On Thu, Jul 02, 2020 at 12:20:20PM +0200, gustavo panizzo wrote:
Would you accept an upload fixing #961589 [2], #963012 [3], changing the flush mechanism [4] and allowing granular configuration of the save action [5]?
here is the debdiff for those changes. A quick test shows that it works fine; I'll test it more and report back in a few days. cheers -- IRC: gfa GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5 OLD GPG: 0x44BB1BA79F6C6333
diff -Nru iptables-persistent-1.0.11/debian/changelog iptables-persistent-1.0.11+deb10u1/debian/changelog
--- iptables-persistent-1.0.11/debian/changelog 2019-02-09 05:36:39.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/debian/changelog 2020-07-02 16:26:05.000000000 +0200
@@ -1,3 +1,16 @@
+iptables-persistent (1.0.11+deb10u1) buster; urgency=medium
+
+ * [cdc4a5] Do not load modules.
+ Thanks to Thorsten Glaser <t...@mirbsd.de>
+ (Closes: #963012)
+ * [cdc4a5] Do not call log_action_cont_msg()
+ Thanks to Synthea <genom...@firemail.cc>
+ (Closes: #961589)
+ * [b6e6f9] Backport the logic to flush rules from 1.0.14
+ * [60a86f] Allow granular configuration for the save action
+
+ -- gustavo panizzo <g...@zumbi.com.ar> Thu, 02 Jul 2020 14:26:05 +0000
+
 iptables-persistent (1.0.11) unstable; urgency=medium
 * [e491d7] Make iptables-persistent to Pre-Depends on iptables.
diff -Nru iptables-persistent-1.0.11/debian/netfilter-persistent.default iptables-persistent-1.0.11+deb10u1/debian/netfilter-persistent.default
--- iptables-persistent-1.0.11/debian/netfilter-persistent.default 2018-10-10 13:08:41.000000000 +0200
+++ iptables-persistent-1.0.11+deb10u1/debian/netfilter-persistent.default 2020-07-02 16:26:05.000000000 +0200
@@ -2,3 +2,9 @@
 # Plugins may extend this file or have their own
 FLUSH_ON_STOP=0
+
+# Set to yes to skip saving rules/sets when netfilter-persistent is called with
+# the save parameter
+# IPTABLES_SKIP_SAVE=yes
+# IP6TABLES_SKIP_SAVE=yes
+# IPSET_SKIP_SAVE=yes
diff -Nru iptables-persistent-1.0.11/plugins/10-ipset iptables-persistent-1.0.11+deb10u1/plugins/10-ipset
--- iptables-persistent-1.0.11/plugins/10-ipset 2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/plugins/10-ipset 2020-07-02 16:26:05.000000000 +0200
@@ -17,6 +17,11 @@
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+ . /etc/default/netfilter-persistent
+fi
+
 # Create the ipsets and populate them
 load_sets () {
@@ -31,9 +36,11 @@
 # Save current contents of the ipsets to file
 save_sets () {
- touch /etc/iptables/ipsets
- chmod 0640 /etc/iptables/ipsets
- ipset save > /etc/iptables/ipsets
+ if [ ! "${IPSET_SKIP_SAVE}x" = "yesx" ]; then
+ touch /etc/iptables/ipsets
+ chmod 0640 /etc/iptables/ipsets
+ ipset save > /etc/iptables/ipsets
+ fi
 }
 # flush sets
diff -Nru iptables-persistent-1.0.11/plugins/15-ip4tables iptables-persistent-1.0.11+deb10u1/plugins/15-ip4tables
--- iptables-persistent-1.0.11/plugins/15-ip4tables 2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/plugins/15-ip4tables 2020-07-02 16:26:05.000000000 +0200
@@ -14,6 +14,11 @@
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+ . /etc/default/netfilter-persistent
+fi
+
 load_rules() {
 #load IPv4 rules
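Review bot: The new guard in save_sets, `if [ ! "${IPSET_SKIP_SAVE}x" = "yesx" ]; then`, honours only the exact lowercase string `yes`; a value of `Yes`, `true` or `1` in /etc/default/netfilter-persistent is silently treated as "do save" and nothing tells the administrator. Either say so in the comment added to netfilter-persistent.default (`# Only the exact value "yes" is honoured`) or normalise the value before comparing. The `x`-suffix idiom is also unnecessary once the expansion is quoted, so the POSIX form `if [ "${IPSET_SKIP_SAVE:-}" != "yes" ]; then` reads more clearly. The same check, with the same caveat, appears in the save_rules hunks of 15-ip4tables and 25-ip6tables.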
@@ -26,35 +31,29 @@
 save_rules() {
+ if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
 #save IPv4 rules
- #need at least iptable_filter loaded:
- modprobe -b -q iptable_filter || true
- if [ ! -f /proc/net/ip_tables_names ]; then
- echo "Warning: skipping IPv4 (Kernel support is missing)"
- else
- touch /etc/iptables/rules.v4
- chmod 0640 /etc/iptables/rules.v4
- iptables-save > /etc/iptables/rules.v4
- fi
+ touch /etc/iptables/rules.v4
+ chmod 0640 /etc/iptables/rules.v4
+ iptables-save > /etc/iptables/rules.v4
+ fi
 }
 flush_rules() {
- if [ ! -f /proc/net/ip_tables_names ]; then
- log_action_cont_msg "Warning: skipping IPv4 (Kernel support is missing)"
- elif [ $(which iptables) ]; then
- for chain in INPUT FORWARD OUTPUT
- do
- iptables -P $chain ACCEPT
- done
- for param in F Z X; do iptables -$param; done
- for table in $(cat /proc/net/ip_tables_names)
- do
- iptables -t $table -F
- iptables -t $table -Z
- iptables -t $table -X
- done
- fi
+ TABLES=$(iptables-save | sed -E -n 's/^\*//p')
+ for table in $TABLES
+ do
+ CHAINS=$(iptables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+ for chain in $CHAINS
+ do
+ # policy can't be set on user-defined chains
+ iptables -t $table -P $chain ACCEPT || true
+ done
+ iptables -t $table -F
+ iptables -t $table -Z
+ iptables -t $table -X
+ done
 }
 case "$1" in
diff -Nru iptables-persistent-1.0.11/plugins/25-ip6tables iptables-persistent-1.0.11+deb10u1/plugins/25-ip6tables
--- iptables-persistent-1.0.11/plugins/25-ip6tables 2019-02-09 03:10:09.000000000 +0100
+++ iptables-persistent-1.0.11+deb10u1/plugins/25-ip6tables 2020-07-02 16:26:05.000000000 +0200
@@ -14,6 +14,11 @@
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+ . /etc/default/netfilter-persistent
+fi
+
 # Exit fast if IPv6 is disabled
 test -e /proc/sys/net/ipv6 || exit 0
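Review bot: With the /proc/net/ip_tables_names guard removed, the new save_rules runs `iptables-save > /etc/iptables/rules.v4` unconditionally, and the shell truncates rules.v4 before iptables-save starts; if iptables-save then fails (the module-loading step was deliberately dropped in this same upload, so a host without the tables loaded is a plausible case) the previously saved ruleset is replaced by an empty file and nothing is restored at the next boot, whereas the old code only wrote after confirming kernel support. Writing to a sibling temp file and renaming only on success keeps the last good ruleset intact and also closes the window in which a freshly touched file carries umask permissions before chmod runs. The same pattern is in the 25-ip6tables save_rules hunk (and, pre-existing, in 10-ipset save_sets). Less important, the new flush_rules no longer prints anything when `iptables-save` fails and TABLES comes back empty, so a failed flush is silent; a warning on the empty-TABLES case would preserve the old behaviour.
```shell
save_rules() {
	if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
		#save IPv4 rules
		# Write next to the target so the rename is atomic and a failed
		# iptables-save cannot truncate the previously saved ruleset.
		tmp=$(mktemp /etc/iptables/rules.v4.XXXXXX) || return 1
		if iptables-save > "$tmp"; then
			chmod 0640 "$tmp"
			mv -f -- "$tmp" /etc/iptables/rules.v4
		else
			rm -f -- "$tmp"
			echo "Warning: iptables-save failed, keeping existing rules.v4" >&2
		fi
	fi
}
# … unchanged: flush_rules …
```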
@@ -29,35 +34,29 @@
 save_rules() {
+ if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
 #save IPv6 rules
- #need at least ip6table_filter loaded:
- modprobe -b -q ip6table_filter || true
- if [ ! -f /proc/net/ip6_tables_names ]; then
- log_action_cont_msg "Warning: skipping IPv6 (Kernel support is missing)"
- else
- touch /etc/iptables/rules.v6
- ip6tables-save > /etc/iptables/rules.v6
- chmod 0640 /etc/iptables/rules.v6
- fi
+ touch /etc/iptables/rules.v6
+ ip6tables-save > /etc/iptables/rules.v6
+ chmod 0640 /etc/iptables/rules.v6
+ fi
 }
 flush_rules() {
- if [ ! -f /proc/net/ip6_tables_names ]; then
- echo "Warning: skipping IPv6 (Kernel support is missing)"
- elif [ $(which ip6tables) ]; then
- for chain in INPUT FORWARD OUTPUT
- do
- ip6tables -P $chain ACCEPT
- done
- for param in F Z X; do ip6tables -$param; done
- for table in $(cat /proc/net/ip6_tables_names)
- do
- ip6tables -t $table -F
- ip6tables -t $table -Z
- ip6tables -t $table -X
- done
- fi
+ TABLES=$(ip6tables-save | sed -E -n 's/^\*//p')
+ for table in $TABLES
+ do
+ CHAINS=$(ip6tables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+ for chain in $CHAINS
+ do
+ # policy can't be set on user-defined chains
+ ip6tables -t $table -P $chain ACCEPT || true
+ done
+ ip6tables -t $table -F
+ ip6tables -t $table -Z
+ ip6tables -t $table -X
+ done
 }
 case "$1" in
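Review bot: The guard added to save_rules in 25-ip6tables tests `IPTABLES_SKIP_SAVE`, but the variable this upload documents in netfilter-persistent.default for IPv6 is `IP6TABLES_SKIP_SAVE`; as written, setting the documented IPv6 variable has no effect, and setting the IPv4 one silently skips the IPv6 save as well. The line should read `if [ ! "${IP6TABLES_SKIP_SAVE}x" = "yesx" ]; then`. Separately, this file orders the write as touch, ip6tables-save, chmod, so a rules.v6 created for the first time is world-readable under a default umask until the chmod runs; moving `chmod 0640 /etc/iptables/rules.v6` before `ip6tables-save` matches the 15-ip4tables hunk and removes that window.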