables-persistent-1.0.11/plugins/10-ipset iptables-persistent-1.0.14+deb10u1/plugins/10-ipset
--- iptables-persistent-1.0.11/plugins/10-ipset	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/plugins/10-ipset	2020-06-21 21:12:04.000000000 +0200
@@ -17,23 +17,30 @@
 
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+    . /etc/default/netfilter-persistent
+fi
+
 # Create the ipsets and populate them
 load_sets ()
 {
-	#load ipset rules
-	if [ ! -f /etc/iptables/ipsets ]; then
-		echo "Warning: skipping IPv4 (no rules to load)"
-	else
-		ipset restore -exist < /etc/iptables/ipsets
-	fi
+    #load ipset rules
+    if [ ! -f /etc/iptables/ipsets ]; then
+        echo "Warning: skipping IPv4 (no rules to load)"
+    else
+        ipset restore -exist < /etc/iptables/ipsets
+    fi
 }
 
 # Save current contents of the ipsets to file
 save_sets ()
 {
-		touch /etc/iptables/ipsets
-		chmod 0640 /etc/iptables/ipsets
-		ipset save > /etc/iptables/ipsets
+    if [ ! "${IPSET_SKIP_SAVE}x" = "yesx" ]; then
+        touch /etc/iptables/ipsets
+        chmod 0640 /etc/iptables/ipsets
+        ipset save > /etc/iptables/ipsets
+    fi
 }
 
 # flush sets
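Review bot: the re-indented warning in load_sets still reads "skipping IPv4 (no rules to load)", although this plugin restores ipsets from /etc/iptables/ipsets; since the line is being touched anyway, make it name ipsets so the boot log is not misleading. In save_sets, the test [ ! "${IPSET_SKIP_SAVE}x" = "yesx" ] can be written as [ "${IPSET_SKIP_SAVE}" != "yes" ], because the x suffix adds nothing once the expansion is quoted.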
@@ -45,19 +52,19 @@
 
 case "$1" in
 start|restart|reload|force-reload)
-	load_sets
-	;;
+    load_sets
+    ;;
 save)
-	save_sets
-	;;
+    save_sets
+    ;;
 stop)
-        # While it makes sense to stop (delete) ipsets we keep the same
-        # semanthics as ip(6)?tables rules
-	echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
-	;;
+    # While it makes sense to stop (delete) ipsets we keep the same
+    # semanthics as ip(6)?tables rules
+    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+    ;;
 flush)
-	flush_sets
-	;;
+    flush_sets
+    ;;
 *)
     echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
     exit 1
diff -Nru iptables-persistent-1.0.11/plugins/15-ip4tables iptables-persistent-1.0.14+deb10u1/plugins/15-ip4tables
--- iptables-persistent-1.0.11/plugins/15-ip4tables	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/plugins/15-ip4tables	2020-06-21 21:12:04.000000000 +0200
@@ -14,65 +14,63 @@
 
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+    . /etc/default/netfilter-persistent
+fi
+
 load_rules()
 {
-	#load IPv4 rules
-	if [ ! -f /etc/iptables/rules.v4 ]; then
-		echo "Warning: skipping IPv4 (no rules to load)"
-	else
-		iptables-restore < /etc/iptables/rules.v4
-	fi
+    #load IPv4 rules
+    if [ ! -f /etc/iptables/rules.v4 ]; then
+        echo "Warning: skipping IPv4 (no rules to load)"
+    else
+        iptables-restore < /etc/iptables/rules.v4
+    fi
 }
 
 save_rules()
 {
-	#save IPv4 rules
-	#need at least iptable_filter loaded:
-	modprobe -b -q iptable_filter || true
-	if [ ! -f /proc/net/ip_tables_names ]; then
-		echo "Warning: skipping IPv4 (Kernel support is missing)"
-        else
-		touch /etc/iptables/rules.v4
-		chmod 0640 /etc/iptables/rules.v4
-		iptables-save > /etc/iptables/rules.v4
-	fi
+    if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
+        touch /etc/iptables/rules.v4
+        chmod 0640 /etc/iptables/rules.v4
+        iptables-save > /etc/iptables/rules.v4
+    fi
 }
 
 flush_rules()
 {
-	if [ ! -f /proc/net/ip_tables_names ]; then
-		log_action_cont_msg "Warning: skipping IPv4 (Kernel support is missing)"
-        elif [ $(which iptables) ]; then
-		for chain in INPUT FORWARD OUTPUT
-		do
-			iptables -P $chain ACCEPT
-		done
-		for param in F Z X; do iptables -$param; done
-		for table in $(cat /proc/net/ip_tables_names)
-		do
-			iptables -t $table -F
-			iptables -t $table -Z
-			iptables -t $table -X
-		done
-	fi
+    TABLES=$(iptables-save | sed -E -n 's/^\*//p')
+    for table in $TABLES
+    do
+        CHAINS=$(iptables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+        for chain in $CHAINS
+        do
+            # policy can't be set on user-defined chains
+            iptables -t $table -P $chain ACCEPT || true
+        done
+        iptables -t $table -F
+        iptables -t $table -Z
+        iptables -t $table -X
+    done
 }
 
 case "$1" in
 start|restart|reload|force-reload)
-	load_rules
-	;;
+    load_rules
+    ;;
 save)
-	save_rules
-	;;
+    save_rules
+    ;;
 stop)
-	# Why? because if stop is used, the firewall gets flushed for a variable
-	# amount of time during package upgrades, leaving the machine vulnerable
-	# It's also not always desirable to flush during purge
-	echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
-	;;
+    # Why? because if stop is used, the firewall gets flushed for a variable
+    # amount of time during package upgrades, leaving the machine vulnerable
+    # It's also not always desirable to flush during purge
+    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+    ;;
 flush)
-	flush_rules
-	;;
+    flush_rules
+    ;;
 *)
     echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
     exit 1
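Review bot: in flush_rules, the chain expression 's/^:([A-Z]+).*/\1/p' captures only the leading run of capital letters, so a user-defined chain named, say, LOG_DROP is passed to "-P" as LOG, and "|| true" hides the resulting error. iptables-save prints "-" as the policy of user-defined chains, so matching only the lines whose policy field is not "-" would select the built-in chains directly and make "|| true" unnecessary. Separately, save_rules redirects into /etc/iptables/rules.v4 before iptables-save has produced any output, and the kernel-support check that used to precede it is gone, so a failing iptables-save now leaves an empty rules file for the next load_rules to restore. Writing to a temporary file in /etc/iptables and renaming it only on success would avoid that. $table and $chain should also be quoted.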
diff -Nru iptables-persistent-1.0.11/plugins/25-ip6tables iptables-persistent-1.0.14+deb10u1/plugins/25-ip6tables
--- iptables-persistent-1.0.11/plugins/25-ip6tables	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/plugins/25-ip6tables	2020-06-21 21:12:04.000000000 +0200
@@ -19,63 +19,56 @@
 
 load_rules()
 {
-	#load IPv6 rules
-	if [ ! -f /etc/iptables/rules.v6 ]; then
-		echo "Warning: skipping IPv6 (no rules to load)"
-	else
-		ip6tables-restore < /etc/iptables/rules.v6
-	fi
+    #load IPv6 rules
+    if [ ! -f /etc/iptables/rules.v6 ]; then
+        echo "Warning: skipping IPv6 (no rules to load)"
+    else
+        ip6tables-restore < /etc/iptables/rules.v6
+    fi
 }
 
 save_rules()
 {
-	#save IPv6 rules
-	#need at least ip6table_filter loaded:
-	modprobe -b -q ip6table_filter || true
-	if [ ! -f /proc/net/ip6_tables_names ]; then
-		log_action_cont_msg "Warning: skipping IPv6 (Kernel support is missing)"
-	else
-		touch /etc/iptables/rules.v6
-		ip6tables-save > /etc/iptables/rules.v6
-		chmod 0640 /etc/iptables/rules.v6
-	fi
+    if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
+        touch /etc/iptables/rules.v6
+        ip6tables-save > /etc/iptables/rules.v6
+        chmod 0640 /etc/iptables/rules.v6
+    fi
 }
 
 flush_rules()
 {
-	if [ ! -f /proc/net/ip6_tables_names ]; then
-		echo "Warning: skipping IPv6 (Kernel support is missing)"
-        elif [ $(which ip6tables) ]; then
-		for chain in INPUT FORWARD OUTPUT
-		do
-			ip6tables -P $chain ACCEPT
-		done
-		for param in F Z X; do ip6tables -$param; done
-		for table in $(cat /proc/net/ip6_tables_names)
-		do
-			ip6tables -t $table -F
-			ip6tables -t $table -Z
-			ip6tables -t $table -X
-		done
-	fi
+    TABLES=$(ip6tables-save | sed -E -n 's/^\*//p')
+    for table in $TABLES
+    do
+        CHAINS=$(ip6tables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+        for chain in $CHAINS
+        do
+            # policy can't be set on user-defined chains
+            ip6tables -t $table -P $chain ACCEPT || true
+        done
+        ip6tables -t $table -F
+        ip6tables -t $table -Z
+        ip6tables -t $table -X
+    done
 }
 
 case "$1" in
 start|restart|reload|force-reload)
-	load_rules
-	;;
+    load_rules
+    ;;
 save)
-	save_rules
-	;;
+    save_rules
+    ;;
 stop)
-	# Why? because if stop is used, the firewall gets flushed for a variable
-	# amount of time during package upgrades, leaving the machine vulnerable
-	# It's also not always desirable to flush during purge
-	echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
-	;;
+    # Why? because if stop is used, the firewall gets flushed for a variable
+    # amount of time during package upgrades, leaving the machine vulnerable
+    # It's also not always desirable to flush during purge
+    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+    ;;
 flush)
-	flush_rules
-	;;
+    flush_rules
+    ;;
 *)
     echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
     exit 1
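Review bot: save_rules tests IPTABLES_SKIP_SAVE, but debian/netfilter-persistent.default documents a separate IP6TABLES_SKIP_SAVE, so the IPv6 toggle as documented has no effect and the IPv4 toggle skips saving for both families. This hunk also adds no ". /etc/default/netfilter-persistent" block, unlike 15-ip4tables, so please confirm that the unchanged lines above line 19 already read that file. The chmod 0640 still runs after ip6tables-save has written rules.v6, whereas 15-ip4tables sets the mode first; use the same order here so a newly created file never holds rules with umask-default permissions. The chain regex in flush_rules has the same capital-letters-only limitation as in 15-ip4tables.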
diff -Nru iptables-persistent-1.0.11/plugins/40-ipset iptables-persistent-1.0.14+deb10u1/plugins/40-ipset
--- iptables-persistent-1.0.11/plugins/40-ipset	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/plugins/40-ipset	2020-06-21 21:12:04.000000000 +0200
@@ -16,6 +16,11 @@
 
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+    . /etc/default/netfilter-persistent
+fi
+
 # Create the ipsets and populate them
 load_sets ()
 {
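Review bot: this hunk sources /etc/default/netfilter-persistent, but no changed line in the file uses any of its variables; the second hunk only re-indents the case block. save_sets lies in the unchanged lines between the two hunks, so it cannot be checking the new IPSET_SKIP_SAVE. If save_sets here writes /etc/iptables/ipsets, it needs the same guard that 10-ipset gets; if it does not, the sourcing block is unused and can be dropped from this plugin.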
@@ -37,19 +42,19 @@
 
 case "$1" in
 start|restart|reload|force-reload)
-	load_sets
-	;;
+    load_sets
+    ;;
 save)
-	save_sets
-	;;
+    save_sets
+    ;;
 stop)
-        # While it makes sense to stop (delete) ipsets we keep the same
-        # semanthics as ip(6)?tables rules
-	echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
-	;;
+    # While it makes sense to stop (delete) ipsets we keep the same
+    # semanthics as ip(6)?tables rules
+    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+    ;;
 flush)
-	flush_sets
-	;;
+    flush_sets
+    ;;
 *)
     echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
     exit 1
diff -Nru iptables-persistent-1.0.11/systemd/netfilter-persistent.service iptables-persistent-1.0.14+deb10u1/systemd/netfilter-persistent.service
--- iptables-persistent-1.0.11/systemd/netfilter-persistent.service	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/systemd/netfilter-persistent.service	2020-06-21 21:12:04.000000000 +0200
@@ -5,6 +5,7 @@
 Before=network-pre.target shutdown.target
 After=systemd-modules-load.service local-fs.target
 Conflicts=shutdown.target
+Documentation=man:netfilter-persistent(8)
 
 [Service]
 Type=oneshot
