Package: iptables-persistent
Version: 0.5.2
Severity: wishlist

Hello,

While trying out iptables-persistent, I ran into the following
problem: I got a "skipping IPv4 (no module loaded)" message at startup
(same for IPv6), whereas putting "up /sbin/iptables-restore <
/etc/iptables/rules.v4" in my /etc/network/interfaces loads my iptables
rules at startup without any error.

The init script (load_rules) checks if /proc/net/ip_tables_names is 
present before loading the rules, meaning that tables modules must be 
loaded first. It seems that with current iptables and kernels shipped 
with Debian, it is not necessary. If I comment the part with the 
/proc/net/ip_tables_names test, my rules are loaded at startup.

man iptables states:
"-t, --table table
This  option  specifies the packet matching table which the command 
should operate on. If the kernel is configured with automatic module 
loading, an attempt will be made to load the appropriate module for
that table if it is not already there."

And kernels in Wheezy seem to load the appropriate modules automatically.

I understand that iptables-persistent should take into account other 
kernels than the official Debian ones, but I still wonder if the test is 
really necessary. If modules cannot be loaded automatically and if 
/proc/net/ip_tables_names does not exist, iptables-restore will just 
fail and the result will be the same (no rules loaded).

Moreover, the initscript checks whether the table modules are loaded, not
whether the other specific modules required by the rules in
/etc/iptables/rules.v4 can be loaded (but the risk is limited here if
rules.v4 is created with the debconf script or by
/etc/init.d/iptables-persistent save_rules).

There might be good reasons for doing it that way; in such a case, please
disregard this bug report (and close it).

Best regards

Pascal Dormeau

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (90, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iptables-persistent depends on:
ii  debconf [debconf-2.0]         1.5.40     Debian configuration management sy
ii  iptables                      1.4.12-1   administration tools for packet fi
ii  lsb-base                      3.2-27     Linux Standard Base 3.2 init scrip

iptables-persistent recommends no packages.

iptables-persistent suggests no packages.

-- Configuration Files:
/etc/init.d/iptables-persistent changed:
.. /lib/lsb/init-functions
rc=0
load_rules()
{
        log_action_begin_msg "Loading iptables rules"
        #load IPv4 rules
        if [ -f /etc/iptables/rules.v4 ]; then
                log_action_cont_msg " IPv4"
                iptables-restore < /etc/iptables/rules.v4 2> /dev/null
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
        #load IPv6 rules
        if [ -f /etc/iptables/rules.v6 ]; then
                log_action_cont_msg " IPv6"
                ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
        log_action_end_msg $rc
}
save_rules()
{
        log_action_begin_msg "Saving rules"
        #save IPv4 rules
        if [ ! -f /proc/net/ip_tables_names ]; then
                log_action_cont_msg " skipping IPv4 (no module loaded)"
        elif [ -x /sbin/iptables-save ]; then
                log_action_cont_msg " IPv4"
                iptables-save > /etc/iptables/rules.v4
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
        #save IPv6 rules
        if [ ! -f /proc/net/ip6_tables_names ]; then
                log_action_cont_msg " skipping IPv6 (no module loaded)"
        elif [ -x /sbin/ip6tables-save ]; then
                log_action_cont_msg " IPv6"
                ip6tables-save > /etc/iptables/rules.v6
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
        log_action_end_msg $rc
}
flush_rules()
{
        log_action_begin_msg "Flushing rules"
        if [ ! -f /proc/net/ip_tables_names ]; then
                log_action_cont_msg " skipping IPv4 (no module loaded)"
        elif [ -x /sbin/iptables ]; then
                log_action_cont_msg " IPv4"
                for param in F Z X; do /sbin/iptables -$param; done
                for table in $(</proc/net/ip_tables_names)
                do
                        /sbin/iptables -t $table -F
                        /sbin/iptables -t $table -Z
                        /sbin/iptables -t $table -X
                done
                for chain in INPUT FORWARD OUTPUT
                do
                        /sbin/iptables -P $chain ACCEPT
                done
        fi
        
        if [ ! -f /proc/net/ip6_tables_names ]; then
                log_action_cont_msg " skipping IPv6 (no module loaded)"
        elif [ -x /sbin/ip6tables ]; then
                log_action_cont_msg " IPv6"
                for param in F Z X; do /sbin/ip6tables -$param; done
                for table in $(</proc/net/ip6_tables_names)
                do
                        /sbin/ip6tables -t $table -F
                        /sbin/ip6tables -t $table -Z
                        /sbin/ip6tables -t $table -X
                done
                for chain in INPUT FORWARD OUTPUT
                do
                        /sbin/ip6tables -P $chain ACCEPT
                done
        fi
        log_action_end_msg 0
}
case "$1" in
start|restart|reload|force-reload)
        load_rules
        ;;
save)
        save_rules
        ;;
stop)
        # Why? because if stop is used, the firewall gets flushed for a variable
        # amount of time during package upgrades, leaving the machine vulnerable
        # It's also not always desirable to flush during purge
        echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
        ;;
flush)
        flush_rules
        ;;
*)
    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
    exit 1
    ;;
esac
exit $rc
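The report argues that the /proc/net/ip_tables_names pre-check is redundant because iptables-restore fails on its own when a table cannot be loaded, and the script above then discards that failure's stderr. The following is an added example, not the iptables-persistent init script: it relies on the restore tool's exit status, keeps its error message for the boot log, and checks afterwards that the tables named in the ruleset actually exist. The restore command and the proc file path are parameters (an assumption made so the functions can be exercised without root or a real netfilter stack); the /proc/net/ip_tables_names format (one table name per line) and the `*table` header lines of iptables-save output are as in the report.

```shell
#!/bin/sh
# Added example, not part of the iptables-persistent package.
# Assumption: RESTORE_CMD behaves like iptables-restore (reads a ruleset on
# stdin, exit status 0 on success, diagnostics on stderr) and PROC_FILE has
# the layout of /proc/net/ip_tables_names.

# load_rules_file RULES_FILE RESTORE_CMD
#   Returns 0 when the rules were loaded or there is nothing to load,
#   2 when the rules file exists but is unreadable, and 1 when the restore
#   command failed; its stderr is kept in LOAD_ERR instead of being dropped,
#   so "module could not be loaded" and syntax errors reach the log.
load_rules_file() {
    rules="$1"
    restore="$2"
    LOAD_ERR=""
    [ -e "$rules" ] || return 0
    [ -r "$rules" ] || { LOAD_ERR="cannot read $rules"; return 2; }
    # 2>&1 >/dev/null: capture stderr, discard stdout (order matters).
    LOAD_ERR=$("$restore" < "$rules" 2>&1 >/dev/null) && return 0
    return 1
}

# tables_in_ruleset RULES_FILE
#   Prints the table names declared by '*name' lines in an iptables-save
#   file (one per line, sorted), so a post-load check knows what to expect.
tables_in_ruleset() {
    sed -n 's/^\*\([a-z]*\).*/\1/p' "$1" | sort -u
}

# tables_loaded PROC_FILE TABLE...
#   Returns 0 only if every named table is listed in PROC_FILE (normally
#   /proc/net/ip_tables_names); 1 if one is missing or the file is absent.
tables_loaded() {
    proc="$1"
    shift
    [ -f "$proc" ] || return 1
    for t in "$@"; do
        grep -qxF "$t" "$proc" || return 1
    done
    return 0
}

# load_and_verify RULES_FILE RESTORE_CMD PROC_FILE
#   Combines the two: load, then confirm the kernel really has the tables.
#   Returns the load status, or 3 if the load "succeeded" but a table
#   declared in the ruleset is not present afterwards.
load_and_verify() {
    load_rules_file "$1" "$2" || return $?
    [ -e "$1" ] || return 0
    # shellcheck disable=SC2046 -- table names contain no whitespace
    tables_loaded "$3" $(tables_in_ruleset "$1") || return 3
    return 0
}
```

On a real system the call would be `load_and_verify /etc/iptables/rules.v4 /sbin/iptables-restore /proc/net/ip_tables_names`, with `$LOAD_ERR` written via `log_action_cont_msg` when the status is non-zero; the point is that a missing module is reported as a failed load with a reason, rather than silently skipped or hidden by `2> /dev/null`.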


-- debconf information:
* iptables-persistent/autosave_v6: true
* iptables-persistent/autosave_v4: true


