save action from init script fails when ipv6 disabled

Bug #1643738 reported by Scott Mcdermott
Affects: iptables-persistent | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Filed this bug originally at:

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780738

but no attention, comment or acknowledgement from maintainer
in over 1.5 years; presumably this is an abandoned package
upstream. Simple one-line fix (mentioned at bottom) suggested
to maintainer, who appears to ignore the bug report.

Hopefully Ubuntu can maintain the one-line fix in their
downstream version. It does affect 16.04.

reproduce:

   - boot kernel with ipv6.disable=1
   - invoke-rc.d netfilter-persistent save

 * Saving netfilter rules...
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
ip6tables-save v1.6.0: Cannot initialize: Address family not supported by protocol

run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 1
   ...fail!

Original bug report below.

<snip>

Despite configuring a system not to use ipv6, the script
from iptables-persistent fails to complete properly and
save just the ipv4 rules. There are a couple problems:

  (1) Tries to load the ipv6 module in ../plugins.d/25-ip6tables
while the script runs under "set -e" but some systems will
have e.g. "install ip6table_filter /bin/true" in modprobe.conf
and the modprobe will fail. save_rules() correctly tests for
/proc/net/ip6_tables_names to skip but won't even get that
far due to "set -e" as in:

    $ sudo bash -x 25-ip6tables save || echo failed
    + set -e
    + rc=0
    + case "$1" in
    + save_rules
    + /sbin/modprobe -q ip6table_filter
    failed

  (2) Even if we allow the modules to install, we still have an issue
because of ipv6.disable=1 on /proc/cmdline, e.g.:

    $ sudo bash -x 25-ip6tables save || echo failed
    + set -e
    + rc=0
    + case "$1" in
    + save_rules
    + /sbin/modprobe -q ip6table_filter
    + '[' '!' -f /proc/net/ip6_tables_names ']'
    + '[' -x /sbin/ip6tables-save ']'
    + ip6tables-save
    ip6tables-save v1.4.21: Cannot initialize: Address family not supported by protocol
    failed

(and for completeness, in case it's relevant:)

    $ sudo debconf-show iptables-persistent
    * iptables-persistent/autosave_v6: false
    * iptables-persistent/autosave_v4: true

Since the running kernel lacking v6 means save/load failure is
not an error that iptables-persistent needs to notify the user about
(he likely knows already that ipv6 is disabled completely in kernel),
I would suggest not even warning about this, and just skip, e.g.:

    test -e /proc/sys/net/ipv6 || { true; exit; }

as first line of 25-ip6tables script (prior to "set -e").
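The guard proposed above, written out as an added example (this is not the package's own 25-ip6tables plugin): the IPv6 check runs before any module load or `ip6tables-save` call, so a script under `set -e` skips cleanly instead of aborting. `PROC_ROOT`, `MODPROBE` and `RULES_V6_FILE` are assumed override variables so the checks can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not the iptables-persistent plugin: skip IPv6 work when the
# running kernel has no IPv6 stack, so "set -e" cannot abort the save run.
set -e

# Assumed overrides (empty / defaults on a real host).
PROC_ROOT="${PROC_ROOT:-}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
RULES_V6_FILE="${RULES_V6_FILE:-/etc/iptables/rules.v6}"

# 0 when the kernel exposes IPv6 sysctls; ipv6.disable=1 removes this tree.
ipv6_available() {
    test -e "${PROC_ROOT}/proc/sys/net/ipv6"
}

# Save IPv6 rules using the command named in $1 (ip6tables-save on a host).
# Returns 0 with a "skipped" message when there is nothing to save.
save_v6_rules() {
    saver="$1"
    if ! ipv6_available; then
        echo "skipped: kernel has no IPv6 support"
        return 0
    fi
    # A blacklisted module ("install ip6table_filter /bin/true") makes
    # modprobe fail; tolerate that and let the tables file be the signal.
    "$MODPROBE" -q ip6table_filter 2>/dev/null || true
    if [ ! -f "${PROC_ROOT}/proc/net/ip6_tables_names" ]; then
        echo "skipped: no ip6_tables tables loaded"
        return 0
    fi
    "$saver" > "$RULES_V6_FILE"
}

# Mirror the plugin's "save" action when invoked directly.
case "${1:-}" in
    save) save_v6_rules ip6tables-save ;;
esac
```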
