Hi
On Tue, Jun 30, 2020 at 05:22:50PM +0100, Adam D. Barratt wrote:
Control: tags -1 + moreinfo
On Sun, 2020-06-21 at 22:19 +0200, gustavo panizzo wrote:
I'd like to fix the bugs #961589 and #963012 in Buster uploading
That sounds like it would probably be OK, however:
iptables-persistent 1.0.14 which is already in testing and backports.
I'm not sold on this as a solution currently.
The updated package has been part of backports since Oct 2019 without
report of problems, I personally use it on all systems I administer
without problems.
Unfortunately, while useful input as to the stability of the changes,
none of that directly makes it suitable for a stable update.
Besides fixing these 2 bugs, this version changes the way iptables
rules are flushed (to be better IMHO), allows toggling the rule saving
for individual components (iptables, ip6tables and ipset) without
changing the defaults, and sets up the iptables, ip6tables and ipset
services in systemd using alternatives (See #926927)
What actual issues are these fixing for users of the current package in
stable? "Better" isn't very descriptive. :)
There are no reported bugs against the old mechanism in use to flush rules.
However, the old mechanism only sets the policy (to ACCEPT) in the INPUT, OUTPUT and
FORWARD chains of the filter (default) table [1].
Policies on other tables are left intact, but their rules are flushed.
The result of this is that the flush mechanism doesn't flush all rules when
iptables-nft is in use and potentially locks down the machine when
iptables-legacy is in use.
(tests executed on clean, disposable machines)
iptables-persistent 1.0.11, iptables-nft
```
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables --version
iptables v1.8.2 (nf_tables)
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables -t raw -A OUTPUT -j ACCEPT
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables -t raw -P OUTPUT DROP
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# netfilter-persistent flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables flush
Warning: skipping IPv6 (Kernel support is missing)
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables -t raw -vL -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
37 4588 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
```
iptables-persistent 1.0.11, iptables-legacy
```
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables --version
iptables v1.8.2 (legacy)
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables -t raw -A OUTPUT -j ACCEPT
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# iptables -t raw -P OUTPUT DROP
root@582b56c2-64ea-4ba4-87f2-a314502ef3a4:~# netfilter-persistent flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables flush
Timeout, server localhost not responding.
```
iptables-persistent 1.0.14, iptables-nft
```
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables --version
iptables v1.8.2 (nf_tables)
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -A OUTPUT -j ACCEPT
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -P OUTPUT DROP
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# netfilter-persistent flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables flush
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -vL -n
Chain PREROUTING (policy ACCEPT 16 packets, 964 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 9 packets, 1012 bytes)
pkts bytes target prot opt in out source destination
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~#
```
iptables-persistent 1.0.14, iptables-legacy
```
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables --version
iptables v1.8.2 (legacy)
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -A OUTPUT -j ACCEPT
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -P OUTPUT DROP
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# netfilter-persistent flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables flush
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables flush
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~# iptables -t raw -vL -n
Chain PREROUTING (policy ACCEPT 18 packets, 1064 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 10 packets, 1168 bytes)
pkts bytes target prot opt in out source destination
root@8befc9a8-c89d-4626-a7a3-77d61680b6e8:~#
```
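A flush routine that avoids the lockout shown in the legacy transcript above (policy DROP left behind once the ACCEPT rule is gone), written as an added example for this thread; it is not the iptables-persistent plugin's own code, and `reset_firewall`, `reset_table`, `DRY_RUN` and `IPT` are names chosen here:

```shell
#!/bin/sh
# Added example, not the iptables-persistent plugin itself: reset every
# iptables table to an open state by setting the built-in chains' policy
# to ACCEPT *before* flushing, so a DROP policy on e.g. raw/OUTPUT cannot
# survive the removal of the ACCEPT rule that was keeping traffic alive.
# With DRY_RUN=1 the iptables commands are printed instead of executed.
set -e

IPT=${IPT:-iptables}

# Built-in chains of each table, as fixed by the kernel.
builtin_chains() {
    case "$1" in
        filter|security) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      echo "" ;;
    esac
}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Order matters: policies first, then flush, zero, delete user chains.
reset_table() {
    t=$1
    for c in $(builtin_chains "$t"); do
        run "$IPT" -t "$t" -P "$c" ACCEPT
    done
    run "$IPT" -t "$t" -F   # drop all rules in every chain of the table
    run "$IPT" -t "$t" -Z   # zero the packet/byte counters
    run "$IPT" -t "$t" -X   # delete the now-empty user-defined chains
}

# Tables to reset: the caller's list, else the tables the legacy backend
# reports as loaded; iptables-nft keeps its tables in nf_tables and does
# not populate that file, so fall back to the full set of known tables.
reset_firewall() {
    if [ $# -gt 0 ]; then
        tables="$*"
    else
        tables=$(cat /proc/net/ip_tables_names 2>/dev/null || true)
        [ -n "$tables" ] || tables="filter nat mangle raw security"
    fi
    for t in $tables; do
        reset_table "$t"
    done
}
```

Run `DRY_RUN=1 reset_firewall raw` first to confirm the `-P ... ACCEPT` lines come out before the `-F`; the same ordering is what keeps an SSH session alive through a real flush.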
From looking over the diff:
1) the whitespace unification makes it quite hard to find some of the
real changes
ACK
2) debhelper compat changes and the dh-exec migration aren't really
"minimal changes required to resolve the issue", and generally wouldn't
be appropriate for a change in stable
ACK
3) Does this hunk:
--- iptables-persistent-1.0.11/debian/ipset-persistent.prerm 1970-01-01
01:00:00.000000000 +0100
+++ iptables-persistent-1.0.14+deb10u1/debian/ipset-persistent.prerm
2020-06-21 21:12:04.000000000 +0200
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+# Remove alternatives
+update-alternatives --remove-all ipset.service
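Review bot: `update-alternatives --remove-all ipset.service` on the last line of this new prerm deletes every alternative registered under that name, including one a local administrator may have added, and because the script has no `case "$1"` guard it also runs on `prerm upgrade` and `prerm deconfigure`, not only on removal. Suggest removing only the entry this package registers, e.g. `update-alternatives --remove ipset.service <path registered in this package's postinst>`, inside `case "$1" in remove|deconfigure) ... ;; esac`, so an upgrade leaves the alternative untouched and other providers' entries survive.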
Do exactly what it suggests and remove any alternative using that name,
whether or not it was installed by this package? Again, how does this
benefit users of the package in stable, given that nothing else is
providing or using the alternatives?
It does not benefit them (I don't think it harms them either unless they
have a local alternative setup; then I got your point)
As a side note:
+ * Rebuild for buster-updates.
Even if this gets to proposed-updates, and subsequently buster, buster-updates
is an additional suite that this request definitely does need to
meet the requirements for.
ACK
Would you accept an upload fixing #961589 [2], #963012 [3], changing
the flush mechanism [4] and allowing granular configuration of the save
action [5]?
thanks!
Regards,
Adam
[1] https://salsa.debian.org/debian/iptables-persistent/-/blob/debian/1.0.11/plugins/15-ip4tables#L46
[2] https://salsa.debian.org/debian/iptables-persistent/-/commit/401a9f1e003a6077805eec1902f9dd394ffebd34
[3] calls to log_action_cont_msg() were removed in the same commit as above
[4] https://salsa.debian.org/debian/iptables-persistent/-/commit/9339383b737cbba3c030c90d4ab796c20141b44c
[5] https://salsa.debian.org/debian/iptables-persistent/-/commit/d5726cd710514185f09d698f458cff773ea8e32a
--
IRC: gfa
GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5
OLD GPG: 0x44BB1BA79F6C6333