save action from init script fails when ipv6 disabled

Bug #1643738 reported by Scott Mcdermott on 2016-11-22
Affects: iptables-persistent
Importance: Undecided
Assigned to: Unassigned

Bug Description

Filed this bug originally at:

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780738

but no attention, comment or acknowledgement from maintainer
in over 1.5 years; presumably this is an abandoned package
upstream. Simple one-line fix (mentioned at bottom) suggested
to maintainer, who appears to ignore the bug report.

Hopefully Ubuntu can maintain the one-line fix in their
downstream version. It does affect 16.04.

reproduce:

   - boot kernel with ipv6.disable=1
   - invoke-rc.d netfilter-persistent save

 * Saving netfilter rules...
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
ip6tables-save v1.6.0: Cannot initialize: Address family not supported by protocol

run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 1
   ...fail!

Original bug report below.

<snip>

Despite configuring a system not to use ipv6, the script
from iptables-persistent fails to complete properly and
save just the ipv4 rules. There are a couple problems:

  (1) Tries to load the ipv6 module in ../plugins.d/25-ip6tables
while the script runs under "set -e" but some systems will
have e.g. "install ip6table_filter /bin/true" in modprobe.conf
and the modprobe will fail. save_rules() correctly tests for
/proc/net/ip6_tables_names to skip but won't even get that
far due to "set -e" as in:

    $ sudo bash -x 25-ip6tables save || echo failed
    + set -e
    + rc=0
    + case "$1" in
    + save_rules
    + /sbin/modprobe -q ip6table_filter
    failed

  (2) Even if we allow the modules to install, we still have an issue
because of ipv6.disable=1 on /proc/cmdline, e.g.:

    $ sudo bash -x 25-ip6tables save || echo failed
    + set -e
    + rc=0
    + case "$1" in
    + save_rules
    + /sbin/modprobe -q ip6table_filter
    + '[' '!' -f /proc/net/ip6_tables_names ']'
    + '[' -x /sbin/ip6tables-save ']'
    + ip6tables-save
    ip6tables-save v1.4.21: Cannot initialize: Address family not supported by protocol
    failed

(and for completeness, in case it's relevant:)

    $ sudo debconf-show iptables-persistent
    * iptables-persistent/autosave_v6: false
    * iptables-persistent/autosave_v4: true

Since the running kernel lacking v6 means save/load failure is
not an error that iptables-persistent needs to notify the user about
(he likely knows already that ipv6 is disabled completely in kernel),
I would suggest not even warning about this, and just skip, e.g.:

    test -e /proc/sys/net/ipv6 || { true; exit; }

as first line of 25-ip6tables script (prior to "set -e").
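The guard the report proposes, carried through into a small plugin skeleton, as an added example that is not the package's own 25-ip6tables script. It turns the `test -e /proc/sys/net/ipv6` probe into a function, adds the `/proc/cmdline` check for `ipv6.disable=1` that the reproduction relies on, and makes every outcome of the save action return 0 so that run-parts under `set -e` never reports a failure for a stack the kernel does not have. The function names, the overridable probe paths and the rules file path `/etc/iptables/rules.v6` are assumptions made for this example, not values from the report.

```shell
#!/bin/sh
# Added example: an IPv6 netfilter-persistent save plugin that skips cleanly
# when the running kernel has IPv6 disabled. Not the package's own script;
# function names and the paths below are assumptions for this example.

# Probe paths are overridable so the decision logic can be exercised against
# a constructed directory tree instead of the live /proc.
IPV6_SYSCTL_DIR="${IPV6_SYSCTL_DIR:-/proc/sys/net/ipv6}"
IP6_TABLES_NAMES="${IP6_TABLES_NAMES:-/proc/net/ip6_tables_names}"
RULES_V6="${RULES_V6:-/etc/iptables/rules.v6}"   # assumed save location

# Returns 0 when the kernel exposes IPv6 sysctls, 1 otherwise. With
# ipv6.disable=1 the directory is absent, so this is the cheapest probe.
ipv6_available() {
    [ -e "$IPV6_SYSCTL_DIR" ]
}

# Returns 0 when the given kernel command line carries ipv6.disable=1.
# Takes the command line as an argument so it can be tested without /proc.
cmdline_disables_ipv6() {
    case " $1 " in
        *" ipv6.disable=1 "*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Decide what the "save" action should do. Prints exactly one of
#   skip            IPv6 not present in the kernel (nothing to save, no warning)
#   nothing-loaded  IPv6 present but no ip6_tables tables loaded
#   save            ip6tables-save can run
# and returns 0 in every case, which is what keeps "set -e" from aborting.
plan_save_action() {
    if ! ipv6_available; then
        echo skip
        return 0
    fi
    if [ ! -f "$IP6_TABLES_NAMES" ]; then
        echo nothing-loaded
        return 0
    fi
    echo save
}

# Perform the save according to the plan; only the "save" branch touches
# ip6tables-save, so a disabled stack never reaches the failing call.
do_save() {
    case "$(plan_save_action)" in
        skip|nothing-loaded) return 0 ;;
        save) ip6tables-save > "$RULES_V6" ;;
    esac
}

# Action dispatch mirroring the plugin's "$1" handling; "set -e" is kept,
# as in the original, and is now harmless because do_save cannot fail
# on a kernel without IPv6.
case "${1:-}" in
    save)
        set -e
        do_save
        ;;
esac
```

Because the decision is separated from the side effect, the same plugin can be checked on a box that does have IPv6 by pointing `IPV6_SYSCTL_DIR` and `IP6_TABLES_NAMES` at a constructed directory, which is how the verification below drives it.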
