tags 679840 + patch
thanks

Hi Jonathan,

I prepared a new version to fix this RC bug so we hopefully could get
something above 0.5.4 in wheezy.

After pondering for a long time how we could get the modprobe checks
working in a chroot, I finally think we don't need them at all.

We have iptables as a dependency, and this should provide, in most
cases on Debian, a system where the needed kernel modules are loaded or at
least automatically loadable.

On a system or in an environment where iptables couldn't run, the whole
iptables-package doesn't make much sense, because then it isn't even
possible to create iptables rules, which then wouldn't be loaded by
iptables-persistent during boot.


So I removed the modprobe calls and the checks in the /proc filesystem
from the postinst completely. Instead, I added some checks to
see if the iptables command is available and if iptables itself is
capable of reading its own filter table.

This should be sufficient to say that iptables is installed
and workable in the current environment. And it has the big advantage
that it would fail much more gracefully if iptables didn't work, like
in a chroot.


It would be great if you could do a review and sponsor my package.

You can download the package via dget:

 dget -x http://mentors.debian.net/debian/pool/main/i/iptables-persistent/iptables-persistent_0.5.6.dsc

And you can find the corresponding patches attached to this mail or
cherry pick them from this git repo in branch bug679840:

 git://anonscm.debian.org/collab-maint/iptables-persistent.git
 http://anonscm.debian.org/git/collab-maint/iptables-persistent.git


Cheers,
Andreas


-- 
Andreas Rütten                                  andreasruet...@gmx.de

4096R: 0x6C9DFFB2 / 8394 99DA 59BD BCE2 3FC8 3A9E 6633 0089 6C9D FFB2
From 6b6358d67184aea3758bf73c74b27bc059c51ae2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20R=C3=BCtten?= <andreasruet...@gmx.de>
Date: Thu, 2 Aug 2012 22:39:57 +0200
Subject: [PATCH 1/3] Instead of checking on modules, test a working iptables
 more directly

Information about the loaded kernel modules or the proc filesystem
isn't always available, for example in chroots or other virtual
environments.

Instead of testing if the iptables_filter module is loaded/loadable
via modprobe or if something is under /proc, let's check if iptables is
available and do a check if iptables itself is capable of reading its
filter table.

This should be sufficient enough to say that iptables is installed and
workable in the current environment.

This should fix Bug #679840.
---
 debian/iptables-persistent.postinst |   26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/debian/iptables-persistent.postinst b/debian/iptables-persistent.postinst
index 355715b..18dec7d 100644
--- a/debian/iptables-persistent.postinst
+++ b/debian/iptables-persistent.postinst
@@ -11,20 +11,26 @@ configure)
     if [ "x$RET" != "xtrue" ]; then
         db_get iptables-persistent/autosave_v4 || true
         if [ "x$RET" = "xtrue" ]; then
-			modprobe -q iptable_filter
-		    if [ $? -eq 0 ] && [ -f /proc/net/ip_tables_names ]; then
-		        iptables-save > /etc/iptables/rules.v4
-            else
-                echo "IPv4: Unable to save (module not loaded)"
+	    if which iptables > /dev/null ; then
+		if iptables -t filter -L -n > /dev/null; then
+		    iptables-save > /etc/iptables/rules.v4
+		else
+                    echo "IPv4: Unable to save (table filter isn't available or module not loadable)"
+		fi
+	    else
+                echo "IPv4: Can't find iptables in $PATH, please check your system"
             fi
         fi
         db_get iptables-persistent/autosave_v6 || true
         if [ "x$RET" = "xtrue" ]; then
-			modprobe -q ip6table_filter
-		    if [ $? -eq 0 ] && [ -f /proc/net/ip_tables_names ]; then
-                ip6tables-save > /etc/iptables/rules.v6
-            else
-                echo "IPv6: Unable to save (module not loaded)"
+	    if which ip6tables > /dev/null ; then
+		if ip6tables -t filter -L -n > /dev/null; then
+		    ip6tables-save > /etc/iptables/rules.v6
+		else
+                    echo "IPv6: Unable to save (table filter isn't available or module not loadable)"
+		fi
+	    else
+                echo "IPv6: Can't find ip6tables in $PATH, please check your system"
             fi
         fi
 
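Review bot: in both the IPv4 and IPv6 branches the save itself is still unchecked. `iptables-save > /etc/iptables/rules.v4` truncates the existing file before the command runs, so if the save fails after the `iptables -t filter -L -n` probe has passed, an empty or partial rules.v4 is left behind for the boot-time restore. Consider writing to a temporary file under /etc/iptables and renaming it into place only when iptables-save exits 0, and the same for ip6tables-save and rules.v6. The probe also redirects only stdout, so in a chroot the error text from iptables itself will be printed ahead of the "Unable to save" message; add `2>&1` if that is not intended. Style: the added lines are tab-indented while the surrounding context lines use spaces.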
-- 
1.7.9.5

From 1db63c9182691f29f0cb96cfa91296dd1f509f22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20R=C3=BCtten?= <andreasruet...@gmx.de>
Date: Thu, 2 Aug 2012 22:42:22 +0200
Subject: [PATCH 2/3] Remove dependency on kmod

After removing all calls of modprobe in postinst remove also the dependency
on kmod. It was added in commit 5751766 for only these modprobe calls.
---
 debian/control |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index 1bc8598..88299ee 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Vcs-Git: git://robin.powdarrmonkey.net/git/iptables-persistent/
 
 Package: iptables-persistent
 Architecture: all
-Depends: iptables, lsb-base, kmod, ${misc:Depends}
+Depends: iptables, lsb-base, ${misc:Depends}
 Description: boot-time loader for iptables rules
  This package provides a system startup script that restores iptables
  rules from a configuration file.
-- 
1.7.9.5

From 9c1694dd6ca61404ee276f2be883ea7cf1007170 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20R=C3=BCtten?= <andreasruet...@gmx.de>
Date: Thu, 2 Aug 2012 22:50:37 +0200
Subject: [PATCH 3/3] Changelog entries for 0.5.6

---
 debian/changelog |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 406c826..bc0bb6e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+iptables-persistent (0.5.6) unstable; urgency=low
+
+  * [6b6358] Instead of checking on modules, test a working iptables more 
+    directly (Closes: #679840)
+  * [1db63c] Remove dependency on kmod
+
+ -- Andreas Rütten <andreasruet...@gmx.de>  Thu, 02 Aug 2012 22:50:05 +0200
+
 iptables-persistent (0.5.5) unstable; urgency=low
 
   * Regressions were found in the previous release, this version fixes them
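Review bot: the new entry is uploaded with `urgency=low` although the cover mail describes #679840 as an RC bug that should reach wheezy; a higher urgency may be more appropriate for that purpose. The first bullet line also ends in trailing whitespace after "more", and the entry does not mention that the modprobe and /proc checks were removed from the postinst, which is the user-visible behaviour change.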
-- 
1.7.9.5
