Activity log for bug #1949643

Date Who What changed Old value New value Message
2021-11-03 21:36:44 Mauricio Faria de Oliveira bug added bug
2021-11-03 21:36:56 Mauricio Faria de Oliveira iptables-persistent (Ubuntu): status New Confirmed
2021-11-03 21:37:00 Mauricio Faria de Oliveira iptables-persistent (Ubuntu): importance Undecided Medium
2021-11-03 21:37:02 Mauricio Faria de Oliveira iptables-persistent (Ubuntu): assignee Mauricio Faria de Oliveira (mfo)
2021-11-03 21:37:15 Mauricio Faria de Oliveira bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998416
2021-11-03 21:37:15 Mauricio Faria de Oliveira bug task added iptables-persistent (Debian)
2021-11-04 07:55:25 Bug Watch Updater iptables-persistent (Debian): status Unknown New
2021-11-16 22:08:03 Mauricio Faria de Oliveira description [Impact] The iptables-persistent plugins/{15-ip4tables,25-ip6tables} use ip[6]tables-restore without --noflush unconditionally. This doesn't play along well with ufw, which starts before netfilter-persistent typically, and gets its rules flushed. This makes `ufw status` return that ufw is disabled, which is misleading, as `ufw.service` is enabled and ufw actually loaded all its rules correctly (but they were flushed later.) Some images ship iptables-persistent rules, thus are subject to this issue if ufw is used. [Workaround] Disable the netfilter-persistent.service unit, after rules have been migrated to ufw. [Fix] Proposed in Debian bug #998416 [1] [Test Steps] See the Debian bug. [1] https://bugs.debian.org/998416 [Impact] The iptables-persistent plugins/{15-ip4tables,25-ip6tables} use ip[6]tables-restore without --noflush unconditionally. This doesn't play along well with ufw, which starts before netfilter-persistent typically, and gets its rules flushed. This makes `ufw status` return that ufw is disabled, which is misleading, as `ufw.service` is enabled and ufw actually loaded all its rules correctly (but they were flushed later.) Some images ship iptables-persistent rules, thus are subject to this issue if ufw is used. [Workaround] Disable the netfilter-persistent.service unit, after rules have been migrated to ufw. [Fix] Proposed in Debian bug #998416 [1], Salsa Merge Request [2]. [Test Steps] See the Debian bug. [1] https://bugs.debian.org/998416 [2] https://salsa.debian.org/debian/iptables-persistent/-/merge_requests/3
2021-12-04 16:20:09 Bug Watch Updater iptables-persistent (Debian): status New Fix Released
2021-12-10 15:35:18 Jorge Merlino attachment added lp1949643-impish.debdiff https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1949643/+attachment/5546887/+files/lp1949643-impish.debdiff
2021-12-10 15:37:27 Jorge Merlino attachment added lp1949643-hirsute.debdiff https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1949643/+attachment/5546888/+files/lp1949643-hirsute.debdiff
2021-12-10 15:37:51 Jorge Merlino attachment added lp1949643-focal.debdiff https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1949643/+attachment/5546889/+files/lp1949643-focal.debdiff
2021-12-10 15:38:16 Jorge Merlino attachment added lp1949643-bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1949643/+attachment/5546890/+files/lp1949643-bionic.debdiff
2021-12-10 16:23:27 Ubuntu Foundations Team Bug Bot tags patch
2021-12-10 16:23:37 Ubuntu Foundations Team Bug Bot bug added subscriber Ubuntu Sponsors Team
2021-12-13 14:51:15 Mauricio Faria de Oliveira tags patch patch sts-sponsor-mfo
2021-12-13 15:39:20 Mauricio Faria de Oliveira nominated for series Ubuntu Jammy
2021-12-13 15:39:20 Mauricio Faria de Oliveira bug task added iptables-persistent (Ubuntu Jammy)
2021-12-13 15:39:20 Mauricio Faria de Oliveira nominated for series Ubuntu Hirsute
2021-12-13 15:39:20 Mauricio Faria de Oliveira bug task added iptables-persistent (Ubuntu Hirsute)
2021-12-13 15:39:20 Mauricio Faria de Oliveira nominated for series Ubuntu Bionic
2021-12-13 15:39:20 Mauricio Faria de Oliveira bug task added iptables-persistent (Ubuntu Bionic)
2021-12-13 15:39:20 Mauricio Faria de Oliveira nominated for series Ubuntu Impish
2021-12-13 15:39:20 Mauricio Faria de Oliveira bug task added iptables-persistent (Ubuntu Impish)
2021-12-13 15:39:20 Mauricio Faria de Oliveira nominated for series Ubuntu Focal
2021-12-13 15:39:20 Mauricio Faria de Oliveira bug task added iptables-persistent (Ubuntu Focal)
