[pkg-lxc-devel] Bug#973439: lxc-net conflicts with iptables-persistent on boot

Pierre-Elliott Bécue peb at debian.org
Tue Jan 19 09:38:53 GMT 2021


Control: severity -1 important
Control: tags -1 +stretch

On Friday, 30 October 2020 at 16:10:09+0100, Ludwig Gramberg wrote:
> When lxc-net and netfilter/iptables-persistent are installed, the start-up script
> in lxc-net uses iptables commands while iptables-restore is used by netfilter-persistent.
> This is an unstable situation which sometimes causes iptables-restore to fail on COMMIT.
> Thus the iptables rules are not being loaded, leaving the server vulnerable.
> 
> This should be solved within the service files of systemd. If netfilter-persistent.service
> only runs after lxc-net.service the conflict should be avoided. At least it helped on my server.

Dear Ludwig,

Thanks for your bug report. The issue does not seem that easy to tackle.
Indeed, if you start netfilter-persistent after lxc-net, you lose the
lxc-net firewall configurations you've made, as netfilter-persistent
overrides the rules set in place by lxc-net.

Apart from that, have you experienced this issue in the current stable
release?

Cheers!

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
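The failure mode described in this thread (iptables-restore losing its COMMIT race against lxc-net's iptables calls, so the persisted ruleset never lands) is easy to miss because the host boots normally. The script below is an added example, not code from the bug report, lxc or netfilter-persistent: it compares the ruleset netfilter-persistent should have restored with a live `iptables-save` dump and reports every rule that is missing, so a boot where the restore failed is detected instead of silently leaving the firewall open. The file paths, the two embedded rulesets and the lxc-style rules are constructed samples (they resemble but are not copied from what lxc-net installs); on a real host you would feed it `/etc/iptables/rules.v4` and a fresh `iptables-save` dump.

```shell
#!/bin/sh
# Added example (not part of the bug report, lxc or netfilter-persistent):
# compare the persisted iptables ruleset with the live one and list what is
# missing, so a failed iptables-restore COMMIT at boot does not go unnoticed.
#
# Real-host usage (paths are assumptions, not taken from the packages):
#   iptables-save > /run/live.v4
#   missing_rules /etc/iptables/rules.v4 /run/live.v4 || echo "firewall incomplete"

# Normalise an iptables-save dump so equivalent rules compare equal:
# drop comment lines, COMMIT lines, the [packets:bytes] counters and
# trailing whitespace, then sort for comm(1).
normalize_rules() {
    sed -e '/^#/d' \
        -e '/^COMMIT$/d' \
        -e 's/\[[0-9]*:[0-9]*\]//g' \
        -e 's/[[:space:]]*$//' "$1" | sort -u
}

# Print every line (chain policy or rule) present in the persisted file but
# absent from the live dump. Returns 0 when nothing is missing, 1 otherwise.
missing_rules() {
    persisted="$1"
    live="$2"
    tmp_p=$(mktemp)
    tmp_l=$(mktemp)
    normalize_rules "$persisted" > "$tmp_p"
    normalize_rules "$live" > "$tmp_l"
    # comm -23: lines only in the first (persisted) file
    missing=$(comm -23 "$tmp_p" "$tmp_l")
    rm -f "$tmp_p" "$tmp_l"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed samples. rules.v4 is the ruleset netfilter-persistent is expected
# to restore; live.v4 imitates a boot where iptables-restore failed on COMMIT,
# so the chains kept their default ACCEPT policy and only the rules added by
# plain iptables calls (lxc-net style, constructed here) are present.
write_samples() {
    dir="$1"
    cat > "$dir/rules.v4" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
    cat > "$dir/live.v4" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [120:9600]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [88:7000]
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
COMMIT
EOF
}

# Run the check on the constructed samples and print how many persisted
# lines (two DROP policies and three rules) are missing from the live dump.
demo_missing_count() {
    dir=$(mktemp -d)
    write_samples "$dir"
    missing_rules "$dir/rules.v4" "$dir/live.v4" | grep -c .
    rm -rf "$dir"
}
```

Chain policy lines are compared as well as rules, which matters here: a restore that fails on COMMIT leaves the default ACCEPT policies in place, and that is exactly the "server vulnerable" state the report describes even when a few rules from other services are present. Running this from a late-boot unit or a cron job, and alerting on a non-zero exit, turns the intermittent race into something that is noticed.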