[pkg-lxc-devel] Bug#973439: lxc-net conflicts with iptables-persistent on boot

Ludwig Gramberg info at ludwig-gramberg.de
Fri Oct 30 15:10:09 GMT 2020

Package: lxc
Version: 1:2.0.7-2+deb9u2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,


When lxc-net and netfilter/iptables-persistent are installed, the start-up script
in lxc-net uses iptables commands while iptables-restore is used by netfilter-persistent.
This is an unstable situation which sometimes causes iptables-restore to fail on COMMIT.
Thus the iptables rules are not being loaded, leaving the server vulnerable.

This should be solved within the systemd service files. If netfilter-persistent.service
only runs after lxc-net.service, the conflict should be avoided. At least it helped on my server.


-- System Information:
Debian Release: 9.13
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-14-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lxc depends on:
ii  init-system-helpers  1.48
ii  libapparmor1         2.11.0-3+deb9u2
ii  libc6                2.24-11+deb9u4
ii  libcap2              1:2.25-1
ii  libgnutls30          3.5.8-5+deb9u5
ii  liblxc1              1:2.0.7-2+deb9u2
ii  libseccomp2          2.3.1-2.1+deb9u1
ii  libselinux1          2.6-3+b3
ii  lsb-base             9.20161125
ii  python3              3.5.3-1
ii  python3-lxc          1:2.0.7-2+deb9u2

Versions of packages lxc recommends:
ii  bridge-utils  1.5-13+deb9u1
ii  debootstrap   1.0.89
ii  dirmngr       2.1.18-8~deb9u4
ii  dnsmasq-base  2.76-5+deb9u2
ii  gnupg         2.1.18-8~deb9u4
ii  iptables      1.6.0+snapshot20161117-6
ii  libpam-cgfs   2.0.7-1+deb9u1
ii  lxcfs         2.0.7-1+deb9u1
ii  openssl       1.1.0l-1~deb9u1
ii  rsync         3.1.2-1+deb9u2
ii  uidmap        1:4.4-4.1

Versions of packages lxc suggests:
pn  apparmor     <none>
pn  btrfs-tools  <none>
pn  lvm2         <none>

-- no debconf information
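The ordering workaround the reporter describes, as an added example that is not part of the bug report nor of the lxc or netfilter-persistent packages: a small POSIX sh script that installs a systemd drop-in for netfilter-persistent.service carrying After=lxc-net.service, so the persistent ruleset is restored only once lxc-net has finished its own iptables calls. The drop-in file name (10-after-lxc-net.conf), the DROPIN_ROOT override used for testing, and the helper names are assumptions made for this example; the unit names are the ones given in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian packages): order
# netfilter-persistent.service after lxc-net.service with a systemd drop-in.
# Assumptions: unit names as in the report; DROPIN_ROOT defaults to
# /etc/systemd/system and can be pointed at a scratch directory for testing.

DROPIN_ROOT="${DROPIN_ROOT:-/etc/systemd/system}"
DROPIN_NAME="10-after-lxc-net.conf"

# write_dropin ROOT
#   Creates ROOT/netfilter-persistent.service.d/10-after-lxc-net.conf and
#   prints its path. Only After= is used: it orders the two units when both
#   are started in the same boot transaction and does not pull lxc-net in,
#   so the drop-in is harmless on hosts where lxc-net is absent or disabled.
write_dropin() {
    root="$1"
    dir="$root/netfilter-persistent.service.d"
    mkdir -p "$dir"
    cat > "$dir/$DROPIN_NAME" <<'EOF'
# Restore the persistent ruleset only after lxc-net has run its iptables
# commands, so iptables-restore does not race them during boot.
[Unit]
After=lxc-net.service
EOF
    printf '%s\n' "$dir/$DROPIN_NAME"
}

# dropin_orders_after ROOT UNIT
#   Returns 0 if the drop-in under ROOT contains an exact "After=UNIT" line.
dropin_orders_after() {
    grep -qx "After=$2" "$1/netfilter-persistent.service.d/$DROPIN_NAME"
}

# dropin_unit_section_ok ROOT
#   Returns 0 if the drop-in has the [Unit] header systemd needs for After=.
dropin_unit_section_ok() {
    grep -qx '\[Unit\]' "$1/netfilter-persistent.service.d/$DROPIN_NAME"
}

# Install for real only when explicitly asked, so sourcing the file is safe.
if [ "${DROPIN_INSTALL:-0}" = "1" ]; then
    f=$(write_dropin "$DROPIN_ROOT")
    echo "wrote $f; now run: systemctl daemon-reload"
fi
```

Run it with DROPIN_INSTALL=1 as root, then `systemctl daemon-reload` and confirm the ordering took effect with `systemctl show -p After netfilter-persistent.service`, which should list lxc-net.service. Ordering alone does not retry a restore that already failed, so after the next reboot check `systemctl status netfilter-persistent.service` and compare `iptables-save` against the saved rules. This is a per-host workaround; the report's point is that the packaged unit files should carry the ordering themselves.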
