Hello,

On 07/12/2025 01:17, Edmund H. Ramm wrote:
Cher ami Benoit,
this is what I find on my machine:
/root # ls -alF /usr/sbin/iptables*
lrwxrwxrwx 1 root root 26 Dec 4 2020 /usr/sbin/iptables -> /etc/alternatives/iptables*
-rwxr-xr-x 1 root root 7052 Aug 12 2023 /usr/sbin/iptables-apply*
lrwxrwxrwx 1 root root 20 Nov 20 2024 /usr/sbin/iptables-legacy -> xtables-legacy-multi*
lrwxrwxrwx 1 root root 20 Nov 20 2024 /usr/sbin/iptables-legacy-restore -> xtables-legacy-multi*
lrwxrwxrwx 1 root root 20 Nov 20 2024 /usr/sbin/iptables-legacy-save -> xtables-legacy-multi*
lrwxrwxrwx 1 root root 17 Nov 20 2024 /usr/sbin/iptables-nft -> xtables-nft-multi*
lrwxrwxrwx 1 root root 17 Nov 20 2024 /usr/sbin/iptables-nft-restore -> xtables-nft-multi*
lrwxrwxrwx 1 root root 17 Nov 20 2024 /usr/sbin/iptables-nft-save -> xtables-nft-multi*
lrwxrwxrwx 1 root root 34 Dec 4 2020 /usr/sbin/iptables-restore -> /etc/alternatives/iptables-restore*
lrwxrwxrwx 1 root root 17 Nov 20 2024 /usr/sbin/iptables-restore-translate -> xtables-nft-multi*
lrwxrwxrwx 1 root root 31 Dec 4 2020 /usr/sbin/iptables-save -> /etc/alternatives/iptables-save*
lrwxrwxrwx 1 root root 17 Nov 20 2024 /usr/sbin/iptables-translate -> xtables-nft-multi*
i.e. the iptables-commands which work fine with firehol are four years
older than the "legacy" variants.
Can you send a diff(1) file of your changes ?/usr/libexec/firehol/firehol: 263,266d262 < IPTABLES_CMD=/usr/sbin/iptables < IPTABLES_SAVE_CMD=/usr/sbin/iptables-save < IPTABLES_RESTORE_CMD=/usr/sbin/iptables-restore < I inserted the above right at the start of the "GLOBAL" section.
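Review bot: the three assignments at 263-265 name the unsuffixed /usr/sbin/iptables, /usr/sbin/iptables-save and /usr/sbin/iptables-restore, which the ls listing above shows to be /etc/alternatives links, so the backend FireHOL ends up with is decided by the alternatives selection and not by this file. Naming the intended variant explicitly (with its -save and -restore counterparts) would make the choice visible in the script. The diff also reads as a deletion (263,266d262), so it appears to have been taken modified-versus-original; sending it original-versus-modified would show the lines as additions.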
Very bad idea, because those changes may not be backed up and they may disappear at the next upgrade. The variables are actually set in /usr/lib/firehol/install.config. They are set via a which. This choice allows us to overcome the programmed disappearance of the /sbin folder in favour of the /usr/sbin/ folder. Whatever. Here are the lines concerned:

IPTABLES_CMD="`which iptables-legacy`"
IPTABLES_RESTORE_CMD="`which iptables-legacy-restore`"
IPTABLES_SAVE_CMD="`which iptables-legacy-save`"

The iptables-legacy[,-restore,-save] are links to xtables-legacy-multi on my bookworm box and in Sid. On the other hand, the iptables[,-restore,-save] are alternatives (see update-alternatives(1)). The Firehol suite works only with the legacy stuff.

At this stage, I suspect some mess-up on your side (I know by experience it can happen very quickly). In particular, your xtables-legacy-multi seems to be a link (as suggested by the star attached to it in your output of "ls -alF /usr/sbin/iptables*"). Can you double check that your iptables-legacy[,-restore,-save] are really the expected ones?

Cheers,
Jerome

PS: please let us keep sharing the issue on bugs.debian.org.
Yours sincerely,
Eddi ._._.
--
Jerome BENOIT | calculus+at-rezozer^dot*net
https://qa.debian.org/[email protected]
AE28 AE15 710D FF1D 87E5 A762 3F92 19A6 7F36 C68B
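Added example (not part of the original message and not FireHOL code): a POSIX shell check for the question asked above, namely whether iptables-legacy[,-restore,-save] really end at xtables-legacy-multi. The function names and the sample tree are constructed for illustration, and the alternatives target used in the sample is an assumption because the listing does not show it.

```shell
#!/bin/sh
# Added example: report which xtables backend each iptables command resolves to.

# Print "legacy", "nft" or "unknown" for the file a command path finally ends at.
backend_of() {
    target=$(readlink -f -- "$1" 2>/dev/null) || { echo unknown; return; }
    case "${target##*/}" in
        xtables-legacy-multi) echo legacy ;;
        xtables-nft-multi)    echo nft ;;
        *)                    echo unknown ;;
    esac
}

# Check the three commands that install.config looks up with `which`.
# $1 is the directory to inspect (default /usr/sbin); returns 1 on any mismatch.
check_legacy_trio() {
    dir=${1:-/usr/sbin}
    rc=0
    for cmd in iptables-legacy iptables-legacy-restore iptables-legacy-save; do
        got=$(backend_of "$dir/$cmd")
        printf '%-26s %s\n' "$cmd" "$got"
        [ "$got" = legacy ] || rc=1
    done
    return $rc
}

# Constructed sample tree modelled on the listing in the thread. $1 must be an
# absolute path. The alternatives links point at the nft variant here, which is
# an assumption: the listing does not show where /etc/alternatives leads.
build_sample_tree() {
    root=$1
    mkdir -p "$root/sbin" "$root/alternatives"
    : > "$root/sbin/xtables-legacy-multi"
    : > "$root/sbin/xtables-nft-multi"
    for s in "" -restore -save; do
        ln -s xtables-legacy-multi "$root/sbin/iptables-legacy$s"
        ln -s xtables-nft-multi "$root/sbin/iptables-nft$s"
        ln -s "$root/sbin/iptables-nft$s" "$root/alternatives/iptables$s"
        ln -s "$root/alternatives/iptables$s" "$root/sbin/iptables$s"
    done
}
```

Source the file and run `check_legacy_trio /usr/sbin` on the affected machine; `backend_of /usr/sbin/iptables` shows what the alternatives link currently selects.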

