Package: iptables-persistent
Version: 1.0.3
Despite configuring a system not to use ipv6, the script
from iptables-persistent fails to complete properly and
save just the ipv4 rules. There are a couple problems:
(1) Tries to load ipv6 module load in ../plugins.d/25-ip6tables
while the script runs under "set -e" but some systems will
have e.g. "install ip6table_filter /bin/true" in modprobe.conf
and the modprobe will fail. save_rules() correctly tests for
/proc/net/ip6_tables_names to skip but won't even get that
far due to "set -e" as in:
$ sudo bash -x 25-ip6tables save || echo failed
+ set -e
+ rc=0
+ case "$1" in
+ save_rules
+ /sbin/modprobe -q ip6table_filter
failed
(2) Even if we allow the modules to install, we still have issue
because of ipv6.disable=1 on /proc/cmdline, e.g.:
$ sudo bash -x 25-ip6tables save || echo failed
+ set -e
+ rc=0
+ case "$1" in
+ save_rules
+ /sbin/modprobe -q ip6table_filter
+ '[' '!' -f /proc/net/ip6_tables_names ']'
+ '[' -x /sbin/ip6tables-save ']'
+ ip6tables-save
ip6tables-save v1.4.21: Cannot initialize: Address family not
supported by protocol
failed
(and for completeness, in case it's relevant:)
$ sudo debconf-show iptables-persistent
* iptables-persistent/autosave_v6: false
* iptables-persistent/autosave_v4: true
Since the running kernel lacking v6 means save/load failure is
not an error that iptables-persist needs to notify the user about
(he likely knows already that ipv6 is disabled completely in kernel),
I would suggest not even warning about this, and just skip, e.g.:
test -e /proc/sys/net/ipv6 || { true; exit; }
as first line of 25-ip6tables script (prior to "set -e").
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
