[pkg-netfilter-team] Bug#911849: iptables: new version breaks firewall loading

Christoph Anton Mitterer calestyo at scientia.net
Thu Oct 25 14:45:07 BST 2018 

Package: iptables
Version: 1.8.1-1
Severity: critical
Tags: security


Hi.

Seems the massive changes in the recent version breaks loading of
firewall rules by tools like netfilter-persistent...

# journalctl | grep netfilter
Oct 25 15:36:55 klenze systemd[1]: Starting netfilter persistent configuration...
Oct 25 15:36:55 klenze netfilter-persistent[345]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Oct 25 15:36:55 klenze netfilter-persistent[345]: /usr/share/netfilter-persistent/plugins.d/15-ip4tables: 23: /usr/share/netfilter-persistent/plugins.d/15-ip4tables: /sbin/iptables-restore: not found
Oct 25 15:36:55 klenze netfilter-persistent[345]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 127
Oct 25 15:36:55 klenze netfilter-persistent[345]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Oct 25 15:36:55 klenze netfilter-persistent[345]: /usr/share/netfilter-persistent/plugins.d/25-ip6tables: 26: /usr/share/netfilter-persistent/plugins.d/25-ip6tables: /sbin/ip6tables-restore: not found
Oct 25 15:36:55 klenze netfilter-persistent[345]: run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 127
Oct 25 15:36:55 klenze systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
Oct 25 15:36:55 klenze systemd[1]: netfilter-persistent.service: Failed with result 'exit-code'.
Oct 25 15:36:55 klenze systemd[1]: Failed to start netfilter persistent configuration.


I'd assume that all other firewall may also depend on the previous paths names,
but haven't checked it.


Severity critical, as such rules may easily be crucial for the whole
system security.


Cheers,
Chris.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages iptables depends on:
ii  libc6                    2.27-6
ii  libip4tc0                1.8.1-1
ii  libip6tc0                1.8.1-1
ii  libiptc0                 1.8.1-1
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl7                1.1.1-1
ii  libxtables12             1.8.1-1

iptables recommends no packages.

Versions of packages iptables suggests:
ii  kmod  25-1

-- no debconf information

More information about the pkg-netfilter-team mailing list