2021-12-13 15:39:38 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Impish): status New In Progress
2021-12-13 15:39:44 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Impish): importance Undecided Medium
2021-12-13 15:40:09 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Impish): assignee Jorge Merlino (jorge-merlino)
2021-12-13 15:40:33 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Hirsute): status New In Progress
2021-12-13 15:40:36 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Hirsute): importance Undecided Medium
2021-12-13 15:40:47 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Hirsute): assignee Jorge Merlino (jorge-merlino)
2021-12-13 15:40:50 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Focal): status New In Progress
2021-12-13 15:40:53 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Focal): importance Undecided Medium
2021-12-13 15:41:00 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Focal): assignee Jorge Merlino (jorge-merlino)
2021-12-13 15:41:03 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Bionic): status New In Progress
2021-12-13 15:41:05 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Bionic): importance Undecided Medium
2021-12-13 15:41:12 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Bionic): assignee Jorge Merlino (jorge-merlino)
2021-12-13 15:41:55 Mauricio Faria de Oliveira iptables-persistent (Ubuntu Jammy): status Confirmed Fix Released
2021-12-13 17:27:33 Jorge Merlino tags patch sts-sponsor-mfo patch sts sts-sponsor-mfo
2021-12-13 20:05:51 Jorge Merlino attachment added lp1949643-bionicv2.debdiff https://bugs.launchpad.net/ubuntu/hirsute/+source/iptables-persistent/+bug/1949643/+attachment/5547365/+files/lp1949643-bionicv2.debdiff
2021-12-13 20:06:31 Jorge Merlino attachment added lp1949643-focalv2.debdiff https://bugs.launchpad.net/ubuntu/hirsute/+source/iptables-persistent/+bug/1949643/+attachment/5547366/+files/lp1949643-focalv2.debdiff
2021-12-13 20:07:09 Jorge Merlino attachment added lp1949643-hirsutev2.debdiff https://bugs.launchpad.net/ubuntu/hirsute/+source/iptables-persistent/+bug/1949643/+attachment/5547367/+files/lp1949643-hirsutev2.debdiff
2021-12-13 20:07:38 Jorge Merlino attachment added lp1949643-impishv2.debdiff https://bugs.launchpad.net/ubuntu/hirsute/+source/iptables-persistent/+bug/1949643/+attachment/5547368/+files/lp1949643-impishv2.debdiff
2021-12-14 21:51:16 Mauricio Faria de Oliveira description [Impact] The iptables-persistent plugins/{15-ip4tables,25-ip6tables} use ip[6]tables-restore without --noflush unconditionally. This doesn't play along well with ufw, which starts before netfilter-persistent typically, and gets its rules flushed. This makes `ufw status` return that ufw is disabled, which is misleading, as `ufw.service` is enabled and ufw actually loaded all its rules correctly (but they were flushed later.) Some images ship iptables-persistent rules, thus are subject to this issue if ufw is used. [Workaround] Disable the netfilter-persistent.service unit, after rules have been migrated to ufw. [Fix] Proposed in Debian bug #998416 [1], Salsa Merge Request [2]. [Test Steps] See the Debian bug. [1] https://bugs.debian.org/998416 [2] https://salsa.debian.org/debian/iptables-persistent/-/merge_requests/3 [Impact] The iptables-persistent plugins/{15-ip4tables,25-ip6tables} use ip[6]tables-restore without --noflush unconditionally. This doesn't play along well with ufw, which starts before netfilter-persistent typically, and gets its rules flushed. This makes `ufw status` return that ufw is disabled, which is misleading, as `ufw.service` is enabled and ufw actually loaded all its rules correctly (but they were flushed later.) Some images ship iptables-persistent rules, thus are subject to this issue if ufw is used. [Workaround] Disable the netfilter-persistent.service unit, after rules have been migrated to ufw. [Fix] Add options IP[6]TABLES_RESTORE_NOFLUSH (disabled by default) to `/etc/default/netfilter-persistent` to allow not flushing existing ip[6]tables rules. Proposed in Debian bug #998416 [1], Salsa Merge Request [2]. [Test Steps] See comment #14 (based on the Debian bug.) [Regression Potential] Regressions would manifest when netfilter-persistent.service starts/loads rules, probably in the form of failures to run ip[6]tables-restore or incorrectly (not) flushing rules.
