Bug#963340: buster-pu: package iptables-persistent/1.0.14
On Thu, Jul 02, 2020 at 12:20:20PM +0200, gustavo panizzo wrote:
Would you accept an upload fixing #961589 [2], #963012 [3], changing
the flush mechanism [4] and allowing granular configuration of the save
action [5]?
here is the debdiff for those changes
Quick test shows that works fine, I'll test it more and report back
in a few days
cheers
--
IRC: gfa
GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5
OLD GPG: 0x44BB1BA79F6C6333
diff -Nru iptables-persistent-1.0.11/debian/changelog iptables-persistent-1.0.11+deb10u1/debian/changelog
--- iptables-persistent-1.0.11/debian/changelog 2019-02-09 05:36:39.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/debian/changelog 2020-07-02 16:26:05.000000000 +0200
@@ -1,3 +1,16 @@
+iptables-persistent (1.0.11+deb10u1) buster; urgency=medium
+
+ * [cdc4a5] Do not load modules.
+ Thanks to Thorsten Glaser <tg@mirbsd.de>
+ (Closes: #963012)
+ * [cdc4a5] Do not call log_action_cont_msg()
+ Thanks to Synthea <genomian@firemail.cc>
+ (Closes: #961589)
+ * [b6e6f9] Backport the logic to flush rules from 1.0.14
+ * [60a86f] Allow granular configuration for the save action
+
+ -- gustavo panizzo <gfa@zumbi.com.ar> Thu, 02 Jul 2020 14:26:05 +0000
+
iptables-persistent (1.0.11) unstable; urgency=medium
* [e491d7] Make iptables-persistent to Pre-Depends on iptables.
diff -Nru iptables-persistent-1.0.11/debian/netfilter-persistent.default iptables-persistent-1.0.11+deb10u1/debian/netfilter-persistent.default
--- iptables-persistent-1.0.11/debian/netfilter-persistent.default 2018-10-10 13:08:41.000000000 +0200
+++ iptables-persistent-1.0.11+deb10u1/debian/netfilter-persistent.default 2020-07-02 16:26:05.000000000 +0200
@@ -2,3 +2,9 @@
# Plugins may extend this file or have their own
FLUSH_ON_STOP=0
+
+# Set to yes to skip saving rules/sets when netfilter-persistent is called with
+# the save parameter
+# IPTABLES_SKIP_SAVE=yes
+# IP6TABLES_SKIP_SAVE=yes
+# IPSET_SKIP_SAVE=yes
diff -Nru iptables-persistent-1.0.11/plugins/10-ipset iptables-persistent-1.0.11+deb10u1/plugins/10-ipset
--- iptables-persistent-1.0.11/plugins/10-ipset 2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/plugins/10-ipset 2020-07-02 16:26:05.000000000 +0200
@@ -17,6 +17,11 @@
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+ . /etc/default/netfilter-persistent
+fi
+
# Create the ipsets and populate them
load_sets ()
{
@@ -31,9 +36,11 @@
# Save current contents of the ipsets to file
save_sets ()
{
- touch /etc/iptables/ipsets
- chmod 0640 /etc/iptables/ipsets
- ipset save > /etc/iptables/ipsets
+ if [ ! "${IPSET_SKIP_SAVE}x" = "yesx" ]; then
+ touch /etc/iptables/ipsets
+ chmod 0640 /etc/iptables/ipsets
+ ipset save > /etc/iptables/ipsets
+ fi
}
# flush sets
diff -Nru iptables-persistent-1.0.11/plugins/15-ip4tables iptables-persistent-1.0.11+deb10u1/plugins/15-ip4tables
--- iptables-persistent-1.0.11/plugins/15-ip4tables 2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/plugins/15-ip4tables 2020-07-02 16:26:05.000000000 +0200
@@ -14,6 +14,11 @@
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+ . /etc/default/netfilter-persistent
+fi
+
load_rules()
