Bug#1022231: iptables-persistent: Pre-existing /etc/iptables/rules.v4 is overwritten when installing

Christian Buhtz

Oct 22, 2022, 7:20:04 AM
Package: iptables-persistent
Severity: normal

I had an existing /etc/iptables/rules.v4 file on my system.
In the next step I installed "iptables-persistent" and said yes to both
questions about saving current existing rules.

Then the file and my rules in it were gone.
That shouldn't happen.

When you want to touch that file, then add content to it but do not overwrite it.


-- System Information:
Debian Release: 11.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-18-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables-persistent depends on:
ii debconf [debconf-2.0] 1.5.77
ii iptables 1.8.7-1
pn netfilter-persistent <none>

gustavo panizzo

Oct 22, 2022, 10:30:03 AM
Hello

On Sat, Oct 22, 2022 at 11:11:41AM +0000, Christian Buhtz wrote:
>Package: iptables-persistent
>Severity: normal
>
>I had an existing /etc/iptables/rules.v4 file on my system.
>In the next step I installed "iptables-persistent" and said yes to both
>questions about saving current existing rules.
>

If you ask the package to save the rules, it will save them; it is the
expected behaviour.

>Then the file and my rules in it were gone.
>That shouldn't happen.

If you want your previously saved rules to be kept, just don't save the
current ruleset.

>
>When you want to touch that file, then add content to it but do not overwrite it.
>

No, I don't want to add content; I want to "atomically" save the current
ruleset. If content is added on top of the previously saved ruleset, I
don't know what the result can be.

iptables rules are order dependent, so just appending them will not work
as desired most of the time.


>
>-- System Information:
>Debian Release: 11.5
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
>'stable')
>Architecture: amd64 (x86_64)
>Foreign Architectures: i386
>
>Kernel: Linux 5.10.0-18-amd64 (SMP w/4 CPU threads)
>Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
>Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not
>set
>Shell: /bin/sh linked to /bin/dash
>Init: systemd (via /run/systemd/system)
>LSM: AppArmor: enabled
>
>Versions of packages iptables-persistent depends on:
>ii debconf [debconf-2.0] 1.5.77
>ii iptables 1.8.7-1
>pn netfilter-persistent <none>

--
IRC: gfa
GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5
OLD GPG: 0x44BB1BA79F6C6333

c.b...@posteo.jp

Oct 22, 2022, 2:40:03 PM
But silently overriding isn't a solution.

> if you ask the package to save the rules it will save them, it is the
> expected behaviour

But overriding isn't expected.

Then warn the user about that overriding.

And one other bug is that it tries to "save rules" and asks about that
even if there are no active rules.

> iptables rules are order dependent

I know, but the user needs to care about it, not a package maintainer.
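
Added example, not part of the thread and not code from iptables-persistent: a shell function that replaces a saved ruleset as a whole through a same-directory temp file and rename (the "atomic" save discussed above), while keeping a timestamped copy of a differing previous file and reporting it instead of overwriting silently. The name `save_ruleset` and the `.bak` naming are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from iptables-persistent.
# save_ruleset DEST CMD [ARGS...]: run CMD (for example iptables-save) and
# install its output as DEST without losing or half-writing the old file.
save_ruleset() {
    dest=$1
    shift
    dir=$(dirname "$dest")
    # Temp file in DEST's directory, so the final mv is a same-filesystem
    # rename and readers never see a partial ruleset. mktemp creates it 0600.
    tmp=$(mktemp "$dir/.rules.XXXXXX") || return 1

    # Dump first. If the dump command fails, DEST is left untouched.
    if ! "$@" > "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi
    # An empty dump would replace saved rules with nothing: refuse it.
    if [ ! -s "$tmp" ]; then
        rm -f -- "$tmp"
        echo "save_ruleset: empty dump, $dest left unchanged" >&2
        return 2
    fi
    if [ -e "$dest" ]; then
        # Nothing to do when the saved file already matches.
        if cmp -s -- "$tmp" "$dest"; then
            rm -f -- "$tmp"
            return 0
        fi
        # Keep the previous file and say so, instead of a silent overwrite.
        backup="$dest.$(date +%Y%m%d%H%M%S).bak"
        if ! cp -p -- "$dest" "$backup"; then
            rm -f -- "$tmp"
            return 1
        fi
        echo "save_ruleset: previous $dest kept as $backup" >&2
    fi
    # Replace as a whole; never append, since rule order decides the verdict.
    mv -f -- "$tmp" "$dest"
}

# Typical call on a real system (needs root and iptables-save):
#   save_ruleset /etc/iptables/rules.v4 iptables-save
```

The same function works for `rules.v6` with `ip6tables-save` as the command.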