Package: iptables-persistent
Version: 1.0.3

Despite configuring a system not to use ipv6, the script from iptables-persistent fails to complete properly and save just the ipv4 rules. There are a couple problems:

(1) Tries to load ipv6 module in ../plugins.d/25-ip6tables while the script runs under "set -e" but some systems will have e.g. "install ip6table_filter /bin/true" in modprobe.conf and the modprobe will fail. save_rules() correctly tests for /proc/net/ip6_tables_names to skip but won't even get that far due to "set -e" as in:

  $ sudo bash -x 25-ip6tables save || echo failed
  + set -e
  + rc=0
  + case "$1" in
  + save_rules
  + /sbin/modprobe -q ip6table_filter
  failed

(2) Even if we allow the modules to install, we still have an issue because of ipv6.disable=1 on /proc/cmdline, e.g.:

  $ sudo bash -x 25-ip6tables save || echo failed
  + set -e
  + rc=0
  + case "$1" in
  + save_rules
  + /sbin/modprobe -q ip6table_filter
  + '[' '!' -f /proc/net/ip6_tables_names ']'
  + '[' -x /sbin/ip6tables-save ']'
  + ip6tables-save
  ip6tables-save v1.4.21: Cannot initialize: Address family not supported by protocol
  failed

(and for completeness, in case it's relevant:)

  $ sudo debconf-show iptables-persistent
  * iptables-persistent/autosave_v6: false
  * iptables-persistent/autosave_v4: true

Since the running kernel lacking v6 means save/load failure is not an error that iptables-persist needs to notify the user about (he likely knows already that ipv6 is disabled completely in kernel), I would suggest not even warning about this, and just skip, e.g.:

  test -e /proc/sys/net/ipv6 || { true; exit; }

as first line of 25-ip6tables script (prior to "set -e").
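
The two failure modes above, handled in one save path. This is an added sketch, not the package's 25-ip6tables script and not part of the report; PROC_ROOT, MODPROBE and SAVE_CMD are hypothetical override variables introduced here so the checks can be run against a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Added sketch: a "save" path for an ip6tables plugin run under "set -e".
# PROC_ROOT, MODPROBE and SAVE_CMD are hypothetical overrides (not in the
# package) so the logic can be exercised without root or a real kernel.
set -e

PROC_ROOT="${PROC_ROOT:-/proc}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
SAVE_CMD="${SAVE_CMD:-/sbin/ip6tables-save}"

# True only when the running kernel exposes an IPv6 stack; the report's
# proposed guard tests the same path (/proc/sys/net/ipv6).
ipv6_available() {
    [ -e "$PROC_ROOT/sys/net/ipv6" ]
}

# Save IPv6 rules to file $1.
# Returns 0 without touching $1 when there is nothing to save; returns the
# save command's status otherwise, so genuine failures still surface.
save_rules_v6() {
    # Problem (2): kernel has no IPv6 at all -> skip silently.
    ipv6_available || return 0
    # Problem (1): a failing modprobe must not trip "set -e"; whether the
    # tables exist is decided by the /proc check on the next line instead.
    "$MODPROBE" -q ip6table_filter || true
    [ -f "$PROC_ROOT/net/ip6_tables_names" ] || return 0
    "$SAVE_CMD" > "$1"
}

# Usage: script save <output-file>
case "${1:-}" in
    save) save_rules_v6 "${2:?output file required}" ;;
esac
```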