Hey! It'd be nice to have an option to use `ip[6]tables --noflush` so that existing rules aren't flushed on start/load.
Debdiff attached. I'll try and submit a proper git-based merge once an account on Salsa is made available. For now, just keeping the changes here too.

This also fixes a couple of bugs in `plugins/25-ip6tables`.

Thanks!
Mauricio

Before:
---

Add transient rules for 1.1.1.1:

# iptables -A INPUT -p icmp -s 1.1.1.1 -j DROP
# ip6tables -A INPUT -p icmp -s 2606:4700:4700::1111 -j DROP

# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  1.1.1.1              0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# ip6tables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp     2606:4700:4700::1111 ::/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Load configured rules for 1.0.0.1:

# grep -H ^ /etc/iptables/rules.v4 /etc/iptables/rules.v6
/etc/iptables/rules.v4:# Generated by iptables-save v1.8.7 on Wed Nov 3 20:43:56 2021
/etc/iptables/rules.v4:*filter
/etc/iptables/rules.v4::INPUT ACCEPT [0:0]
/etc/iptables/rules.v4::FORWARD ACCEPT [0:0]
/etc/iptables/rules.v4::OUTPUT ACCEPT [0:0]
/etc/iptables/rules.v4:-A INPUT -s 1.0.0.1/32 -p icmp -j DROP
/etc/iptables/rules.v4:COMMIT
/etc/iptables/rules.v4:# Completed on Wed Nov 3 20:43:56 2021
/etc/iptables/rules.v6:# Generated by ip6tables-save v1.8.7 on Wed Nov 3 20:43:56 2021
/etc/iptables/rules.v6:*filter
/etc/iptables/rules.v6::INPUT ACCEPT [0:0]
/etc/iptables/rules.v6::FORWARD ACCEPT [0:0]
/etc/iptables/rules.v6::OUTPUT ACCEPT [0:0]
/etc/iptables/rules.v6:-A INPUT -s 2606:4700:4700::1001/128 -p icmp -j DROP
/etc/iptables/rules.v6:COMMIT
/etc/iptables/rules.v6:# Completed on Wed Nov 3 20:43:56 2021

# netfilter-persistent start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start

The existing rules for 1.1.1.1 have been flushed:

# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  1.0.0.1              0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# ip6tables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp     2606:4700:4700::1001 ::/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

After:
---

Start over; the same thing happens by default (i.e., no behavior changes).

Then repeat with these new config options enabled:

# tail -n4 /etc/default/netfilter-persistent
# Set to yes for not flushing existing ip[6]tables rules when netfilter-persistent
# is called with the start parameter
IPTABLES_RESTORE_NOFLUSH=yes
IP6TABLES_RESTORE_NOFLUSH=yes

# netfilter-persistent start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start

The existing rules for 1.1.1.1 are still there:

# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  1.1.1.1              0.0.0.0/0
DROP       icmp --  1.0.0.1              0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# ip6tables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp     2606:4700:4700::1111 ::/0
DROP       icmp     2606:4700:4700::1001 ::/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-- 
Mauricio Faria de Oliveira
Attachment: bug998416.debdiff (binary data)
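The following is an added example, not code from this bug report and not the netfilter-persistent package's own plugin code. It models the proposed option in plain POSIX sh: `restore_cmd` derives the `iptables-restore` invocation from a `/etc/default/netfilter-persistent`-style file (the assumption, hypothetical here, is that the plugin sources that file and honours `IPTABLES_RESTORE_NOFLUSH=yes`), and `simulate_restore` replays, offline and without touching the kernel, what the report's "before" and "after" runs showed for the INPUT chain. It also demonstrates the operational caveat of `--noflush` that a deployer should plan for: because the rules file contains `-A` lines and the chain is no longer emptied first, every further `netfilter-persistent start` appends those rules again, so the loaded rule set grows with duplicates unless the file is kept idempotent or restarts are avoided. All file contents are constructed samples mirroring the ones in the report.

```shell
#!/bin/sh
# Added example: not code from the bug report or from netfilter-persistent.
# It models the proposed IPTABLES_RESTORE_NOFLUSH option and simulates,
# offline, how the loaded INPUT rules change with and without --noflush.

# Print the iptables-restore command the 15-ip4tables plugin would run for a
# given /etc/default/netfilter-persistent file.  Assumption (hypothetical
# plugin logic): the file is sourced and IPTABLES_RESTORE_NOFLUSH=yes selects
# --noflush; anything else keeps today's flushing behaviour.
restore_cmd() {
    IPTABLES_RESTORE_NOFLUSH=no
    . "$1"
    if [ "$IPTABLES_RESTORE_NOFLUSH" = yes ]; then
        printf '%s\n' 'iptables-restore --noflush'
    else
        printf '%s\n' 'iptables-restore'
    fi
}

# Offline model of iptables-restore.  $1 is flush|noflush, $2 a file holding
# the currently loaded -A rules, $3 a rules file in iptables-save format.
# Only "-A" lines are modelled; "# ...", "*filter", ":CHAIN POLICY [0:0]" and
# COMMIT lines are skipped.  With "flush" the chain is emptied first, which is
# what iptables-restore does by default; with "noflush" the file's rules are
# simply appended after whatever is already loaded.
simulate_restore() {
    if [ "$1" = flush ]; then
        : > "$2"
    fi
    grep '^-A ' "$3" >> "$2" || true
}

# Number of loaded rules containing the string $2 (a duplicate detector).
rule_count() {
    grep -c -F -- "$2" "$1" || true
}

# Write a constructed rules.v4 mirroring the one in the report to file $1.
sample_rules_v4() {
    cat > "$1" <<'EOF'
# constructed sample in iptables-save format
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 1.0.0.1/32 -p icmp -j DROP
COMMIT
EOF
}

# Replay the report's scenario on temporary files and print each outcome.
demo() {
    d=$(mktemp -d)
    printf 'IPTABLES_RESTORE_NOFLUSH=yes\n' > "$d/netfilter-persistent"
    sample_rules_v4 "$d/rules.v4"
    echo "plugin would run: $(restore_cmd "$d/netfilter-persistent") < rules.v4"

    # A transient rule added by hand before "netfilter-persistent start".
    printf '%s\n' '-A INPUT -s 1.1.1.1/32 -p icmp -j DROP' > "$d/loaded"
    simulate_restore flush "$d/loaded" "$d/rules.v4"
    echo "after start with the default (flush):"; cat "$d/loaded"

    printf '%s\n' '-A INPUT -s 1.1.1.1/32 -p icmp -j DROP' > "$d/loaded"
    simulate_restore noflush "$d/loaded" "$d/rules.v4"
    echo "after start with --noflush:"; cat "$d/loaded"

    # Caveat: a second start with --noflush appends the file's rules again.
    simulate_restore noflush "$d/loaded" "$d/rules.v4"
    echo "after a second start with --noflush (duplicate rule):"; cat "$d/loaded"
    rm -rf "$d"
}

demo
```

Run it as `sh noflush-demo.sh`; no root and no iptables binary are needed, since the kernel rule set is only modelled as a text file. The duplicate-rule outcome of the last step is why a deployment that enables `--noflush` should check `iptables -S INPUT | sort | uniq -d` (or the equivalent for ip6tables) after restarts, or keep the persisted file limited to rules that are safe to apply repeatedly.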