Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
I would like to update iptables-persistent in jessie to fix a minor information disclosure bug. This update also takes the opportunity to apply the correct README and install it for both packages, and update VCS links.

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/README b/debian/README index fc62b23..c8dad16 100644 --- a/debian/README +++ b/debian/README @@ -1,17 +1,22 @@ -The Debian Package iptables-persistent ----------------------------- +netfilter-persistent and its plugins +------------------------------------ -This is a very simple script that restores the file /etc/iptables/rules.v4 as -the active ruleset at system boot. +netfilter-persistent does no work on its own. You need the accompanying +plugins (for example, iptables-persistent) to load and save filter rules. -If it exists, IPv6 rules are also restored from /etc/iptables/rules.v6 +However, commands are run from netfilter-persistent. For example, to save +all filter rules: -Loading of rules is guaranteed to happen before network interfaces are -brought up. + netfilter-persistent save -To save the current ruleset, use "iptables-save >/etc/iptables/rules.v4" -or "ip6tables-save >/etc/iptables/rules.v6", or -"invoke-rc.d iptables-persistent save" +or to load them: - -- Simon Richter <s...@debian.org> Wed, 01 Jul 2009 13:43:43 +0200 - -- Jonathan Wiltshire <j...@debian.org> Thu, 30 Dec 2010 00:00:00 +0000 + netfilter-persistent start + +For more details, see `man netfilter-persistent`. + +The system service will try to load rules at startup if enabled, but by +default it will not flush rules at shutdown. This behaviour can be changed +by editing /etc/default/netfilter-persistent. + + -- Jonathan Wiltshire <j...@debian.org> Sat, 02 Jan 2016 00:00:00 +0000 diff --git a/debian/changelog b/debian/changelog index 8b688e5..0241b13 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,13 @@ +iptables-persistent (1.0.3+deb8u1) jessie; urgency=medium + + * [10cab8] Stop rules files being world-readable. + Thanks to Bernhard Thaler (Closes: #764645) + * [dbeffc] Rewrite README, install for both packages (Closes: #807285) + * [dcd3f5] Update VCS links + * [e0e1cf] Re-tab plugins/15-ip4tables and plugins/25-ip6tables + + -- Jonathan Wiltshire <j...@debian.org> Sat, 02 Jan 2016 21:17:03 +0000 + iptables-persistent (1.0.3) unstable; urgency=medium * [b7c661] systemd: start after local filesystem is available diff --git a/debian/control b/debian/control index 7aec52b..65e69af 100644 --- a/debian/control +++ b/debian/control @@ -5,8 +5,8 @@ Maintainer: Jonathan Wiltshire <j...@debian.org> Uploaders: Andreas Rütten <andreasruet...@gmx.de> Build-Depends: debhelper (>= 7.0.50~), dh-systemd, po-debconf Standards-Version: 3.9.5 -Vcs-Browser: http://robin.powdarrmonkey.net/gitweb/p=iptables-persistent -Vcs-Git: git://robin.powdarrmonkey.net/git/iptables-persistent/ +Vcs-Browser: http://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/ +Vcs-Git: git://anonscm.debian.org/collab-maint/iptables-persistent.git Package: netfilter-persistent Architecture: all diff --git a/debian/netfilter-persistent.docs b/debian/netfilter-persistent.docs new file mode 100644 index 0000000..df6f1f3 --- /dev/null +++ b/debian/netfilter-persistent.docs @@ -0,0 +1 @@ +debian/README diff --git a/plugins/15-ip4tables b/plugins/15-ip4tables index 578b237..d4cd740 100755 --- a/plugins/15-ip4tables +++ b/plugins/15-ip4tables @@ -35,6 +35,8 @@ save_rules() if [ ! -f /proc/net/ip_tables_names ]; then echo "Warning: skipping IPv4 (no modules loaded)" elif [ -x /sbin/iptables-save ]; then + touch /etc/iptables/rules.v4 + chmod 0640 /etc/iptables/rules.v4 iptables-save > /etc/iptables/rules.v4 if [ $? -ne 0 ]; then rc=1 diff --git a/plugins/25-ip6tables b/plugins/25-ip6tables index c8ca475..6dc8bff 100755 --- a/plugins/25-ip6tables +++ b/plugins/25-ip6tables 
@@ -35,6 +35,8 @@ save_rules() if [ ! -f /proc/net/ip6_tables_names ]; then log_action_cont_msg "Warning: skipping IPv6 (no modules loaded)" elif [ -x /sbin/ip6tables-save ]; then + touch /etc/iptables/rules.v6 + chmod 0640 /etc/iptables/rules.v6 ip6tables-save > /etc/iptables/rules.v6 if [ $? -ne 0 ]; then rc=1
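Review bot: the rewritten debian/README drops two facts the old text stated and the new text does not restore: where the rules files live (/etc/iptables/rules.v4 and /etc/iptables/rules.v6) and that loading "is guaranteed to happen before network interfaces are brought up". A user reading only this file can no longer find the rules paths or rely on the ordering. Add a sentence such as "iptables-persistent stores its rules in /etc/iptables/rules.v4 and /etc/iptables/rules.v6" and, if the ordering guarantee still holds for the systemd unit, keep that line.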
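Review bot: the changelog entry "Stop rules files being world-readable" claims more than the plugin hunks deliver: they apply `chmod 0640` only when `netfilter-persistent save` next runs, so rules files already on disk from earlier versions keep whatever mode they have until an administrator saves again. Either add a postinst step that tightens existing /etc/iptables/rules.v4 and rules.v6, or state in the changelog (and a NEWS entry) that existing files must be fixed by hand. Also, "Re-tab plugins/15-ip4tables and plugins/25-ip6tables" is not visible in the diff, which shows only two added lines per plugin; either the diff was generated ignoring whitespace or that commit is missing from this upload, and a stable update should carry only what the diff shows.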
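Review bot: only debian/netfilter-persistent.docs is added, while the changelog says the README is installed for both packages; unless debian/iptables-persistent.docs already lists debian/README, iptables-persistent still ships without it. Since the README now describes netfilter-persistent and names iptables-persistent as a plugin, shipping it in both is sensible, but the diff should show both .docs files.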
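Review bot: in the 15-ip4tables hunk, `touch /etc/iptables/rules.v4` creates a missing file under the process umask (typically giving 0644) before `chmod 0640` runs, so on first save there is a short window in which an empty world-readable file exists, and `chmod` follows symlinks, so if rules.v4 is a symlink the target's mode is changed instead. Creating the file with a restrictive umask avoids the window, e.g. `( umask 077; iptables-save > /etc/iptables/rules.v4 )` followed by the `chmod 0640` (the chmod is still needed because umask does not change the mode of a file that already exists). The return codes of `touch` and `chmod` are also unchecked: if /etc/iptables is absent the redirect failure is still caught by the `$?` test, but a failing chmod on an existing file is silently ignored, which defeats the point of the fix.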
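Review bot: the 25-ip6tables hunk repeats the touch/chmod pair from 15-ip4tables with the same umask, symlink and unchecked-return-code caveats, and the two plugins already diverge in the surrounding context (this one logs with `log_action_cont_msg`, the IPv4 one with a bare `echo`). A small shared "create or tighten the rules file" helper, or at least applying whatever fix is chosen for IPv4 identically here, keeps the two from drifting further.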