Note: there is _no_ behavior change by default, so users have to opt in, which should reduce the chances/numbers of potential regressions. [Links] [1] https://bugs.debian.org/998416 [2] https://salsa.debian.org/debian/iptables-persistent/-/merge_requests/3
2021-12-17 15:32:52 Brian Murray iptables-persistent (Ubuntu Impish): status In Progress Fix Committed
2021-12-17 15:32:55 Brian Murray bug added subscriber Ubuntu Stable Release Updates Team
2021-12-17 15:32:58 Brian Murray bug added subscriber SRU Verification
2021-12-17 15:33:02 Brian Murray tags patch sts sts-sponsor-mfo patch sts sts-sponsor-mfo verification-needed verification-needed-impish
2021-12-17 15:33:59 Brian Murray iptables-persistent (Ubuntu Hirsute): status In Progress Fix Committed
2021-12-17 15:34:07 Brian Murray tags patch sts sts-sponsor-mfo verification-needed verification-needed-impish patch sts sts-sponsor-mfo verification-needed verification-needed-hirsute verification-needed-impish
2021-12-17 15:34:58 Brian Murray iptables-persistent (Ubuntu Focal): status In Progress Fix Committed
2021-12-17 15:35:05 Brian Murray tags patch sts sts-sponsor-mfo verification-needed verification-needed-hirsute verification-needed-impish patch sts sts-sponsor-mfo verification-needed verification-needed-focal verification-needed-hirsute verification-needed-impish
2021-12-17 15:39:17 Brian Murray iptables-persistent (Ubuntu Bionic): status In Progress Fix Committed
2021-12-17 15:39:24 Brian Murray tags patch sts sts-sponsor-mfo verification-needed verification-needed-focal verification-needed-hirsute verification-needed-impish patch sts sts-sponsor-mfo verification-needed verification-needed-bionic verification-needed-focal verification-needed-hirsute verification-needed-impish
2021-12-17 15:39:31 Brian Murray removed subscriber Ubuntu Sponsors Team
2021-12-21 02:01:29 Jorge Merlino tags patch sts sts-sponsor-mfo verification-needed verification-needed-bionic verification-needed-focal verification-needed-hirsute verification-needed-impish patch sts sts-sponsor-mfo verification-done-bionic verification-done-focal verification-done-hirsute verification-done-impish verification-needed
2022-01-04 17:06:51 Launchpad Janitor iptables-persistent (Ubuntu Impish): status Fix Committed Fix Released
2022-01-04 17:06:54 Brian Murray removed subscriber Ubuntu Stable Release Updates Team
2022-01-04 17:07:31 Launchpad Janitor iptables-persistent (Ubuntu Hirsute): status Fix Committed Fix Released
2022-01-04 17:08:01 Launchpad Janitor iptables-persistent (Ubuntu Focal): status Fix Committed Fix Released
2022-01-04 17:08:24 Launchpad Janitor iptables-persistent (Ubuntu Bionic): status Fix Committed Fix Released