Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hello release team,

I'd like to fix the bugs #961589 and #963012 in Buster by uploading iptables-persistent 1.0.14, which is already in testing and backports. The updated package has been part of backports since Oct 2019 without reports of problems; I personally use it on all systems I administer without problems.

Besides fixing these 2 bugs, this version changes the way iptables rules are flushed (to be better IMHO), allows toggling the rule saving for individual components (iptables, ip6tables and ipset) without changing the defaults, and sets up the iptables, ip6tables and ipset services in systemd using alternatives (see #926927).

I've attached a debdiff to this report.

thanks!

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru iptables-persistent-1.0.11/debian/changelog iptables-persistent-1.0.14+deb10u1/debian/changelog --- iptables-persistent-1.0.11/debian/changelog 2019-02-09 05:36:39.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/debian/changelog 2020-06-21 21:12:04.000000000 +0200 
@@ -1,3 +1,39 @@ +iptables-persistent (1.0.14+deb10u1) buster; urgency=medium + + * Rebuild for buster-updates. + + -- gustavo panizzo <g...@zumbi.com.ar> Sun, 21 Jun 2020 19:12:04 +0000 + +iptables-persistent (1.0.14) unstable; urgency=medium + + * [401a9f] No longer load modules. + Thanks to Jérémie LEGRAND (Closes: 932196) + * [933938] Implement a new logic to flush firewall rules + * [824486] Add variable Pre-Depends as required by init-system-helpers and debhelper 12 + * [3ed371] Run wrap-and-sort + + -- gustavo panizzo <g...@zumbi.com.ar> Fri, 13 Sep 2019 19:16:28 +0200 + +iptables-persistent (1.0.13) unstable; urgency=medium + + * Upload to unstable + * [30244a] Standards version 4.4.0 (no changes) + * [242e35] Provide the virtual systemd units iptables.service and + ipset.service. + Thanks to Laurent Bigonville for the bug report (Closes: #926927) + * [3a751c] Remove Jonathan Wiltshire as Maintainer and add myself + * [7303da] Add Documentation to the systemd unit + * [320e48] Use debhelper 12 + + -- gustavo panizzo <g...@zumbi.com.ar> Mon, 26 Aug 2019 21:27:58 +0200 + +iptables-persistent (1.0.12) experimental; urgency=medium + + * [3ca86e] Use white space and tabs consistently + * [d5726c] Allow granular configuration for the save action + + -- gustavo panizzo <g...@zumbi.com.ar> Wed, 27 Mar 2019 14:34:28 +0800 + iptables-persistent (1.0.11) unstable; urgency=medium * [e491d7] Make iptables-persistent to Pre-Depends on iptables. diff -Nru iptables-persistent-1.0.11/debian/compat iptables-persistent-1.0.14+deb10u1/debian/compat --- iptables-persistent-1.0.11/debian/compat 2019-02-09 03:10:09.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/debian/compat 1970-01-01 01:00:00.000000000 +0100 
@@ -1 +0,0 @@ -11 diff -Nru iptables-persistent-1.0.11/debian/control iptables-persistent-1.0.14+deb10u1/debian/control --- iptables-persistent-1.0.11/debian/control 2019-02-09 05:28:03.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/debian/control 2020-06-21 21:12:04.000000000 +0200 @@ -1,10 +1,9 @@ Source: iptables-persistent Section: admin Priority: optional -Maintainer: Jonathan Wiltshire <j...@debian.org> -Uploaders: gustavo panizzo <g...@zumbi.com.ar> -Build-Depends: debhelper (>= 11.0.0), po-debconf -Standards-Version: 4.3.0 +Maintainer: gustavo panizzo <g...@zumbi.com.ar> +Standards-Version: 4.4.0 +Build-Depends: debhelper-compat (= 12), dh-exec, po-debconf Vcs-Browser: https://salsa.debian.org/debian/iptables-persistent.git Vcs-Git: https://salsa.debian.org/debian/iptables-persistent.git @@ -14,6 +13,7 @@ Breaks: iptables-persistent (<< 1~) Replaces: iptables-persistent (<< 1~) Suggests: iptables-persistent +Pre-Depends: ${misc:Pre-Depends} Description: boot-time loader for netfilter configuration This package provides a loader for netfilter configuration using a plugin-based architecture. It can load, flush and save a running @@ -23,7 +23,7 @@ Package: iptables-persistent Architecture: all Depends: netfilter-persistent (= ${source:Version}), ${misc:Depends} -Pre-Depends: iptables +Pre-Depends: iptables, ${misc:Pre-Depends} Description: boot-time loader for netfilter rules, iptables plugin netfilter-persistent is a loader for netfilter configuration using a plugin-based architecture. 
@@ -32,6 +32,7 @@ Package: ipset-persistent Architecture: all +Pre-Depends: ${misc:Pre-Depends} Depends: ipset, netfilter-persistent (= ${source:Version}), ${misc:Depends} Description: boot-time loader for netfilter rules, ipset plugin netfilter-persistent is a loader for netfilter configuration using a diff -Nru iptables-persistent-1.0.11/debian/ipset.override iptables-persistent-1.0.14+deb10u1/debian/ipset.override --- iptables-persistent-1.0.11/debian/ipset.override 1970-01-01 01:00:00.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/debian/ipset.override 2020-06-21 21:12:04.000000000 +0200 @@ -0,0 +1,2 @@ +[Unit] +Conflicts=ipset.service diff -Nru iptables-persistent-1.0.11/debian/ipset-persistent.install iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.install --- iptables-persistent-1.0.11/debian/ipset-persistent.install 2019-02-09 03:10:09.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.install 2020-06-21 21:12:04.000000000 +0200 @@ -1,2 +1,4 @@ -plugins/10-ipset usr/share/netfilter-persistent/plugins.d/ -plugins/40-ipset usr/share/netfilter-persistent/plugins.d/ +#! /usr/bin/dh-exec +plugins/10-ipset usr/share/netfilter-persistent/plugins.d/ +plugins/40-ipset usr/share/netfilter-persistent/plugins.d/ +debian/ipset.override => etc/systemd/system/netfilter-persistent.service.d/ipset.conf diff -Nru iptables-persistent-1.0.11/debian/ipset-persistent.postinst iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.postinst --- iptables-persistent-1.0.11/debian/ipset-persistent.postinst 2019-02-09 03:10:09.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.postinst 2020-06-21 21:12:04.000000000 +0200 
@@ -2,6 +2,9 @@ set -e +# Setup alternatives +update-alternatives --install /lib/systemd/system/ipset.service ipset.service /lib/systemd/system/netfilter-persistent.service 40 + # Source debconf library . /usr/share/debconf/confmodule diff -Nru iptables-persistent-1.0.11/debian/ipset-persistent.prerm iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.prerm --- iptables-persistent-1.0.11/debian/ipset-persistent.prerm 1970-01-01 01:00:00.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.prerm 2020-06-21 21:12:04.000000000 +0200 @@ -0,0 +1,8 @@ +#!/bin/sh + +set -e + +# Remove alternatives +update-alternatives --remove-all ipset.service + +#DEBHELPER# diff -Nru iptables-persistent-1.0.11/debian/iptables.override iptables-persistent-1.0.14+deb10u1/debian/iptables.override --- iptables-persistent-1.0.11/debian/iptables.override 1970-01-01 01:00:00.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/debian/iptables.override 2020-06-21 21:12:04.000000000 +0200 @@ -0,0 +1,2 @@ +[Unit] +Conflicts=iptables.service ip6tables.service diff -Nru iptables-persistent-1.0.11/debian/iptables-persistent.install iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.install --- iptables-persistent-1.0.11/debian/iptables-persistent.install 2018-10-10 13:08:41.000000000 +0200 +++ iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.install 2020-06-21 21:12:04.000000000 +0200 
@@ -1,2 +1,4 @@ -plugins/15-ip4tables usr/share/netfilter-persistent/plugins.d/ -plugins/25-ip6tables usr/share/netfilter-persistent/plugins.d/ +#! /usr/bin/dh-exec +plugins/15-ip4tables usr/share/netfilter-persistent/plugins.d/ +plugins/25-ip6tables usr/share/netfilter-persistent/plugins.d/ +debian/iptables.override => etc/systemd/system/netfilter-persistent.service.d/iptables.conf diff -Nru iptables-persistent-1.0.11/debian/iptables-persistent.postinst iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.postinst --- iptables-persistent-1.0.11/debian/iptables-persistent.postinst 2018-10-10 13:08:41.000000000 +0200 +++ iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.postinst 2020-06-21 21:12:04.000000000 +0200 @@ -2,6 +2,10 @@ set -e +# Setup alternatives +update-alternatives --install /lib/systemd/system/iptables.service iptables.service /lib/systemd/system/netfilter-persistent.service 40 \ + --slave /lib/systemd/system/ip6tables.service ip6tables.service /lib/systemd/system/netfilter-persistent.service + # Source debconf library . /usr/share/debconf/confmodule diff -Nru iptables-persistent-1.0.11/debian/iptables-persistent.prerm iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.prerm --- iptables-persistent-1.0.11/debian/iptables-persistent.prerm 1970-01-01 01:00:00.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/debian/iptables-persistent.prerm 2020-06-21 21:12:04.000000000 +0200 @@ -0,0 +1,8 @@ +#!/bin/sh + +set -e + +# Setup alternatives +update-alternatives --remove-all iptables.service + +#DEBHELPER# diff -Nru iptables-persistent-1.0.11/debian/netfilter-persistent.default iptables-persistent-1.0.14+deb10u1/debian/netfilter-persistent.default --- iptables-persistent-1.0.11/debian/netfilter-persistent.default 2018-10-10 13:08:41.000000000 +0200 +++ iptables-persistent-1.0.14+deb10u1/debian/netfilter-persistent.default 2020-06-21 21:12:04.000000000 +0200 
@@ -2,3 +2,9 @@ # Plugins may extend this file or have their own FLUSH_ON_STOP=0 + +# Set to yes to skip saving rules/sets when netfilter-persistent is called with +# the save parameter +# IPTABLES_SKIP_SAVE=yes +# IP6TABLES_SKIP_SAVE=yes +# IPSET_SKIP_SAVE=yes diff -Nru iptables-persistent-1.0.11/debian/netfilter-persistent.install iptables-persistent-1.0.14+deb10u1/debian/netfilter-persistent.install --- iptables-persistent-1.0.11/debian/netfilter-persistent.install 2018-10-10 13:08:41.000000000 +0200 +++ iptables-persistent-1.0.14+deb10u1/debian/netfilter-persistent.install 2020-06-21 21:12:04.000000000 +0200 @@ -1,2 +1,2 @@ -usr lib +usr diff -Nru iptables-persistent-1.0.11/netfilter-persistent iptables-persistent-1.0.14+deb10u1/netfilter-persistent --- iptables-persistent-1.0.11/netfilter-persistent 2019-02-09 03:10:09.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/netfilter-persistent 2020-06-21 21:12:04.000000000 +0200 @@ -2,7 +2,7 @@ # This file is part of netfilter-persistent # Copyright (C) 2014 Jonathan Wiltshire -# +# # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation, either version 3 diff -Nru iptables-persistent-1.0.11/plugins/10-ipset iptables-persistent-1.0.14+deb10u1/plugins/10-ipset --- iptables-persistent-1.0.11/plugins/10-ipset 2019-02-09 03:10:09.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/plugins/10-ipset 2020-06-21 21:12:04.000000000 +0200 
@@ -17,23 +17,30 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +# Source configuration +if [ -f "/etc/default/netfilter-persistent" ]; then + . /etc/default/netfilter-persistent +fi + # Create the ipsets and populate them load_sets () { - #load ipset rules - if [ ! -f /etc/iptables/ipsets ]; then - echo "Warning: skipping IPv4 (no rules to load)" - else - ipset restore -exist < /etc/iptables/ipsets - fi + #load ipset rules + if [ ! -f /etc/iptables/ipsets ]; then + echo "Warning: skipping IPv4 (no rules to load)" + else + ipset restore -exist < /etc/iptables/ipsets + fi } # Save current contents of the ipsets to file save_sets () { - touch /etc/iptables/ipsets - chmod 0640 /etc/iptables/ipsets - ipset save > /etc/iptables/ipsets + if [ ! "${IPSET_SKIP_SAVE}x" = "yesx" ]; then + touch /etc/iptables/ipsets + chmod 0640 /etc/iptables/ipsets + ipset save > /etc/iptables/ipsets + fi } # flush sets @@ -45,19 +52,19 @@ case "$1" in start|restart|reload|force-reload) - load_sets - ;; + load_sets + ;; save) - save_sets - ;; + save_sets + ;; stop) - # While it makes sense to stop (delete) ipsets we keep the same - # semanthics as ip(6)?tables rules - echo "Automatic flushing disabled, use \"flush\" instead of \"stop\"" - ;; + # While it makes sense to stop (delete) ipsets we keep the same + # semanthics as ip(6)?tables rules + echo "Automatic flushing disabled, use \"flush\" instead of \"stop\"" + ;; flush) - flush_sets - ;; + flush_sets + ;; *) echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2 exit 1 diff -Nru iptables-persistent-1.0.11/plugins/15-ip4tables iptables-persistent-1.0.14+deb10u1/plugins/15-ip4tables --- iptables-persistent-1.0.11/plugins/15-ip4tables 2019-02-09 03:10:09.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/plugins/15-ip4tables 2020-06-21 21:12:04.000000000 +0200 
@@ -14,65 +14,63 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +# Source configuration +if [ -f "/etc/default/netfilter-persistent" ]; then + . /etc/default/netfilter-persistent +fi + load_rules() { - #load IPv4 rules - if [ ! -f /etc/iptables/rules.v4 ]; then - echo "Warning: skipping IPv4 (no rules to load)" - else - iptables-restore < /etc/iptables/rules.v4 - fi + #load IPv4 rules + if [ ! -f /etc/iptables/rules.v4 ]; then + echo "Warning: skipping IPv4 (no rules to load)" + else + iptables-restore < /etc/iptables/rules.v4 + fi } save_rules() { - #save IPv4 rules - #need at least iptable_filter loaded: - modprobe -b -q iptable_filter || true - if [ ! -f /proc/net/ip_tables_names ]; then - echo "Warning: skipping IPv4 (Kernel support is missing)" - else - touch /etc/iptables/rules.v4 - chmod 0640 /etc/iptables/rules.v4 - iptables-save > /etc/iptables/rules.v4 - fi + if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then + touch /etc/iptables/rules.v4 + chmod 0640 /etc/iptables/rules.v4 + iptables-save > /etc/iptables/rules.v4 + fi } flush_rules() { - if [ ! -f /proc/net/ip_tables_names ]; then - log_action_cont_msg "Warning: skipping IPv4 (Kernel support is missing)" - elif [ $(which iptables) ]; then - for chain in INPUT FORWARD OUTPUT - do - iptables -P $chain ACCEPT - done - for param in F Z X; do iptables -$param; done - for table in $(cat /proc/net/ip_tables_names) - do - iptables -t $table -F - iptables -t $table -Z - iptables -t $table -X - done - fi + TABLES=$(iptables-save | sed -E -n 's/^\*//p') + for table in $TABLES + do + CHAINS=$(iptables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p') + for chain in $CHAINS + do + # policy can't be set on user-defined chains + iptables -t $table -P $chain ACCEPT || true + done + iptables -t $table -F + iptables -t $table -Z + iptables -t $table -X + done } case "$1" in start|restart|reload|force-reload) - load_rules - ;; + load_rules + ;; save) - save_rules - ;; + save_rules + ;; stop) - # Why? 
because if stop is used, the firewall gets flushed for a variable - # amount of time during package upgrades, leaving the machine vulnerable - # It's also not always desirable to flush during purge - echo "Automatic flushing disabled, use \"flush\" instead of \"stop\"" - ;; + # Why? because if stop is used, the firewall gets flushed for a variable + # amount of time during package upgrades, leaving the machine vulnerable + # It's also not always desirable to flush during purge + echo "Automatic flushing disabled, use \"flush\" instead of \"stop\"" + ;; flush) - flush_rules - ;; + flush_rules + ;; *) echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2 exit 1 diff -Nru iptables-persistent-1.0.11/plugins/25-ip6tables iptables-persistent-1.0.14+deb10u1/plugins/25-ip6tables --- iptables-persistent-1.0.11/plugins/25-ip6tables 2019-02-09 03:10:09.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/plugins/25-ip6tables 2020-06-21 21:12:04.000000000 +0200 
@@ -19,63 +19,56 @@ load_rules() { - #load IPv6 rules - if [ ! -f /etc/iptables/rules.v6 ]; then - echo "Warning: skipping IPv6 (no rules to load)" - else - ip6tables-restore < /etc/iptables/rules.v6 - fi + #load IPv6 rules + if [ ! -f /etc/iptables/rules.v6 ]; then + echo "Warning: skipping IPv6 (no rules to load)" + else + ip6tables-restore < /etc/iptables/rules.v6 + fi } save_rules() { - #save IPv6 rules - #need at least ip6table_filter loaded: - modprobe -b -q ip6table_filter || true - if [ ! -f /proc/net/ip6_tables_names ]; then - log_action_cont_msg "Warning: skipping IPv6 (Kernel support is missing)" - else - touch /etc/iptables/rules.v6 - ip6tables-save > /etc/iptables/rules.v6 - chmod 0640 /etc/iptables/rules.v6 - fi + if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then + touch /etc/iptables/rules.v6 + ip6tables-save > /etc/iptables/rules.v6 + chmod 0640 /etc/iptables/rules.v6 + fi } flush_rules() { - if [ ! -f /proc/net/ip6_tables_names ]; then - echo "Warning: skipping IPv6 (Kernel support is missing)" - elif [ $(which ip6tables) ]; then - for chain in INPUT FORWARD OUTPUT - do - ip6tables -P $chain ACCEPT - done - for param in F Z X; do ip6tables -$param; done - for table in $(cat /proc/net/ip6_tables_names) - do - ip6tables -t $table -F - ip6tables -t $table -Z - ip6tables -t $table -X - done - fi + TABLES=$(ip6tables-save | sed -E -n 's/^\*//p') + for table in $TABLES + do + CHAINS=$(ip6tables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p') + for chain in $CHAINS + do + # policy can't be set on user-defined chains + ip6tables -t $table -P $chain ACCEPT || true + done + ip6tables -t $table -F + ip6tables -t $table -Z + ip6tables -t $table -X + done } case "$1" in start|restart|reload|force-reload) - load_rules - ;; + load_rules + ;; save) - save_rules - ;; + save_rules + ;; stop) - # Why? 
because if stop is used, the firewall gets flushed for a variable - # amount of time during package upgrades, leaving the machine vulnerable - # It's also not always desirable to flush during purge - echo "Automatic flushing disabled, use \"flush\" instead of \"stop\"" - ;; + # Why? because if stop is used, the firewall gets flushed for a variable + # amount of time during package upgrades, leaving the machine vulnerable + # It's also not always desirable to flush during purge + echo "Automatic flushing disabled, use \"flush\" instead of \"stop\"" + ;; flush) - flush_rules - ;; + flush_rules + ;; *) echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2 exit 1 diff -Nru iptables-persistent-1.0.11/plugins/40-ipset iptables-persistent-1.0.14+deb10u1/plugins/40-ipset --- iptables-persistent-1.0.11/plugins/40-ipset 2019-02-09 03:10:09.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/plugins/40-ipset 2020-06-21 21:12:04.000000000 +0200 @@ -16,6 +16,11 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +# Source configuration +if [ -f "/etc/default/netfilter-persistent" ]; then + . /etc/default/netfilter-persistent +fi + # Create the ipsets and populate them load_sets () { 
@@ -37,19 +42,19 @@ case "$1" in start|restart|reload|force-reload) - load_sets - ;; + load_sets + ;; save) - save_sets - ;; + save_sets + ;; stop) - # While it makes sense to stop (delete) ipsets we keep the same - # semanthics as ip(6)?tables rules - echo "Automatic flushing disabled, use \"flush\" instead of \"stop\"" - ;; + # While it makes sense to stop (delete) ipsets we keep the same + # semanthics as ip(6)?tables rules + echo "Automatic flushing disabled, use \"flush\" instead of \"stop\"" + ;; flush) - flush_sets - ;; + flush_sets + ;; *) echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2 exit 1 diff -Nru iptables-persistent-1.0.11/systemd/netfilter-persistent.service iptables-persistent-1.0.14+deb10u1/systemd/netfilter-persistent.service --- iptables-persistent-1.0.11/systemd/netfilter-persistent.service 2019-02-09 03:10:09.000000000 +0100 +++ iptables-persistent-1.0.14+deb10u1/systemd/netfilter-persistent.service 2020-06-21 21:12:04.000000000 +0200 @@ -5,6 +5,7 @@ Before=network-pre.target shutdown.target After=systemd-modules-load.service local-fs.target Conflicts=shutdown.target +Documentation=man:netfilter-persistent(8) [Service] Type=oneshot
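Review bot: the changelog hunk's 1.0.14+deb10u1 entry says only `* Rebuild for buster-updates.` and does not mention #961589 and #963012, the two bugs this upload is meant to fix in stable, nor that the flush logic, the per-component save toggles and the alternatives-managed units change behaviour compared to 1.0.11. Suggest expanding that entry to list the bugs (e.g. `(Closes: #961589, #963012)`) and summarise the user-visible changes, so the stable changelog on its own explains what the update does.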
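Review bot: the ipset-persistent.install and iptables-persistent.install hunks place the drop-ins under `etc/systemd/system/netfilter-persistent.service.d/`, which is the directory reserved for local administrator overrides and would make the package ship a conffile there; a vendor drop-in belongs under `lib/systemd/system/netfilter-persistent.service.d/` (the netfilter-persistent.install hunk already starts installing `lib`), so that an admin's own file in /etc keeps precedence. Suggest changing the destination of both `=>` lines, e.g. `debian/iptables.override => lib/systemd/system/netfilter-persistent.service.d/iptables.conf`.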
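Review bot: the iptables-persistent.prerm hunk runs `update-alternatives --remove-all iptables.service`, which deletes the entire alternatives group, including any iptables.service link another package may have registered, instead of only this package's entry, and because prerm is also called on upgrade the link is torn down and re-created on every upgrade. Suggest `update-alternatives --remove iptables.service /lib/systemd/system/netfilter-persistent.service`, executed only when `$1` is `remove` or `deconfigure`, and the same `--remove` form in the ipset-persistent.prerm hunk. The comment above the call should also read `# Remove alternatives`, as the ipset prerm does, rather than `# Setup alternatives`.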
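Review bot: in the 15-ip4tables hunk the rewritten save_rules drops the `/proc/net/ip_tables_names` guard and writes with `iptables-save > /etc/iptables/rules.v4`, so on a host where iptables-save fails (the "Kernel support is missing" case the removed check covered) the shell has already truncated rules.v4 before the error is reported and the previously saved ruleset is lost. Suggest writing to a temporary file and renaming only on success, e.g. `iptables-save > /etc/iptables/rules.v4.tmp && mv /etc/iptables/rules.v4.tmp /etc/iptables/rules.v4`, and doing the same for `ip6tables-save` in the 25-ip6tables hunk. The new flush_rules has the related quirk that a failing `iptables-save` leaves TABLES empty and the function returns without flushing anything and without any message; a warning in that case would preserve the old behaviour.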
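Review bot: the 25-ip6tables hunk tests `${IPTABLES_SKIP_SAVE}` in save_rules, while the netfilter-persistent.default hunk documents a separate `# IP6TABLES_SKIP_SAVE=yes` knob; as written the documented IPv6 toggle is ignored and setting IPTABLES_SKIP_SAVE skips the IPv6 save as well. The hunk also does not add the `# Source configuration` block that the 10-ipset, 15-ip4tables and 40-ipset hunks gain, so the variable only reaches this plugin if it happens to be in the environment. Suggest `if [ ! "${IP6TABLES_SKIP_SAVE}x" = "yesx" ]; then` and sourcing /etc/default/netfilter-persistent at the top of the plugin as the other three do.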