
Bug#963340: buster-pu: package iptables-persistent/1.0.14



On Thu, Jul 02, 2020 at 12:20:20PM +0200, gustavo panizzo wrote:

Would you accept an upload fixing #961589 [2], #963012 [3], changing
the flush mechanism [4] and allowing granular configuration of the save
action [5]?

here is the debdiff for those changes


A quick test shows that it works fine; I'll test it more and report back
in a few days.

cheers

--
IRC: gfa
GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5
OLD GPG: 0x44BB1BA79F6C6333
diff -Nru iptables-persistent-1.0.11/debian/changelog iptables-persistent-1.0.11+deb10u1/debian/changelog
--- iptables-persistent-1.0.11/debian/changelog	2019-02-09 05:36:39.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/debian/changelog	2020-07-02 16:26:05.000000000 +0200
@@ -1,3 +1,16 @@
+iptables-persistent (1.0.11+deb10u1) buster; urgency=medium
+
+  * [cdc4a5] Do not load modules.
+    Thanks to Thorsten Glaser <tg@mirbsd.de>
+    (Closes: #963012)
+  * [cdc4a5] Do not call log_action_cont_msg()
+    Thanks to Synthea <genomian@firemail.cc>
+    (Closes: #961589)
+  * [b6e6f9] Backport the logic to flush rules from 1.0.14
+  * [60a86f] Allow granular configuration for the save action
+
+ -- gustavo panizzo <gfa@zumbi.com.ar>  Thu, 02 Jul 2020 14:26:05 +0000
+
 iptables-persistent (1.0.11) unstable; urgency=medium
 
   * [e491d7] Make iptables-persistent to Pre-Depends on iptables.
diff -Nru iptables-persistent-1.0.11/debian/netfilter-persistent.default iptables-persistent-1.0.11+deb10u1/debian/netfilter-persistent.default
--- iptables-persistent-1.0.11/debian/netfilter-persistent.default	2018-10-10 13:08:41.000000000 +0200
+++ iptables-persistent-1.0.11+deb10u1/debian/netfilter-persistent.default	2020-07-02 16:26:05.000000000 +0200
@@ -2,3 +2,9 @@
 # Plugins may extend this file or have their own
 
 FLUSH_ON_STOP=0
+
+# Set to yes to skip saving rules/sets when netfilter-persistent is called with
+# the save parameter
+# IPTABLES_SKIP_SAVE=yes
+# IP6TABLES_SKIP_SAVE=yes
+# IPSET_SKIP_SAVE=yes
diff -Nru iptables-persistent-1.0.11/plugins/10-ipset iptables-persistent-1.0.11+deb10u1/plugins/10-ipset
--- iptables-persistent-1.0.11/plugins/10-ipset	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/plugins/10-ipset	2020-07-02 16:26:05.000000000 +0200
@@ -17,6 +17,11 @@
 
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+    . /etc/default/netfilter-persistent
+fi
+
 # Create the ipsets and populate them
 load_sets ()
 {
@@ -31,9 +36,11 @@
 # Save current contents of the ipsets to file
 save_sets ()
 {
-		touch /etc/iptables/ipsets
-		chmod 0640 /etc/iptables/ipsets
-		ipset save > /etc/iptables/ipsets
+    if [ ! "${IPSET_SKIP_SAVE}x" = "yesx" ]; then
+	touch /etc/iptables/ipsets
+	chmod 0640 /etc/iptables/ipsets
+	ipset save > /etc/iptables/ipsets
+    fi
 }
 
 # flush sets
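Review bot: The skip test on the first added line of save_sets is an exact, case-sensitive comparison, so `IPSET_SKIP_SAVE=Yes` or `YES` in /etc/default/netfilter-persistent will not skip the save even though that file only says "Set to yes". With both operands quoted the trailing `x` guard adds nothing; `if [ "${IPSET_SKIP_SAVE}" != "yes" ]; then` reads more clearly, or `case "${IPSET_SKIP_SAVE}" in [Yy][Ee][Ss]) ;; *) … ;; esac` if case-insensitive values are intended. Whichever form is chosen, the matching tests in 15-ip4tables and 25-ip6tables should use the same one so the three plugins behave alike.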
diff -Nru iptables-persistent-1.0.11/plugins/15-ip4tables iptables-persistent-1.0.11+deb10u1/plugins/15-ip4tables
--- iptables-persistent-1.0.11/plugins/15-ip4tables	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/plugins/15-ip4tables	2020-07-02 16:26:05.000000000 +0200
@@ -14,6 +14,11 @@
 
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+    . /etc/default/netfilter-persistent
+fi
+
 load_rules()
 {
 	#load IPv4 rules
@@ -26,35 +31,29 @@
 
 save_rules()
 {
+    if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
 	#save IPv4 rules
-	#need at least iptable_filter loaded:
-	modprobe -b -q iptable_filter || true
-	if [ ! -f /proc/net/ip_tables_names ]; then
-		echo "Warning: skipping IPv4 (Kernel support is missing)"
-        else
-		touch /etc/iptables/rules.v4
-		chmod 0640 /etc/iptables/rules.v4
-		iptables-save > /etc/iptables/rules.v4
-	fi
+	touch /etc/iptables/rules.v4
+	chmod 0640 /etc/iptables/rules.v4
+	iptables-save > /etc/iptables/rules.v4
+    fi
 }
 
 flush_rules()
 {
-	if [ ! -f /proc/net/ip_tables_names ]; then
-		log_action_cont_msg "Warning: skipping IPv4 (Kernel support is missing)"
-        elif [ $(which iptables) ]; then
-		for chain in INPUT FORWARD OUTPUT
-		do
-			iptables -P $chain ACCEPT
-		done
-		for param in F Z X; do iptables -$param; done
-		for table in $(cat /proc/net/ip_tables_names)
-		do
-			iptables -t $table -F
-			iptables -t $table -Z
-			iptables -t $table -X
-		done
-	fi
+    TABLES=$(iptables-save | sed -E -n 's/^\*//p')
+    for table in $TABLES
+    do
+        CHAINS=$(iptables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+        for chain in $CHAINS
+        do
+            # policy can't be set on user-defined chains
+            iptables -t $table -P $chain ACCEPT || true
+        done
+        iptables -t $table -F
+        iptables -t $table -Z
+        iptables -t $table -X
+    done
 }
 
 case "$1" in
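Review bot: With the kernel-support guard removed, `iptables-save > /etc/iptables/rules.v4` on the new side of save_rules truncates the saved ruleset before iptables-save runs, so any failure of that command (the missing-module case the removed check used to catch, or a backend error) leaves an empty rules.v4 that the next boot will load as "no firewall". The save should go through a temporary file in the same directory and only replace rules.v4 when iptables-save exited 0, with the 0640 mode applied before the rename so the contents are never readable with the process umask; returning non-zero on failure lets the caller report it, though how the `case "$1"` dispatch below this hunk treats the status should be checked. The flush_rules rewrite looks sound; note only that `[A-Z]+` in the chain regex stops at the first non-uppercase character, which is harmless here because -P only applies to the built-in chains and its failure is already ignored.
```shell
    if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
	#save IPv4 rules: write to a temp file and only replace the live
	#ruleset once iptables-save has succeeded, so a failed save can
	#never leave an empty rules.v4 behind
	tmp=$(mktemp /etc/iptables/rules.v4.XXXXXX) || return 1
	if iptables-save > "$tmp"; then
		chmod 0640 "$tmp"
		mv -f "$tmp" /etc/iptables/rules.v4
	else
		rm -f "$tmp"
		return 1
	fi
    # … unchanged: fi, closing brace, flush_rules …
```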
diff -Nru iptables-persistent-1.0.11/plugins/25-ip6tables iptables-persistent-1.0.11+deb10u1/plugins/25-ip6tables
--- iptables-persistent-1.0.11/plugins/25-ip6tables	2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/plugins/25-ip6tables	2020-07-02 16:26:05.000000000 +0200
@@ -14,6 +14,11 @@
 
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+    . /etc/default/netfilter-persistent
+fi
+
 # Exit fast if IPv6 is disabled
 test -e /proc/sys/net/ipv6 || exit 0
 
@@ -29,35 +34,29 @@
 
 save_rules()
 {
+    if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
 	#save IPv6 rules
-	#need at least ip6table_filter loaded:
-	modprobe -b -q ip6table_filter || true
-	if [ ! -f /proc/net/ip6_tables_names ]; then
-		log_action_cont_msg "Warning: skipping IPv6 (Kernel support is missing)"
-	else
-		touch /etc/iptables/rules.v6
-		ip6tables-save > /etc/iptables/rules.v6
-		chmod 0640 /etc/iptables/rules.v6
-	fi
+	touch /etc/iptables/rules.v6
+	ip6tables-save > /etc/iptables/rules.v6
+	chmod 0640 /etc/iptables/rules.v6
+    fi
 }
 
 flush_rules()
 {
-	if [ ! -f /proc/net/ip6_tables_names ]; then
-		echo "Warning: skipping IPv6 (Kernel support is missing)"
-        elif [ $(which ip6tables) ]; then
-		for chain in INPUT FORWARD OUTPUT
-		do
-			ip6tables -P $chain ACCEPT
-		done
-		for param in F Z X; do ip6tables -$param; done
-		for table in $(cat /proc/net/ip6_tables_names)
-		do
-			ip6tables -t $table -F
-			ip6tables -t $table -Z
-			ip6tables -t $table -X
-		done
-	fi
+    TABLES=$(ip6tables-save | sed -E -n 's/^\*//p')
+    for table in $TABLES
+    do
+        CHAINS=$(ip6tables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+        for chain in $CHAINS
+        do
+            # policy can't be set on user-defined chains
+            ip6tables -t $table -P $chain ACCEPT || true
+        done
+        ip6tables -t $table -F
+        ip6tables -t $table -Z
+        ip6tables -t $table -X
+    done
 }
 
 case "$1" in
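Review bot: The skip test on the first added line of save_rules reads `IPTABLES_SKIP_SAVE`, but the new /etc/default/netfilter-persistent documents `IP6TABLES_SKIP_SAVE` for this plugin, so setting the documented variable has no effect and `IPTABLES_SKIP_SAVE=yes` silently disables the IPv6 save along with the IPv4 one. The line should be `if [ ! "${IP6TABLES_SKIP_SAVE}x" = "yesx" ]; then`. Separately, the touch/save/chmod order carried over from the old code applies 0640 only after ip6tables-save has written the file, so a freshly created rules.v6 is briefly readable with the process umask; moving `chmod 0640 /etc/iptables/rules.v6` before the save, as 15-ip4tables does, closes that window. As in the IPv4 plugin, the redirection truncates rules.v6 before ip6tables-save runs, so a failed save leaves an empty ruleset for the next boot and the same write-to-temp-then-rename treatment applies.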