{
#load IPv4 rules
@@ -26,35 +31,29 @@
save_rules()
{
+ if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
#save IPv4 rules
- #need at least iptable_filter loaded:
- modprobe -b -q iptable_filter || true
- if [ ! -f /proc/net/ip_tables_names ]; then
- echo "Warning: skipping IPv4 (Kernel support is missing)"
- else
- touch /etc/iptables/rules.v4
- chmod 0640 /etc/iptables/rules.v4
- iptables-save > /etc/iptables/rules.v4
- fi
+ touch /etc/iptables/rules.v4
+ chmod 0640 /etc/iptables/rules.v4
+ iptables-save > /etc/iptables/rules.v4
+ fi
}
flush_rules()
{
- if [ ! -f /proc/net/ip_tables_names ]; then
- log_action_cont_msg "Warning: skipping IPv4 (Kernel support is missing)"
- elif [ $(which iptables) ]; then
- for chain in INPUT FORWARD OUTPUT
- do
- iptables -P $chain ACCEPT
- done
- for param in F Z X; do iptables -$param; done
- for table in $(cat /proc/net/ip_tables_names)
- do
- iptables -t $table -F
- iptables -t $table -Z
- iptables -t $table -X
- done
- fi
+ TABLES=$(iptables-save | sed -E -n 's/^\*//p')
+ for table in $TABLES
+ do
+ CHAINS=$(iptables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+ for chain in $CHAINS
+ do
+ # policy can't be set on user-defined chains
+ iptables -t $table -P $chain ACCEPT || true
+ done
+ iptables -t $table -F
+ iptables -t $table -Z
+ iptables -t $table -X
+ done
}
case "$1" in
diff -Nru iptables-persistent-1.0.11/plugins/25-ip6tables iptables-persistent-1.0.11+deb10u1/plugins/25-ip6tables
--- iptables-persistent-1.0.11/plugins/25-ip6tables 2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/plugins/25-ip6tables 2020-07-02 16:26:05.000000000 +0200
@@ -14,6 +14,11 @@
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+ . /etc/default/netfilter-persistent
+fi
+
# Exit fast if IPv6 is disabled
test -e /proc/sys/net/ipv6 || exit 0
@@ -29,35 +34,29 @@
save_rules()
{
+ if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
#save IPv6 rules
- #need at least ip6table_filter loaded:
- modprobe -b -q ip6table_filter || true
- if [ ! -f /proc/net/ip6_tables_names ]; then
- log_action_cont_msg "Warning: skipping IPv6 (Kernel support is missing)"
- else
- touch /etc/iptables/rules.v6
- ip6tables-save > /etc/iptables/rules.v6
- chmod 0640 /etc/iptables/rules.v6
- fi
+ touch /etc/iptables/rules.v6
+ ip6tables-save > /etc/iptables/rules.v6
+ chmod 0640 /etc/iptables/rules.v6
+ fi
}
flush_rules()
{
- if [ ! -f /proc/net/ip6_tables_names ]; then
- echo "Warning: skipping IPv6 (Kernel support is missing)"
- elif [ $(which ip6tables) ]; then
- for chain in INPUT FORWARD OUTPUT
- do
- ip6tables -P $chain ACCEPT
- done
- for param in F Z X; do ip6tables -$param; done
- for table in $(cat /proc/net/ip6_tables_names)
- do
- ip6tables -t $table -F
- ip6tables -t $table -Z
- ip6tables -t $table -X
- done
- fi
+ TABLES=$(ip6tables-save | sed -E -n 's/^\*//p')
+ for table in $TABLES
+ do
+ CHAINS=$(ip6tables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+ for chain in $CHAINS
+ do
+ # policy can't be set on user-defined chains
+ ip6tables -t $table -P $chain ACCEPT || true
+ done
+ ip6tables -t $table -F
+ ip6tables -t $table -Z
+ ip6tables -t $table -X
+ done
}
case "$1" in
Reply to: