
Bug#963340: buster-pu: package iptables-persistent/1.0.14



Hi

On Tue, Jun 30, 2020 at 05:22:50PM +0100, Adam D. Barratt wrote:
Control: tags -1 + moreinfo

On Sun, 2020-06-21 at 22:19 +0200, gustavo panizzo wrote:
I'd like to fix the bugs #961589 and #963012 in Buster uploading

That sounds like it would probably be OK, however:

iptables-persistent 1.0.14 which is already in testing and backports.

I'm not sold on this as a solution currently.

The updated package has been part of backports since Oct 2019 without
report of problems, I personally use it on all systems I administer
without problems.

Unfortunately, while useful input as to the stability of the changes,
none of that directly makes it suitable for a stable update.

Besides fixing these 2 bugs this version changes the way iptables
rules are flushed (to be better IMHO), allows toggling the rule saving
for individual components (iptables, ip6tables and ipset) without
changing the defaults and sets up the iptables, ip6tables and ipset
services in systemd using alternatives (See #926927)

What actual issues are these fixing for users of the current package in
stable? "Better" isn't very descriptive. :)


There are no reported bugs against the old mechanism used to flush rules

However the old mechanism only sets the policy (to ACCEPT) in the INPUT, OUTPUT and
FORWARD chains in the filter (default) table [1].
Policies on other tables are left intact, but rules are flushed.

The result of this is that the flush mechanism doesn't flush all rules when
iptables-nft is in use and potentially locks down the machine when iptables-legacy is in use

(tests executed on clean, disposable machines)

iptables-persistent 1.0.11, iptables-nft
```
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables --version
iptables v1.8.2 (nf_tables)
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables -t raw -A OUTPUT -j ACCEPT
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables -t raw -P OUTPUT DROP
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# netfilter-persistent flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables flush
Warning: skipping IPv6 (Kernel support is missing)

root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables -t raw -vL -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
  37  4588 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

iptables-persistent 1.0.11, iptables-legacy
```
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables --version
iptables v1.8.2 (legacy)
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables -t raw -A OUTPUT -j ACCEPT
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables -t raw -P OUTPUT DROP
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# netfilter-persistent flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables flush
Timeout, server localhost not responding.
```

iptables-persistent 1.0.14, iptables-nft
```
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables --version
iptables v1.8.2 (nf_tables)
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -A OUTPUT -j ACCEPT
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -P OUTPUT DROP
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# netfilter-persistent flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables flush

root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -vL -n
Chain PREROUTING (policy ACCEPT 16 packets, 964 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9 packets, 1012 bytes)
pkts bytes target     prot opt in     out     source               destination
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~#
```

iptables-persistent 1.0.14, iptables-legacy
```
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables --version
iptables v1.8.2 (legacy)
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -A OUTPUT -j ACCEPT
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -P OUTPUT DROP
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# netfilter-persistent flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables flush
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -vL -n
Chain PREROUTING (policy ACCEPT 18 packets, 1064 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 1168 bytes)
pkts bytes target     prot opt in     out     source               destination
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~#
```

From looking over the diff:

1) the whitespace unification makes it quite hard to find some of the
real changes


ACK

2) debhelper compat changes and the dh-exec migration aren't really
"minimal changes required to resolve the issue", and generally wouldn't
be appropriate for a change in stable

ACK

3) Does this hunk:

--- iptables-persistent-1.0.11/debian/ipset-persistent.prerm    1970-01-01 01:00:00.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.prerm    2020-06-21 21:12:04.000000000 +0200
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+# Remove alternatives
+update-alternatives --remove-all ipset.service
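Review bot: `update-alternatives --remove-all ipset.service` in this prerm deletes every alternative registered under the name `ipset.service`, including one an administrator set up locally, rather than only the one this package installed. The conventional prerm form is `update-alternatives --remove ipset.service <path>` with the exact path the package's postinst registered (that path is not visible in the quoted hunk), run only for the `remove` and `deconfigure` cases of `$1`, so a package removal cannot undo someone else's alternative.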

Do exactly what it suggests and remove any alternative using that name,
whether or not it was installed by this package? Again, how does this
benefit users of the package in stable, given that nothing else is
providing or using the alternatives?


It does not benefit them (I don't think it harms them either unless they
have a local alternative setup; then I got your point)

As a side note:

+  * Rebuild for buster-updates.

Even if this gets to proposed-updates, and subsequently buster, buster-
updates is an additional suite that this request definitely does need
to meet the requirements for.


ACK



Would you accept an upload fixing #961589 [2], #963012 [3], changing
the flush mechanism [4] and allowing granular configuration of the save
action [5]?

thanks!

Regards,

Adam






[1] - https://salsa.debian.org/debian/iptables-persistent/-/blob/debian/1.0.11/plugins/15-ip4tables#L46
[2] - https://salsa.debian.org/debian/iptables-persistent/-/commit/401a9f1e003a6077805eec1902f9dd394ffebd34
[3] - calls to log_action_cont_msg() were removed in the same commit as above
[4] - https://salsa.debian.org/debian/iptables-persistent/-/commit/9339383b737cbba3c030c90d4ab796c20141b44c
[5] - https://salsa.debian.org/debian/iptables-persistent/-/commit/d5726cd710514185f09d698f458cff773ea8e32a

--
IRC: gfa
GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5
OLD GPG: 0x44BB1BA79F6C6333

