Bug#915187: netfilter-persistent: Updating netfilter-persistent results in error
Hi

On Mon, Dec 17, 2018 at 10:01:10PM +0100, Nico Haase wrote:
> Hi Gustavo,
>
> I'm sorry, but I still don't get it completely.
>
> On 16.12.2018 at 02:31, gustavo panizzo wrote:
>> It is not a parsing problem, the CHAINs do not exist. You need to check your setup.
>> Check where the ip6*tables* symlinks point to and make it consistent.
>
> ip6tables-save points to /usr/sbin/ip6tables-nft-save, the version string is
> ip6tables-save v1.8.2 (nf_tables). ip6tables-restore points to
> /usr/sbin/ip6tables-nft-restore, which is of the same version v1.8.2. I've never
> touched these symlinks on my own.
>
>> Also remove the legacy rules before applying new rules.
>>
>> if ip{,6}tables-save and ip{,6}tables-restore don't work in your system,
>> netfilter-persistent won't work either (it is just a wrapper around them to
>> start the firewall at boot time)
>
> Yeah, and that is still my point of asking here: how can it be possible that
> dumping the rules and importing with tools from the same package with the same
> version throws an error? Shouldn't the process to write the rules generate a
> file that is sound and can be restored?

As an iptables user I know the process to save and restore is sound, but the
runtime environment (ipsets, DNS resolution, kernel modules) may not be the same
when rules are saved and restored, making the restore fail.

This doesn't sound like your case (you are saving and loading the rules right
after) but is worth mentioning.

> Is it possible that there are incompatibilities with other parts? For example,
> I'm running the kernel version 4.4.134.

I can reproduce your issues with a 4.4 kernel, but not with a 4.1[8-9] kernel.
root@testing-vm:~# ip6tables-restore < /etc/iptables/rules.v6
ip6tables-restore v1.8.2 (nf_tables):
line 3: CHAIN_UPDATE failed (No such file or directory): chain PREROUTING
line 4: CHAIN_UPDATE failed (No such file or directory): chain INPUT
line 5: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
line 6: CHAIN_UPDATE failed (No such file or directory): chain POSTROUTING
root@testing-vm:~# cat /etc/iptables/rules.v6
# Generated by ip6tables-save v1.6.2 on Wed Oct 24 06:16:46 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Oct 24 06:16:46 2018
# Generated by ip6tables-save v1.6.2 on Wed Oct 24 06:16:46 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Oct 24 06:16:46 2018
root@testing-vm:~# uname -a
Bug#915187: netfilter-persistent: Updating netfilter-persistent results in error
Hi Gustavo,

I'm sorry, but I still don't get it completely.

On 16.12.2018 at 02:31, gustavo panizzo wrote:
> It is not a parsing problem, the CHAINs do not exist. You need to check your setup.
> Check where the ip6*tables* symlinks point to and make it consistent.

ip6tables-save points to /usr/sbin/ip6tables-nft-save, the version string is
ip6tables-save v1.8.2 (nf_tables). ip6tables-restore points to
/usr/sbin/ip6tables-nft-restore, which is of the same version v1.8.2. I've never
touched these symlinks on my own.

> Also remove the legacy rules before applying new rules.
>
> if ip{,6}tables-save and ip{,6}tables-restore don't work in your system,
> netfilter-persistent won't work either (it is just a wrapper around them to
> start the firewall at boot time)

Yeah, and that is still my point of asking here: how can it be possible that
dumping the rules and importing with tools from the same package with the same
version throws an error? Shouldn't the process to write the rules generate a
file that is sound and can be restored?

Is it possible that there are incompatibilities with other parts? For example,
I'm running the kernel version 4.4.134.

I'm sorry to keep asking questions rather than providing a solution on my own,
but I'm not that experienced with iptables. I've seen it throwing an error
during an update and this looks like a bug to me. I'd be very happy if you could
guide me to the necessary steps of providing more information to inspect this.

Regards
Nico
Bug#915187: netfilter-persistent: Updating netfilter-persistent results in error
Hello

On Mon, Dec 10, 2018 at 06:46:11PM +0100, Nico Haase wrote:
> Hi there,
>
> I wanted to check if there are some news. Through removing the saved rules
> files, the update has succeeded. But still, I think that this is not solved:
> after the update went through, I've tried to dump the rules through the
> following command:
>
> ip6tables-save > /etc/iptables/rules.v6
>
> This created the following dump:
>
> # Generated by xtables-save v1.8.2 on Mon Dec 10 18:40:39 2018
> *filter
> :OUTPUT ACCEPT [64:15232]
> :FORWARD ACCEPT [0:0]
> :INPUT ACCEPT [64:15232]
> COMMIT
> # Completed on Mon Dec 10 18:40:39 2018
>
> Afterwards, I tried to restore the rules that I've just dumped, and that
> threw the same message as before:
>
> ip6tables-restore v1.8.2 (nf_tables):
> line 3: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
> line 4: CHAIN_UPDATE failed (No such file or directory): chain FORWARD
> line 5: CHAIN_UPDATE failed (No such file or directory): chain INPUT
>
> I understand that there might be some things that could work in another way
> due to a legacy version, but still: how could saving the rules with the
> current version result in a file that the current version cannot parse?

It is not a parsing problem, the CHAINs do not exist. You need to check your setup.
Check where the ip6*tables* symlinks point to and make it consistent.
Also remove the legacy rules before applying new rules.

if ip{,6}tables-save and ip{,6}tables-restore don't work in your system,
netfilter-persistent won't work either (it is just a wrapper around them to
start the firewall at boot time)

-- 
IRC: gfa
GPG: 0X44BB1BA79F6C6333
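The checks gustavo asks for above (which backend each ip6tables symlink resolves to, whether they agree, whether legacy rules are still loaded, and whether a restore fails with CHAIN_UPDATE rather than a parse error) collected into one script. This is an added example, not part of netfilter-persistent, iptables or this bug report. It assumes Debian's alternatives layout under /usr/sbin (ip6tables* resolving to ip6tables-nft-* or ip6tables-legacy-*), the "(nf_tables)" / "(legacy)" suffix that iptables 1.8 appends to its --version output, the --test dry-run option documented for iptables-restore, and a NFT_MIN_KERNEL of 4.18 taken from gustavo's reproduction in this thread (4.4 fails, 4.18/4.19 work), which is an observation, not a documented minimum. The sample stderr embedded in the script is constructed from the messages quoted in this bug.

```sh
#!/bin/sh
# Diagnostic for the iptables-legacy vs iptables-nft mix-up discussed in
# Bug#915187. Added example; not shipped by netfilter-persistent or iptables.
# Assumptions: Debian alternatives layout, iptables 1.8 --version suffixes,
# and NFT_MIN_KERNEL taken from the reproduction in this bug (4.4 fails,
# 4.18/4.19 work), which is an observation rather than a documented minimum.

NFT_MIN_KERNEL=4.18
RULES_V6=/etc/iptables/rules.v6

# Constructed sample of the stderr seen in this bug, used for self-testing.
SAMPLE_RESTORE_STDERR='ip6tables-restore v1.8.2 (nf_tables):
line 3: CHAIN_UPDATE failed (No such file or directory): chain PREROUTING
line 4: CHAIN_UPDATE failed (No such file or directory): chain INPUT
line 5: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
line 6: CHAIN_UPDATE failed (No such file or directory): chain POSTROUTING'

# Map a --version string to the backend that binary was built for.
# Pre-1.8 iptables prints no suffix and only ever had the legacy backend.
backend_of_version() {
    case "$1" in
        "")              echo unknown ;;
        *"(nf_tables)"*) echo nft ;;
        *)               echo legacy ;;
    esac
}

# Succeed only if every backend name passed as an argument is the same.
backends_consistent() {
    first=$1
    for b in "$@"; do
        [ "$b" = "$first" ] || return 1
    done
    return 0
}

# Count CHAIN_UPDATE errors in ip6tables-restore output read from stdin.
# These mean the builtin chains could not be created on this kernel; the rules
# file itself parsed, which is the distinction gustavo draws above.
count_chain_update_failures() {
    grep -c 'CHAIN_UPDATE failed' || true
}

# Succeed if kernel release $1 (e.g. 4.4.134-1-pve) is at least major.minor $2.
kernel_at_least() {
    have_maj=${1%%.*}; have_rest=${1#*.}; have_min=${have_rest%%.*}
    want_maj=${2%%.*}; want_rest=${2#*.}; want_min=${want_rest%%.*}
    have_min=${have_min%%[!0-9]*}; want_min=${want_min%%[!0-9]*}
    if [ "$have_maj" -gt "$want_maj" ]; then return 0; fi
    if [ "$have_maj" -lt "$want_maj" ]; then return 1; fi
    [ "${have_min:-0}" -ge "${want_min:-0}" ]
}

# Inspect the running host. Only runs with --run, so the helpers above can be
# sourced and tested without touching the firewall.
diagnose_host() {
    rc=0
    found=""
    for tool in ip6tables ip6tables-save ip6tables-restore; do
        target=$(readlink -f "/usr/sbin/$tool" 2>/dev/null || echo '?')
        version=$("/usr/sbin/$tool" --version 2>/dev/null || true)
        backend=$(backend_of_version "$version")
        printf '%-18s -> %s [%s]\n' "$tool" "$target" "$backend"
        found="$found $backend"
    done
    # shellcheck disable=SC2086  (word splitting of $found is intended)
    if ! backends_consistent $found; then
        echo 'WARNING: ip6tables tools resolve to different backends; fix with'
        echo '         update-alternatives --config ip6tables'
        rc=1
    fi
    kernel=$(uname -r)
    case "$found" in *nft*)
        if ! kernel_at_least "$kernel" "$NFT_MIN_KERNEL"; then
            echo "WARNING: nft backend on kernel $kernel, older than $NFT_MIN_KERNEL" \
                 "(the oldest reported working in this bug); consider" \
                 "'update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy'"
            rc=1
        fi ;;
    esac
    # Leftover legacy rules keep filtering traffic after a switch to nft.
    if command -v ip6tables-legacy-save >/dev/null 2>&1 &&
       ip6tables-legacy-save 2>/dev/null | grep -q '^-A'; then
        echo 'WARNING: iptables-legacy still holds ip6 rules; flush them first'
        rc=1
    fi
    # Dry run (--test builds the ruleset without committing it); drop --test to
    # see exactly what netfilter-persistent sees at boot.
    if [ -r "$RULES_V6" ]; then
        n=$(ip6tables-restore --test < "$RULES_V6" 2>&1 | count_chain_update_failures)
        if [ "$n" -gt 0 ]; then
            echo "WARNING: $n CHAIN_UPDATE failure(s) restoring $RULES_V6 (not a parse error)"
            rc=1
        fi
    fi
    return $rc
}

if [ "${1:-}" = --run ]; then
    diagnose_host
fi
```

Run it as root with `sh check-ip6tables-backend.sh --run`; a non-zero exit means at least one of the four conditions from the thread was found. The helper functions take their input as arguments or on stdin, so the classification and error counting can be exercised on saved output without a live firewall.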
Bug#915187: netfilter-persistent: Updating netfilter-persistent results in error
Hi there,

I wanted to check if there are some news. Through removing the saved rules
files, the update has succeeded. But still, I think that this is not solved:
after the update went through, I've tried to dump the rules through the
following command:

ip6tables-save > /etc/iptables/rules.v6

This created the following dump:

# Generated by xtables-save v1.8.2 on Mon Dec 10 18:40:39 2018
*filter
:OUTPUT ACCEPT [64:15232]
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [64:15232]
COMMIT
# Completed on Mon Dec 10 18:40:39 2018

Afterwards, I tried to restore the rules that I've just dumped, and that threw
the same message as before:

ip6tables-restore v1.8.2 (nf_tables):
line 3: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
line 4: CHAIN_UPDATE failed (No such file or directory): chain FORWARD
line 5: CHAIN_UPDATE failed (No such file or directory): chain INPUT

I understand that there might be some things that could work in another way due
to a legacy version, but still: how could saving the rules with the current
version result in a file that the current version cannot parse?

Regards
Nico
Bug#915187: netfilter-persistent: Updating netfilter-persistent results in error
Hi Gustavo,

thanks for your answer so far!

On 02.12.2018 at 04:45, gustavo panizzo wrote:
> Hello
>
> On Sat, Dec 01, 2018 at 04:27:19PM +0100, Nico Haase wrote:
>> Nov 29 06:42:10 host netfilter-persistent[24163]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
>> Nov 29 06:42:10 host netfilter-persistent[24163]: ip6tables-restore v1.8.2 (nf_tables):
>> Nov 29 06:42:10 host netfilter-persistent[24163]: line 3: CHAIN_UPDATE failed (No such file or directory): chain PREROUTING
>> Nov 29 06:42:10 host netfilter-persistent[24163]: line 4: CHAIN_UPDATE failed (No such file or directory): chain INPUT
>> Nov 29 06:42:10 host netfilter-persistent[24163]: line 5: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
>> Nov 29 06:42:10 host netfilter-persistent[24163]: line 6: CHAIN_UPDATE failed (No such file or directory): chain POSTROUTING
>> Nov 29 06:42:10 host netfilter-persistent[24163]: run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 4
>
> ip6tables-restore fails to load your ip6 rules, /etc/iptables/rules.v6
>
> It looks to me looking at the error that you are mixing iptables and
> nftables, in iptables world PREROUTING/INPUT/OUTPUT/POSTROUTING tables
> *always* exist
>
> show me the output of
>
> # systemctl status nftables

That displays: Unit nftables.service could not be found.

> # nft list tables

That displays: command not found

> # ip6tables-restore < /etc/iptables/rules.v6

As you already mentioned, this prints the same message as above.

And that is the current content of rules.v6, which I've never edited manually:

# Generated by ip6tables-save v1.6.2 on Wed Oct 24 06:16:46 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Oct 24 06:16:46 2018
# Generated by ip6tables-save v1.6.2 on Wed Oct 24 06:16:46 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Oct 24 06:16:46 2018

>> Nov 29 06:42:10 host systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
>> Nov 29 06:42:10 host systemd[1]: netfilter-persistent.service: Failed with result 'exit-code'.
>> Nov 29 06:42:10 host systemd[1]: Failed to start netfilter persistent configuration.
>>
>> What can I do to make this work? Is it a configuration problem on my
>> server, or a bug in the package?
>
> I think you are mixing nftables and iptables-legacy, please read
> /usr/share/doc/iptables/README.Debian

That might be the case, but I don't have a clue why only the latest update
throws such an error. Up to this version, there were no errors or warnings
mentioned; and if there is a larger incompatibility between installed packages
and new updates, I think there should be a more clear message logged. As these
rules were dumped there automatically and the file was not edited by hand, what
can I do to make this work again?

Regards
Nico
Bug#915187: netfilter-persistent: Updating netfilter-persistent results in error
Hello

On Sat, Dec 01, 2018 at 04:27:19PM +0100, Nico Haase wrote:
> Nov 29 06:42:10 host netfilter-persistent[24163]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
> Nov 29 06:42:10 host netfilter-persistent[24163]: ip6tables-restore v1.8.2 (nf_tables):
> Nov 29 06:42:10 host netfilter-persistent[24163]: line 3: CHAIN_UPDATE failed (No such file or directory): chain PREROUTING
> Nov 29 06:42:10 host netfilter-persistent[24163]: line 4: CHAIN_UPDATE failed (No such file or directory): chain INPUT
> Nov 29 06:42:10 host netfilter-persistent[24163]: line 5: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
> Nov 29 06:42:10 host netfilter-persistent[24163]: line 6: CHAIN_UPDATE failed (No such file or directory): chain POSTROUTING
> Nov 29 06:42:10 host netfilter-persistent[24163]: run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 4

ip6tables-restore fails to load your ip6 rules, /etc/iptables/rules.v6

It looks to me looking at the error that you are mixing iptables and nftables,
in iptables world PREROUTING/INPUT/OUTPUT/POSTROUTING tables *always* exist

show me the output of

# systemctl status nftables
# nft list tables
# ip6tables-restore < /etc/iptables/rules.v6

> Nov 29 06:42:10 host systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
> Nov 29 06:42:10 host systemd[1]: netfilter-persistent.service: Failed with result 'exit-code'.
> Nov 29 06:42:10 host systemd[1]: Failed to start netfilter persistent configuration.
>
> What can I do to make this work? Is it a configuration problem on my server,
> or a bug in the package?

I think you are mixing nftables and iptables-legacy, please read
/usr/share/doc/iptables/README.Debian

-- 
IRC: gfa
GPG: 0X44BB1BA79F6C6333
Bug#915187: netfilter-persistent: Updating netfilter-persistent results in error
Package: netfilter-persistent
Version: 1.0.10
Severity: normal

Dear Maintainer,

unattended-upgrades performed an update from 1.0.9 to 1.0.10 some days ago.
Since then, this upgrade is triggered on each run, as it won't finish. The
following error is given:

Job for netfilter-persistent.service failed because the control process exited with error code.
See "systemctl status netfilter-persistent.service" and "journalctl -xe" for details.
invoke-rc.d: initscript netfilter-persistent, action "restart" failed.
● netfilter-persistent.service - netfilter persistent configuration
   Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-11-29 06:42:10 CET; 5ms ago
  Process: 24163 ExecStart=/usr/sbin/netfilter-persistent start (code=exited, status=1/FAILURE)
 Main PID: 24163 (code=exited, status=1/FAILURE)

Nov 29 06:42:10 host netfilter-persistent[24163]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Nov 29 06:42:10 host netfilter-persistent[24163]: ip6tables-restore v1.8.2 (nf_tables):
Nov 29 06:42:10 host netfilter-persistent[24163]: line 3: CHAIN_UPDATE failed (No such file or directory): chain PREROUTING
Nov 29 06:42:10 host netfilter-persistent[24163]: line 4: CHAIN_UPDATE failed (No such file or directory): chain INPUT
Nov 29 06:42:10 host netfilter-persistent[24163]: line 5: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
Nov 29 06:42:10 host netfilter-persistent[24163]: line 6: CHAIN_UPDATE failed (No such file or directory): chain POSTROUTING
Nov 29 06:42:10 host netfilter-persistent[24163]: run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 4
Nov 29 06:42:10 host systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
Nov 29 06:42:10 host systemd[1]: netfilter-persistent.service: Failed with result 'exit-code'.
Nov 29 06:42:10 host systemd[1]: Failed to start netfilter persistent configuration.

What can I do to make this work? Is it a configuration problem on my server, or
a bug in the package?

Regards
Nico

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.4.134-1-pve (SMP w/12 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages netfilter-persistent depends on:
ii  lsb-base  9.20170808

netfilter-persistent recommends no packages.

Versions of packages netfilter-persistent suggests:
iu  iptables-persistent  1.0.10

-- no debconf information