Package: iptables-persistent
Version: 1.0.3

Despite configuring a system not to use ipv6, the script
from iptables-persistent fails to complete properly and
save just the ipv4 rules.  There are a couple of problems:

  (1) Tries to load the ipv6 module in ../plugins.d/25-ip6tables
while the script runs under "set -e" but some systems will
have e.g. "install ip6table_filter /bin/true" in modprobe.conf
and the modprobe will fail.  save_rules() correctly tests for
/proc/net/ip6_tables_names to skip but won't even get that
far due to "set -e" as in:

    $ sudo bash -x 25-ip6tables save || echo failed
    + set -e
    + rc=0
    + case "$1" in
    + save_rules
    + /sbin/modprobe -q ip6table_filter
    failed

  (2) Even if we allow the modules to install, we still have an issue
because of ipv6.disable=1 on /proc/cmdline, e.g.:

    $ sudo bash -x 25-ip6tables save || echo failed
    + set -e
    + rc=0
    + case "$1" in
    + save_rules
    + /sbin/modprobe -q ip6table_filter
    + '[' '!' -f /proc/net/ip6_tables_names ']'
    + '[' -x /sbin/ip6tables-save ']'
    + ip6tables-save
    ip6tables-save v1.4.21: Cannot initialize: Address family not supported by protocol
    failed

(and for completeness, in case it's relevant:)

    $ sudo debconf-show iptables-persistent
    * iptables-persistent/autosave_v6: false
    * iptables-persistent/autosave_v4: true

Since the running kernel lacking v6 means save/load failure is
not an error that iptables-persistent needs to notify the user about
(he likely knows already that ipv6 is disabled completely in the kernel),
I would suggest not even warning about this, and just skipping, e.g.:

    test -e /proc/sys/net/ipv6 || { true; exit; }

as first line of 25-ip6tables script (prior to "set -e").

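Added example, not part of the bug report and not the iptables-persistent plugin itself: a cut-down version of the 25-ip6tables "save" path, generated with and without the suggested guard line, and exercised against a constructed fake /proc tree plus stubbed modprobe and ip6tables-save commands so it runs without root or a real ip6tables. The PROC_ROOT, MODPROBE, IP6TABLES_SAVE and RULES_V6 overrides, the STUB_MODPROBE_RC / STUB_SAVE_RC variables and the scenario helper are assumptions made for this example; the real plugin hardcodes /proc, /sbin and /etc/iptables/rules.v6.

```sh
#!/bin/sh
# Example code (not the iptables-persistent plugin): reproduces the two
# failures from the report against the original save path and shows the
# guard turning them into a silent skip. All overrides below are assumptions
# for this example; the real plugin uses /proc, /sbin and /etc/iptables.

# write_plugin FILE MODE   (MODE: original | fixed)
write_plugin() {
    {
        echo '#!/bin/sh'
        if [ "$2" = fixed ]; then
            # the suggested first line: with ipv6.disable=1 the kernel never
            # creates /proc/sys/net/ipv6, so exit 0 before "set -e" applies
            echo 'test -e "${PROC_ROOT:-/proc}/sys/net/ipv6" || { true; exit; }'
        fi
        cat <<'EOF'
set -e
rc=0
save_rules() {
    "${MODPROBE:-/sbin/modprobe}" -q ip6table_filter
    if [ ! -f "${PROC_ROOT:-/proc}/net/ip6_tables_names" ]; then
        return 0
    fi
    if [ -x "${IP6TABLES_SAVE:-/sbin/ip6tables-save}" ]; then
        "${IP6TABLES_SAVE:-/sbin/ip6tables-save}" > "${RULES_V6:-/etc/iptables/rules.v6}"
    fi
}
case "$1" in
    save) save_rules ;;
    *) echo "usage: $0 save" >&2; rc=1 ;;
esac
exit $rc
EOF
    } > "$1"
    chmod +x "$1"
}

# write_stubs DIR: constructed stand-ins for modprobe and ip6tables-save,
# whose exit codes are driven by STUB_MODPROBE_RC / STUB_SAVE_RC
write_stubs() {
    cat > "$1/modprobe" <<'EOF'
#!/bin/sh
exit "${STUB_MODPROBE_RC:-0}"
EOF
    cat > "$1/ip6tables-save" <<'EOF'
#!/bin/sh
if [ "${STUB_SAVE_RC:-0}" -ne 0 ]; then
    echo "ip6tables-save: Cannot initialize: Address family not supported by protocol" >&2
    exit "$STUB_SAVE_RC"
fi
printf '*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n'
EOF
    chmod +x "$1/modprobe" "$1/ip6tables-save"
}

# scenario MODE IPV6 TABLES MODPROBE_RC SAVE_RC
#   IPV6=1    create the fake /proc/sys/net/ipv6 (kernel has IPv6)
#   TABLES=1  create the fake /proc/net/ip6_tables_names
#   *_RC      exit codes handed to the two stubs
# Prints whatever the plugin saved and returns the plugin's exit status.
scenario() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/net" "$root/sys/net"
    if [ "$2" = 1 ]; then mkdir -p "$root/sys/net/ipv6"; fi
    if [ "$3" = 1 ]; then : > "$root/net/ip6_tables_names"; fi
    write_stubs "$root"
    write_plugin "$root/25-ip6tables" "$1"
    if PROC_ROOT=$root MODPROBE=$root/modprobe IP6TABLES_SAVE=$root/ip6tables-save \
       RULES_V6=$root/rules.v6 STUB_MODPROBE_RC=$4 STUB_SAVE_RC=$5 \
       sh "$root/25-ip6tables" save; then
        rc=0
    else
        rc=$?
    fi
    if [ -f "$root/rules.v6" ]; then cat "$root/rules.v6"; fi
    rm -rf "$root"
    return $rc
}

# demo: the two cases from the report, for both plugin variants, then a save
demo() {
    for mode in original fixed; do
        printf '%-8s ipv6.disable=1, modprobe fails:       ' "$mode"
        if scenario "$mode" 0 0 1 1 >/dev/null 2>&1; then echo ok; else echo failed; fi
        printf '%-8s ipv6.disable=1, ip6tables-save fails: ' "$mode"
        if scenario "$mode" 0 1 0 1 >/dev/null 2>&1; then echo ok; else echo failed; fi
    done
    echo 'fixed    IPv6 present, rules saved:'
    scenario fixed 1 1 0 0
}
if [ "${1:-}" = demo ]; then demo; fi
```

Running the file with the argument demo prints "failed" twice for the original variant, "ok" twice for the fixed one, and then the stub's rule dump for a kernel with IPv6. One caveat before adopting the guard: /proc/sys/net/ipv6 is also absent on a kernel where IPv6 is built as a module that has not been loaded yet, so the guard skips there as well; for the save path that is harmless, since no ip6_tables can be registered without the ipv6 module, but a load path placed behind the same line would not get a chance to modprobe it.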
