Package: iptables-persistent
Version: 0.5.2
Severity: wishlist
Hello,
While trying out iptables-persistent, I ran into the following
problem: I got a "skipping IPv4 (no module loaded)" message at startup
(same for IPv6), whereas putting "up /sbin/iptables-restore <
/etc/iptables/rules.v4" in my /etc/network/interfaces loads my iptables
rules at startup without any error.
The init script (load_rules) checks whether /proc/net/ip_tables_names is
present before loading the rules, meaning that the table modules must be
loaded first. It seems that with the current iptables and kernels shipped
with Debian, this is not necessary. If I comment out the part with the
/proc/net/ip_tables_names test, my rules are loaded at startup.
man iptables states:
"-t, --table table
This option specifies the packet matching table which the command
should operate on. If the kernel is configured with automatic module
loading, an attempt will be made to load the appropriate module for
that table if it is not already there."
And the kernels in Wheezy seem to automatically load the appropriate modules.
I understand that iptables-persistent should take into account kernels
other than the official Debian ones, but I still wonder whether the test is
really necessary. If modules cannot be loaded automatically and
/proc/net/ip_tables_names does not exist, iptables-restore will just
fail and the result will be the same (no rules loaded).
Moreover, the init script checks whether the table modules are loaded, not
whether the other specific modules required by the rules in
/etc/iptables/rules.v4 can be loaded (but the risk is limited here if
rules.v4 is created with the debconf script or by
/etc/init.d/iptables-persistent save_rules).
There might be good reasons for doing it that way; in such a case, please
disregard this bug report (and close it).
Best regards
Pascal Dormeau
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (90, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iptables-persistent depends on:
ii debconf [debconf-2.0] 1.5.40 Debian configuration management sy
ii iptables 1.4.12-1 administration tools for packet fi
ii lsb-base 3.2-27 Linux Standard Base 3.2 init scrip
iptables-persistent recommends no packages.
iptables-persistent suggests no packages.
-- Configuration Files:
/etc/init.d/iptables-persistent changed:
#!/bin/sh
. /lib/lsb/init-functions

rc=0

load_rules()
{
    log_action_begin_msg "Loading iptables rules"
    # load IPv4 rules
    # (the /proc/net/ip_tables_names test of the shipped script is dropped
    # here: iptables-restore fails by itself if the table module cannot be
    # loaded, and rc picks that failure up)
    if [ -f /etc/iptables/rules.v4 ]; then
        log_action_cont_msg " IPv4"
        iptables-restore < /etc/iptables/rules.v4 2> /dev/null
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi
    # load IPv6 rules
    if [ -f /etc/iptables/rules.v6 ]; then
        log_action_cont_msg " IPv6"
        ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi
    log_action_end_msg $rc
}

save_rules()
{
    log_action_begin_msg "Saving rules"
    # save IPv4 rules (nothing to save if no table module is loaded)
    if [ ! -f /proc/net/ip_tables_names ]; then
        log_action_cont_msg " skipping IPv4 (no module loaded)"
    elif [ -x /sbin/iptables-save ]; then
        log_action_cont_msg " IPv4"
        iptables-save > /etc/iptables/rules.v4
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi
    # save IPv6 rules
    if [ ! -f /proc/net/ip6_tables_names ]; then
        log_action_cont_msg " skipping IPv6 (no module loaded)"
    elif [ -x /sbin/ip6tables-save ]; then
        log_action_cont_msg " IPv6"
        ip6tables-save > /etc/iptables/rules.v6
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi
    log_action_end_msg $rc
}

flush_rules()
{
    log_action_begin_msg "Flushing rules"
    if [ ! -f /proc/net/ip_tables_names ]; then
        log_action_cont_msg " skipping IPv4 (no module loaded)"
    elif [ -x /sbin/iptables ]; then
        log_action_cont_msg " IPv4"
        # flush, zero counters and delete user chains in the filter table,
        # then in every table the kernel lists
        for param in F Z X; do /sbin/iptables -$param; done
        # $(<file) is a bash-only construct and expands to nothing under
        # /bin/sh (dash), which would skip this loop entirely; use cat
        for table in $(cat /proc/net/ip_tables_names)
        do
            /sbin/iptables -t $table -F
            /sbin/iptables -t $table -Z
            /sbin/iptables -t $table -X
        done
        # reset the built-in chain policies to ACCEPT
        for chain in INPUT FORWARD OUTPUT
        do
            /sbin/iptables -P $chain ACCEPT
        done
    fi
    if [ ! -f /proc/net/ip6_tables_names ]; then
        log_action_cont_msg " skipping IPv6 (no module loaded)"
    elif [ -x /sbin/ip6tables ]; then
        log_action_cont_msg " IPv6"
        for param in F Z X; do /sbin/ip6tables -$param; done
        for table in $(cat /proc/net/ip6_tables_names)
        do
            /sbin/ip6tables -t $table -F
            /sbin/ip6tables -t $table -Z
            /sbin/ip6tables -t $table -X
        done
        for chain in INPUT FORWARD OUTPUT
        do
            /sbin/ip6tables -P $chain ACCEPT
        done
    fi
    log_action_end_msg 0
}

case "$1" in
    start|restart|reload|force-reload)
        load_rules
        ;;
    save)
        save_rules
        ;;
    stop)
        # Why? because if stop is used, the firewall gets flushed for a variable
        # amount of time during package upgrades, leaving the machine vulnerable
        # It's also not always desirable to flush during purge
        echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
        ;;
    flush)
        flush_rules
        ;;
    *)
        echo "Usage: $0 {start|restart|reload|save|flush}" >&2
        exit 1
        ;;
esac

exit $rc
-- debconf information:
* iptables-persistent/autosave_v6: true
* iptables-persistent/autosave_v4: true
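The load_rules logic the report argues for, written out as an added example (not code from the bug report or from the iptables-persistent package): the /proc/net/ip_tables_names gate is gone and the exit status of the restore command alone decides success, but stderr is kept instead of being sent to /dev/null as in the posted script, so a failed module autoload says why. The /proc table list is only consulted after a failure, as a diagnostic. The restore command and the /proc path are parameters so the function can be exercised without root; the fake_restore_ok/fake_restore_fail stand-ins, their error text, the rules-file content and the colon-separated spec format of load_rules are all constructed for this example and are not the package's interface.

```shell
#!/bin/sh
# Added example, not code from the bug report or the iptables-persistent
# package. Restore one rules file and judge success by the exit status of the
# restore command alone, keeping its stderr for the log.
#
#   $1  rules file          (e.g. /etc/iptables/rules.v4)
#   $2  restore command     (e.g. iptables-restore; a shell function also works)
#   $3  table list in /proc (optional, e.g. /proc/net/ip_tables_names)
#
# Returns 0 when the file is absent (nothing to load) or was restored, 1 when
# the restore command failed. The captured error text is left in
# LOAD_TABLE_RULES_ERR for the caller to log.
load_table_rules() {
    rules=$1
    restore=$2
    proc_names=${3:-}
    LOAD_TABLE_RULES_ERR=
    # No rules file for this family: nothing to do, not an error.
    [ -f "$rules" ] || return 0
    # Keep stderr (it lands in the variable), discard stdout. If the kernel
    # cannot autoload the table module, this is where the restore fails and
    # the message says so; no separate /proc probe is needed beforehand.
    if LOAD_TABLE_RULES_ERR=$("$restore" <"$rules" 2>&1 >/dev/null); then
        return 0
    fi
    # After a failure the /proc table list is still a useful diagnostic: if it
    # is absent, no table module got loaded, neither by hand nor by autoload.
    if [ -n "$proc_names" ] && [ ! -f "$proc_names" ]; then
        LOAD_TABLE_RULES_ERR="$LOAD_TABLE_RULES_ERR (no table list at $proc_names: no table module loaded)"
    fi
    return 1
}

# Driver in the style of the init script's load_rules: rc accumulates failures.
# Each argument is "rules_file:restore_cmd[:proc_table_list]" (a constructed
# interface for this example; paths containing ':' are not supported).
load_rules() {
    rc=0
    for spec in "$@"; do
        rules=${spec%%:*}
        rest=${spec#*:}
        restore=${rest%%:*}
        proc_names=
        if [ "$rest" != "$restore" ]; then
            proc_names=${rest#*:}
        fi
        if ! load_table_rules "$rules" "$restore" "$proc_names"; then
            echo "restore failed for $rules: $LOAD_TABLE_RULES_ERR" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed stand-ins for iptables-restore so the logic runs without root.
fake_restore_ok() {
    cat >/dev/null          # consume the rules on stdin, succeed
}
fake_restore_fail() {
    cat >/dev/null          # consume the rules, then fail with a message,
                            # as a restore with no loadable table module would
    echo "fake_restore_fail: table module not available (constructed message)" >&2
    return 2
}

# Demo with a constructed rules file in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' 'COMMIT' >"$tmp/rules.v4"
    # v4 present and restored, v6 absent and skipped without error
    load_rules "$tmp/rules.v4:fake_restore_ok" "$tmp/rules.v6:fake_restore_ok" \
        && echo "demo 1: loaded"
    # v4 present but the restore fails; the reason is logged, not hidden
    load_rules "$tmp/rules.v4:fake_restore_fail:$tmp/no-such-proc-file" \
        || echo "demo 2: failed with rc=$rc"
    rm -rf "$tmp"
}

demo
```

To use it against the real tools, call `load_rules /etc/iptables/rules.v4:iptables-restore:/proc/net/ip_tables_names /etc/iptables/rules.v6:ip6tables-restore:/proc/net/ip6_tables_names` as root; the restore command's own error message then reaches the log instead of being dropped, which is what the posted script loses with `2> /dev/null`.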