Bug#946519: iptables fails to update rules from fwbuilder


J.L. Fernandez Jambrina
Package: iptables
Version: 1.8.3-2
Severity: important

Dear Maintainer,

   After upgrading to buster from stretch, the iptables defined in fwbuilder don't work when changed:
 all I get is a message "iptables: Chain already exists" for each rule and they don't work.

   Moreover, as I removed the network-manager package, my system starts without rules (maybe with default rules) and at this moment the script generated by fwbuilder runs without warning and rules are applied. Afterwards, if I try to apply different rules, I get the warning messages and the rules don't work.

   At first my system was running the stable version of iptables, 1.8.2-4, so I moved to the testing version, 1.8.3-2, without changes.

   Thanks in advance,


-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8), LANGUAGE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.28-10
ii  libip4tc2                1.8.3-2
ii  libip6tc2                1.8.3-2
ii  libiptc0                 1.8.3-2
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.5-1
ii  libxtables12             1.8.3-2

Versions of packages iptables recommends:
ii  nftables  0.9.0-2

Versions of packages iptables suggests:
ii  kmod  26-1

-- no debconf information


Bug#946519: iptables fails to update rules from fwbuilder

Arturo Borrero Gonzalez-3
On Tue, 10 Dec 2019 14:32:59 +0100
José L. Fernández Jambrina
<[hidden email]> wrote:

> Package: iptables
> Version: 1.8.3-2
> Severity: important
>
> Dear Maintainer,
>
>    After upgrading to buster from stretch, the iptables defined in fwbuilder don't work when changed:
>  all I get is a message "iptables: Chain already exists" for each rule and they don't work.
>
>    Moreover, as I removed the network-manager package, my system starts without rules (maybe with default rules) and at this moment the script generated by fwbuilder runs without warning and rules are applied. Afterwards, if I try to apply different rules, I get the warning messages and the rules don't work.
>
>    At first my system was running the stable version of iptables, 1.8.2-4, so I moved to the testing version, 1.8.3-2, without changes.
>

We would need additional information about what ruleset you (or fwbuilder)
are trying to load.

regards.


Bug#946519: (no subject)

Arturo Borrero Gonzalez-3
In reply to this post by J.L. Fernandez Jambrina
Control: tag -1 moreninfo


Bug#946519: iptables fails to update rules from fwbuilder

Raphael Hertzog-3
In reply to this post by Arturo Borrero Gonzalez-3
Hello,

On Mon, 20 Jan 2020, Arturo Borrero Gonzalez wrote:
> >    After upgrading to buster from stretch, the iptables defined in fwbuilder don't work when changed:
> >  all I get is a message "iptables: Chain already exists" for each rule and they don't work.
> >
> >    Moreover, as I removed the network-manager package, my system starts without rules (maybe with default rules) and at this moment the script generated by fwbuilder runs without warning and rules are applied. Afterwards, if I try to apply different rules, I get the warning messages and the rules don't work.
> >
> >    At first my system was running the stable version of iptables, 1.8.2-4, so I moved to the testing version, 1.8.3-2, without changes.
>
> We would need additional information about what ruleset you (or fwbuilder)
> are trying to load.

The user is likely affected by this fwbuilder bug:
https://github.com/fwbuilder/fwbuilder/issues/88

Cheers,
--
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <[hidden email]>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS


Bug#951256: iptables fails to update rules from fwbuilder

J.L. Fernandez Jambrina
In reply to this post by J.L. Fernandez Jambrina
Package: iptables
Version: 1.8.3-2
Severity: important


Dear maintainer,

     This is the Router.fw (renamed to Router_bad.fw) that fwbuilder generates on
my system.

     I found a workaround: I put the command "nft flush ruleset" in the
prolog section. I defined it in the User|Router|Editor|Firewalls
Settings|Prolog/Epilog section of my router, and I have to recognize that I
commented it out to generate the file I am sending, so you can uncomment it to
verify it works.


     Thanks very much



On 10/12/19 at 14:32, José L. Fernández Jambrina wrote:

> Package: iptables
> Version: 1.8.3-2
> Severity: important
>
> Dear Maintainer,
>
> After upgrading to buster from stretch, the iptables defined in
> fwbuilder don't work when changed:
> all I get is a message "iptables: Chain already exists" for each rule
> and they don't work.
>
> Moreover, as I removed the network-manager package, my system starts without
> rules (maybe with default rules) and at this moment the script generated
> by fwbuilder runs without warning and rules are applied. Afterwards,
> if I try to apply different rules, I get the warning messages and
> the rules don't work.
>
> At first my system was running the stable version of iptables,
> 1.8.2-4, so I moved to the testing version, 1.8.3-2, without changes.
>
> Thanks in advance,
>
>
> -- System Information:
> Debian Release: 10.2
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
> Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8),
> LANGUAGE=es_ES.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages iptables depends on:
> ii libc6 2.28-10
> ii libip4tc2 1.8.3-2
> ii libip6tc2 1.8.3-2
> ii libiptc0 1.8.3-2
> ii libmnl0 1.0.4-2
> ii libnetfilter-conntrack3 1.0.7-1
> ii libnfnetlink0 1.0.1-3+b1
> ii libnftnl11 1.1.5-1
> ii libxtables12 1.8.3-2
>
> Versions of packages iptables recommends:
> ii nftables 0.9.0-2
>
> Versions of packages iptables suggests:
> ii kmod 26-1
>
> -- no debconf information


Router_bad.fw (29K) Download Attachment

Bug#946519: iptables fails to update rules from fwbuilder

J.L. Fernandez Jambrina
In reply to this post by Arturo Borrero Gonzalez-3
Dear maintainer,

     This is the Router.fw (renamed to Router_bad.fw) that fwbuilder generates on
my system.

     I found a workaround: I put the command "nft flush ruleset" in the
prolog section. I defined it in the User|Router|Editor|Firewalls
Settings|Prolog/Epilog section of my router, and I have to recognize that I
commented it out to generate the file I am sending, so you can uncomment it to
verify it works.


     Thanks very much

On 20/1/20 at 14:18, Arturo Borrero Gonzalez wrote:

> On Tue, 10 Dec 2019 14:32:59 +0100
> José L. Fernández Jambrina
> <[hidden email]> wrote:
>> Package: iptables
>> Version: 1.8.3-2
>> Severity: important
>>
>> Dear Maintainer,
>>
>>     After upgrading to buster from stretch, the iptables defined in fwbuilder don't work when changed:
>>   all I get is a message "iptables: Chain already exists" for each rule and they don't work.
>>
>>     Moreover, as I removed the network-manager package, my system starts without rules (maybe with default rules) and at this moment the script generated by fwbuilder runs without warning and rules are applied. Afterwards, if I try to apply different rules, I get the warning messages and the rules don't work.
>>
>>     At first my system was running the stable version of iptables, 1.8.2-4, so I moved to the testing version, 1.8.3-2, without changes.
>>
> We would need additional information about what ruleset you (or fwbuilder)
> are trying to load.
>
> regards.

Router_bad.fw (29K) Download Attachment
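
The workaround in the message above, sketched as a pre-flight check (an added example, not part of the thread or of fwbuilder's generated script): it flushes only when iptables is the nf_tables variant and user-defined chains survived the reset, because `nft flush ruleset` removes every nftables table on the host, not only the script's own. The function names, the sample `iptables-save` text and the chain names are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a generated firewall script on a
# host where iptables may be the nf_tables variant.

# Classify the string printed by `iptables --version`.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Read `iptables-save` output on stdin and print "table chain" for every
# user-defined chain (policy field "-"); built-in chains carry a policy.
# A later `iptables -N` on one of these fails with "Chain already exists".
leftover_chains() {
    awk '/^\*/ { table = substr($0, 2); next }
         /^:/  { if ($2 == "-") print table, substr($1, 2) }'
}

# Constructed sample: state left behind after an incomplete reset.
SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:In_RULE_0 - [0:0]
:RULE_3 - [0:0]
-A INPUT -i eth0 -j In_RULE_0
COMMIT'

# Print the command the prolog should run: the flush only on the nf_tables
# backend and only when chains survived; otherwise the no-op ":".
prolog_command() {
    version=$1 saved=$2
    [ "$(iptables_backend "$version")" = nf_tables ] || { echo ":"; return; }
    if [ -n "$(printf '%s\n' "$saved" | leftover_chains)" ]; then
        echo "nft flush ruleset"
    else
        echo ":"
    fi
}
```

On a live host the two arguments would come from `iptables --version` and `iptables-save`, both run as root.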

Bug#946519: iptables fails to update rules from fwbuilder

J.L. Fernandez Jambrina
In reply to this post by Raphael Hertzog-3
Sorry for my delay,

A few minutes ago I answered your first request and I proposed a
workaround.

Yes, it seems the reset_iptables function doesn't work. As fwbuilder
worked with iptables, I think it's a bug in the iptables-nftables translator.

   Thanks very much for your attention,

P.S.: OMG, I opened a new bug, #951256; please, could you remove it?

On 12/2/20 at 14:32, Raphael Hertzog wrote:

> Hello,
>
> On Mon, 20 Jan 2020, Arturo Borrero Gonzalez wrote:
>>>     After upgrading to buster from stretch, the iptables defined in fwbuilder don't work when changed:
>>>   all I get is a message "iptables: Chain already exists" for each rule and they don't work.
>>>
>>>     Moreover, as I removed the network-manager package, my system starts without rules (maybe with default rules) and at this moment the script generated by fwbuilder runs without warning and rules are applied. Afterwards, if I try to apply different rules, I get the warning messages and the rules don't work.
>>>
>>>     At first my system was running the stable version of iptables, 1.8.2-4, so I moved to the testing version, 1.8.3-2, without changes.
>> We would need additional information about what ruleset you (or fwbuilder)
>> are trying to load.
> The user is likely affected by this fwbuilder bug:
> https://github.com/fwbuilder/fwbuilder/issues/88
>
> Cheers,