Package: firehol-common
Version: 3.1.6+ds-8
Severity: important

Dear Maintainer,

* What led up to the situation?

I recently upgraded my firewall from stretch to buster. For the first
time, I did an apt-get upgrade before apt-get dist-upgrade; I usually
just do the latter. This broke the system.

* What exactly did you do (or not do) that was effective (or
     ineffective)?

When restarting firehol, it complained that it could not find
iptables-legacy etc. 

* What was the outcome of this action?

Firehol didn't start.

* What outcome did you expect instead?

Firehol should have started after upgrade.

This is my interpretation of the problem and the solution:
iptables-legacy is found by running /usr/lib/firehol/install.config,
where it is now coded. Since my iptables package was still the old
one, because I ran the upgrade with upgrade and not dist-upgrade, no
iptables-legacy was present, just the iptables command.  When that
failed, IPTABLES_CMD was not set, and therefore, nothing could run
firehol and therefore set the iptables rules. 

My initial reaction was to change the IPTABLES_CMD, but that was the
wrong solution; I should have upgraded the iptables package too. When
I did that, things started to work again. I didn't think much about
it, but now I figured this is a problem with the Debian package. If
the Debian package had declared a version dependency to the version
where the iptables-legacy was present, this would not have happened.

Thus, it seems to me like an important bug that can be fixed in Debian
by declaring in which version iptables-legacy first appeared.


-- System Information:
Debian Release: 10.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firehol-common depends on:
ii  iprange       1.0.4+ds-2
ii  iproute2      4.20.0-2
ii  ipset         6.38-1.2
ii  iptables      1.8.2-4
ii  iputils-ping  3:20180629-2
ii  kmod          26-1
ii  lsb-base      10.2019051400
ii  nfacct        1.0.2-2
ii  procps        2:3.3.15-2
ii  tcpdump       4.9.3-1~deb10u1
ii  traceroute    1:2.1.0-2

Versions of packages firehol-common recommends:
ii  firehol  3.1.6+ds-8
ii  fireqos  3.1.6+ds-8
ii  less     487-0.1+b1

firehol-common suggests no packages.

-- no debconf information
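
Added example, not part of the original report or of the firehol package: a preflight check for the partial-upgrade state described above, where `iptables` is installed but `iptables-legacy` is not, so the gap is caught before the firewall is restarted. The helper names `missing_cmds` and `demo_partial_upgrade` and the stub directory are constructed for illustration; only `iptables-legacy` is named in the report.

```shell
#!/bin/sh
# Preflight for a firewall restart: list required commands that are absent.
# Assumption: the caller supplies the list of required commands; the report
# above names only iptables-legacy.

# missing_cmds SEARCH_PATH CMD...
# Prints every CMD that is not an executable file in any directory of the
# colon-separated SEARCH_PATH. Returns 0 if none are missing, 1 otherwise.
missing_cmds() {
    search_path=$1; shift
    rc=0
    for cmd in "$@"; do
        found=no
        old_ifs=$IFS; IFS=:
        for dir in $search_path; do
            if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
                found=yes
                break
            fi
        done
        IFS=$old_ifs
        if [ "$found" = no ]; then
            echo "$cmd"
            rc=1
        fi
    done
    return $rc
}

# Constructed reproduction of the partial upgrade: a directory holding a stub
# "iptables" but no "iptables-legacy". Prints the commands found missing.
demo_partial_upgrade() {
    tmp=$(mktemp -d) || return 2
    printf '#!/bin/sh\n' > "$tmp/iptables"
    chmod +x "$tmp/iptables"
    missing=$(missing_cmds "$tmp" iptables iptables-legacy) || true
    rm -rf "$tmp"
    echo "$missing"
}

# On a real host, run the check against the system directories before
# restarting the firewall and stop if it fails, for example:
#   missing_cmds "/usr/sbin:/sbin:$PATH" iptables-legacy || exit 1
echo "constructed partial-upgrade state is missing: $(demo_partial_upgrade)"
```
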