Package: iptables-persistent
Version: 1.0.11
Severity: important

root@jens:~# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
# Warning: ip6tables-legacy tables present, use ip6tables-legacy-save to see them

There are no legacy tables present, though:

root@jens:~# iptables -nvL
Chain INPUT (policy ACCEPT 4768 packets, 551K bytes)
 pkts bytes target     prot opt in     out     source               destination
[…]
 1580 96616 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@jens:~# iptables-legacy -nvL
Chain INPUT (policy ACCEPT 586 packets, 39772 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 10 packets, 760 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 387 packets, 124K bytes)
 pkts bytes target     prot opt in     out     source               destination

The warning comes because the legacy kernel modules are loaded.
Calling iptables-legacy will auto-load them, so we blacklist them…

root@jens:~# cat /etc/modprobe.d/iptables-legacy.conf 
blacklist arptable_filter
blacklist ebtable_broute
blacklist ebtable_filter
blacklist ebtable_nat
blacklist ip6table_filter
blacklist ip6table_mangle
blacklist ip6table_nat
blacklist ip6table_raw
blacklist ip6table_security
blacklist iptable_filter
blacklist iptable_mangle
blacklist iptable_nat
blacklist iptable_raw
blacklist iptable_security

… but then it errors out like this:

root@jens:~# netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
Warning: skipping IPv4 (Kernel support is missing)
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
/usr/share/netfilter-persistent/plugins.d/25-ip6tables: 36: /usr/share/netfilter-persistent/plugins.d/25-ip6tables: log_action_cont_msg: not found
run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 127

This is two errors in one, but the log_action_cont_msg bug
is already reported elsewhere, so I’ll concentrate on the
15-ip4tables one (which probably also affects 25-ip6tables,
though).

The code in question:
        save_rules()
        {
                #save IPv4 rules
                #need at least iptable_filter loaded:
                modprobe -b -q iptable_filter || true
                if [ ! -f /proc/net/ip_tables_names ]; then
                        echo "Warning: skipping IPv4 (Kernel support is missing)"

This is doubly wrong. The iptable_filter module and
*especially* /proc/net/ip_tables_names are used ONLY
by iptables-legacy; see the following for details:
https://bugzilla.redhat.com/show_bug.cgi?id=1668007

Effectively, iptables-persistent in buster forces
the use of iptables-legacy ONLY.
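For illustration, here is a backend-neutral way to write that check. This is an added example, not the Debian package's plugin code: it asks the iptables binaries themselves whether the kernel can serve the tables instead of probing iptable_filter and /proc/net/ip_tables_names, which only the legacy backend creates. The function names detect_backend and ipv4_supported, the IPTABLES/IPTABLES_SAVE/RULES_FILE variables and the ./rules.v4 destination are assumptions for this example (the plugin's real destination path is not shown in the report), and it assumes iptables-save exits nonzero and prints no table header when the active backend cannot talk to the kernel.

```shell
#!/bin/sh
# Added example (not the iptables-persistent code): a save_rules() check that
# works with both the nf_tables and the legacy iptables backend.

# Commands and paths are variables so they can be pointed at stubs for testing.
IPTABLES=${IPTABLES:-iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
# Stand-in destination; the real plugin's path is not shown in the report.
RULES_FILE=${RULES_FILE:-./rules.v4}

# Prints "nf_tables" or "legacy" based on what `iptables -V` reports
# (iptables 1.8 prints e.g. "iptables v1.8.2 (nf_tables)"), else "unknown".
detect_backend() {
    case "$("$IPTABLES" -V 2>/dev/null)" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Returns 0 when the kernel can serve IPv4 tables through the active backend:
# iptables-save must succeed and emit at least one "*table" header. No
# legacy-only /proc file or module is consulted, so the nf_tables backend
# is no longer treated as "kernel support missing".
ipv4_supported() {
    out=$("$IPTABLES_SAVE" 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -q '^\*'
}

# Saves the ruleset to RULES_FILE. Returns 0 when saved, 2 when skipped
# because kernel support is missing (the caller can log a warning instead of
# dying), 1 when writing the file fails.
save_rules() {
    if ! ipv4_supported; then
        echo "Warning: skipping IPv4 ($(detect_backend) backend: kernel support is missing)" >&2
        return 2
    fi
    "$IPTABLES_SAVE" > "$RULES_FILE" || return 1
    return 0
}
```

Sourced into a plugin, `save_rules` replaces the modprobe/proc probe; on a buster host with the nf_tables alternative selected it saves the live nft-backed ruleset, and with the legacy modules blacklisted it still reports the right reason when nothing can be saved.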

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables-persistent depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  iptables               1.8.2-4
ii  netfilter-persistent   1.0.11

iptables-persistent recommends no packages.

iptables-persistent suggests no packages.

-- debconf information:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LC_CTYPE = "C.UTF-8",
        LC_MESSAGES = "en_GB.utf8",
        LC_MEASUREMENT = "en_GB.utf8",
        LC_PAPER = "en_GB.utf8",
        LANG = "de_DE.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("de_DE.UTF-8").
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
  iptables-persistent/autosave_v6: true
  iptables-persistent/autosave_v4: true
