save action from init script fails when ipv6 disabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
iptables-persistent | New | Undecided | Unassigned |
Bug Description
Filed this bug originally at:
https:/
but no attention, comment or acknowledgement from maintainer
in over 1.5 years; presumably this is an abandoned package
upstream. Simple one-line fix (mentioned at bottom) suggested
to maintainer, who appears to ignore the bug report.
Hopefully Ubuntu can maintain the one-line fix in their
downstream version. It does affect 16.04.
reproduce:

- boot kernel with ipv6.disable=1
- invoke-rc.d netfilter-

```
 * Saving netfilter rules...
run-parts: executing /usr/share/
run-parts: executing /usr/share/
ip6tables-save v1.6.0: Cannot initialize: Address family not supported by protocol
run-parts: /usr/share/
...fail!
```
Original bug report below.
<snip>
Despite configuring a system not to use ipv6, the script
from iptables-persistent fails to complete properly and
save just the ipv4 rules. There are a couple of problems:

(1) Tries to load the ipv6 module in ../plugins, while the script
runs under "set -e"; but some systems will
have e.g. "install ip6table_filter /bin/true" in modprobe.conf
and the modprobe will fail. save_rules() correctly tests for
/proc/net/
far due to "set -e" as in:

```
$ sudo bash -x 25-ip6tables save || echo failed
+ set -e
+ rc=0
+ case "$1" in
+ save_rules
+ /sbin/modprobe -q ip6table_filter
failed
```
(2) Even if we allow the modules to install, we still have an issue
because of ipv6.disable=1 on /proc/cmdline, e.g.:

```
$ sudo bash -x 25-ip6tables save || echo failed
+ set -e
+ rc=0
+ case "$1" in
+ save_rules
+ /sbin/modprobe -q ip6table_filter
+ '[' '!' -f /proc/net/
+ '[' -x /sbin/ip6tables
+ ip6tables-save
ip6tables-save v1.4.21: Cannot initialize: Address family not supported by protocol
failed
```
(and for completeness, in case it's relevant:)

```
$ sudo debconf-show iptables-persistent
* iptables-
* iptables-
```
Since the running kernel lacking v6 means save/load failure is
not an error that iptables-persist needs to notify the user about
(he likely knows already that ipv6 is disabled completely in kernel),
I would suggest not even warning about this, and just skip, e.g.:

```
test -e /proc/sys/net/ipv6 || { true; exit; }
```

as first line of 25-ip6tables script (prior to "set -e").
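As an added illustration (this is neither the reporter's suggested one-liner nor the plugin shipped by iptables-persistent), the following POSIX sh save helper applies the /proc/sys/net/ipv6 check described above and also handles the two failure modes the report walks through: a blacklisted ip6table_filter module must not abort a "set -e" run, and a genuine ip6tables-save error must still surface rather than silently leaving stale rules. The SYSROOT, IP6TABLES_SAVE and MODPROBE variables are assumptions introduced here so the checks can be exercised against a constructed directory tree without touching the real /proc; /proc/net/ip6_tables_names is the kernel file the real plugin tests for before calling ip6tables-save.

```shell
#!/bin/sh
# Added example, not the iptables-persistent plugin: save IPv6 rules only when
# the running kernel actually has an IPv6 stack, otherwise skip without error.
#
# Assumptions (not from the bug report): SYSROOT prefixes /proc so the checks
# can be run against a constructed tree; IP6TABLES_SAVE and MODPROBE allow the
# saver and modprobe binaries to be substituted.
SYSROOT="${SYSROOT:-}"
IP6TABLES_SAVE="${IP6TABLES_SAVE:-ip6tables-save}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"

# Returns 0 if the kernel exposes IPv6 at all; booting with ipv6.disable=1
# leaves this directory absent, which is the check the report proposes.
ipv6_available() {
    test -e "${SYSROOT}/proc/sys/net/ipv6"
}

# Write the IPv6 ruleset to the file named in $1.
# Prints "skipped" and returns 0 when there is nothing to save, prints "saved"
# and returns 0 on success, and returns 1 only for a real failure, so a caller
# running under "set -e" is never aborted merely because IPv6 is disabled.
save_ip6_rules() {
    rulesfile="$1"
    if ! ipv6_available; then
        echo "skipped"
        return 0
    fi
    # modprobe.conf may map ip6table_filter to /bin/true; do not let a failing
    # modprobe abort the run, the next check decides whether tables exist.
    "$MODPROBE" -q ip6table_filter 2>/dev/null || true
    if [ ! -f "${SYSROOT}/proc/net/ip6_tables_names" ]; then
        echo "skipped"
        return 0
    fi
    # Save to a temporary file and rename, so a failed save (for example
    # "Cannot initialize: Address family not supported by protocol") never
    # truncates the rules file that was saved last time.
    tmpfile="${rulesfile}.tmp"
    if "$IP6TABLES_SAVE" > "$tmpfile"; then
        mv "$tmpfile" "$rulesfile"
        echo "saved"
        return 0
    fi
    rm -f "$tmpfile"
    echo "ip6tables-save failed; IPv6 rules were not saved" >&2
    return 1
}
```

Used from a plugin, `save_ip6_rules /etc/iptables/rules.v6` replaces the bare `ip6tables-save > ...` call; because the IPv6-absent case returns 0 without output on stderr, the surrounding `run-parts` invocation no longer reports "...fail!" on a kernel booted with ipv6.disable=1, while a broken saver on a kernel that does have IPv6 still produces a nonzero exit.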