iptables-persistent lacks support for ipset

Bug #1405670 reported by Hadmut Danisch
This bug affects 6 people
Affects                         Status        Importance  Assigned to  Milestone
iptables-persistent (Debian)    Fix Released  Unknown
iptables-persistent (Ubuntu)    Fix Released  Undecided   Unassigned

Bug Description

Hi,

Ubuntu and its Linux kernel support IPSETs for iptables (see package ipset), but iptables-persistent just stores the iptables rules. Thus, iptables restore is incomplete if ipset was used to define tables.

Since ipset supports save/restore, it should be pretty easy to support.

regards

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: iptables-persistent 0.5.7
ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
Uname: Linux 3.13.0-43-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: amd64
CurrentDesktop: XFCE
Date: Thu Dec 25 19:37:54 2014
InstallationDate: Installed on 2014-08-06 (140 days ago)
InstallationMedia: Ubuntu-Server 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.3)
PackageArchitecture: all
SourcePackage: iptables-persistent
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Hadmut Danisch (hadmut) wrote :
Changed in iptables-persistent (Debian):
status: Unknown → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in iptables-persistent (Ubuntu):
status: New → Confirmed
Revision history for this message
Realgo Sysadmin (sysadm-k) wrote :

Unfortunately, this isn't as easy as it seems. iptables save/restore have very different semantics from ipset save/restore. iptables starts from an empty state and loads the specified rules. ipset on the other hand starts from the *CURRENT* state. At system boot time, this will be empty, so you will need to create ipsets and then populate them. Loading new rules errors out if you try to create a set that exists, destroy a set that either doesn't exist or is referenced by iptables, swap sets with one that doesn't exist, or rename to one that does exist.

The right solution feels like making it like iptables restore where it populates rules and then swaps them into place, or changing semantics so that you have things like "destroy if exists" and have "save" emit that. Or "swap or rename" so that you could populate rules and then put them in place.

My current plan is to make an /etc/ipset.d directory, and have files in there that do the delete or create and ignore them if they already exist. One file for each rule to make a known state, then the file that loads from the known state.

Revision history for this message
Realgo Sysadmin (sysadm-k) wrote :

FYI: Here's what I've ended up doing: I create files for "00-flush", 2 files that are "01-create-servers.ignore" and "01-create-x-servers.ignore", then a "50-rules" that populates "x-servers" and swaps it to "servers", then destroys x-servers.

Changed in iptables-persistent (Debian):
status: New → Incomplete
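The staging-and-swap scheme described in the two comments above, written out as an added example (not the commenter's own files and not part of iptables-persistent). It generates the text that `ipset -exist restore` consumes: create both the live set and a staging set idempotently, flush and populate only the staging set, atomically `swap` it into place, then destroy the staging set. The set names `servers`/`x-servers` come from the comment; the set type and the member addresses are constructed assumptions.

```shell
#!/bin/sh
# Build an `ipset restore` stream that refreshes a live set via a staging set.
# Added example; the set type and sample members below are constructed.

# Assumed set type; `swap` requires both sets to have the same type.
SET_TYPE="hash:ip family inet hashsize 1024 maxelem 65536"

# One restore-file line per command. The `create` lines rely on the stream
# being fed to `ipset -exist restore`, so an already-existing set is not an error.
emit_create() { printf 'create %s %s\n' "$1" "$SET_TYPE"; }
emit_flush()  { printf 'flush %s\n' "$1"; }
emit_add()    { printf 'add %s %s\n' "$1" "$2"; }

# build_restore_stream LIVE STAGING MEMBER...
# Emits, in order: create LIVE, create STAGING, flush STAGING, add each member
# to STAGING, swap STAGING and LIVE (atomic from iptables' point of view),
# destroy STAGING. The live set is never empty while rules reference it, and
# destroying the staging set cannot fail on "referenced by iptables" because
# no rule ever points at it.
build_restore_stream() {
  live=$1
  staging=$2
  shift 2
  emit_create "$live"
  emit_create "$staging"
  emit_flush "$staging"
  for member in "$@"; do
    emit_add "$staging" "$member"
  done
  printf 'swap %s %s\n' "$staging" "$live"
  printf 'destroy %s\n' "$staging"
}

# Sanity check on a generated stream: the swap must come before the destroy,
# and nothing may be added to the live set directly. Returns 0 when the
# ordering is sound, 1 otherwise.
check_stream() {
  stream=$1
  live=$2
  swap_line=$(printf '%s\n' "$stream" | grep -n '^swap ' | cut -d: -f1)
  destroy_line=$(printf '%s\n' "$stream" | grep -n '^destroy ' | cut -d: -f1)
  [ -n "$swap_line" ] && [ -n "$destroy_line" ] || return 1
  [ "$swap_line" -lt "$destroy_line" ] || return 1
  printf '%s\n' "$stream" | grep -q "^add $live " && return 1
  return 0
}

# Usage (as root, once the ipset tool is installed):
#   build_restore_stream servers x-servers 10.0.0.1 10.0.0.2 | ipset -exist restore
# The addresses 10.0.0.1 and 10.0.0.2 are constructed sample members.
```

Feeding the stream to `ipset -exist restore` rather than plain `ipset restore` is what makes the `create` lines safe on a machine where the sets already exist (for example on a second run after boot); every other command in the stream is already idempotent by construction.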
Revision history for this message
Martin PANEL (mortin) wrote :

A good ipset plugin for netfilter-persistent:
https://github.com/jordanrinke/ipsets-persistent

Revision history for this message
gustavo panizzo (gfa) wrote :

The latest version in Debian has support for saving/restoring ipsets; please test and report any bugs! Thanks

Changed in iptables-persistent (Debian):
status: Incomplete → Fix Released
gustavo panizzo (gfa)
Changed in iptables-persistent (Ubuntu):
status: Confirmed → Fix Released