iptables-persistent unconditionally drops existing iptables rules

https://salsa.debian.org/debian/iptables-persistent/-/merge_requests/3

SRU for impish

SRU for hirsute

SRU for focal

SRU for bionic

The attachment "lp1949643-impish.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

The fix has been released in Debian and Ubuntu Jammy.

https://launchpad.net/ubuntu/+source/iptables-persistent/1.0.16

@jorge-merlino,

Thanks for the backports/debdiffs for the stable releases!

I have reviewed them, which look mostly good; I suggested
some changes and provided feedback on email. :)

cheers!

SRU for Bionic. Fixed changelog and indentantion

SRU for Focal. Fixed changelog.

SRU for Hirsute. Fixed changelog.

SRU for Impish. Fixed changelog.

The SRU patches where built and tested by me in each Ubuntu version.

Test Steps from Debian bug, for reference.

- 1. Configure rules files:

cat <<EOF4 >/etc/iptables/rules.v4
# Generated by iptables-save v1.8.7 on Wed Nov 3 20:43:56 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 1.0.0.1/32 -p icmp -j DROP
COMMIT
# Completed on Wed Nov 3 20:43:56 2021
EOF4

cat <<EOF6 >/etc/iptables/rules.v6
# Generated by ip6tables-save v1.8.7 on Wed Nov 3 20:43:56 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 2606:4700:4700::1001/128 -p icmp -j DROP
COMMIT
# Completed on Wed Nov 3 20:43:56 2021
EOF6

 - 2. Flush existing rules:

iptables -F
ip6tables -F

 - 3. Add rules for 1.1.1.1:

iptables -A INPUT -p icmp -s 1.1.1.1 -j DROP
ip6tables -A INPUT -p icmp -s 2606:4700:4700::1111 -j DROP

- 4. Check rules for 1.1.1.1 are in:

iptables -nL | grep -e 1.1.1.1 -e 1.0.0.1
ip6tables -nL | grep -e 2606:4700:4700::1111 -e 2606:4700:4700::1001

- 5. Start iptables-persistent scripts:

netfilter-persistent start

Default behavior:

- 6. Check rules for 1.0.0.1 are in (rules for 1.1.1.1 are gone)

iptables -nL | grep -e 1.1.1.1 -e 1.0.0.1
ip6tables -nL | grep -e 2606:4700:4700::1111 -e 2606:4700:4700::1001

Optional behavior:

- 7. Enable the new options:

sed -i '/RESTORE_NOFLUSH/ s/^# //' /etc/default/netfilter-persistent

- 8. Repeat steps 2-5

- 9. Check rules for 1.0.0.1 _and_ 1.1.1.1 are in (rules for 1.1.1.1 are kept)

iptables -nL | grep -e 1.1.1.1 -e 1.0.0.1
ip6tables -nL | grep -e 2606:4700:4700::1111 -e 2606:4700:4700::1001

Thanks, Jorge!

I've sponsored the debdiffs with minor changes
(that I didn't mention previously) to B/F/H/I,
and added some stuff to the SRU template [1,2].

The changes build fine on LP PPAs for all releases.

cheers,
Mauricio

...

For reference:

- versioning:
  - B: change ubuntu2 to ubuntu1.1 (SRUs usually +0.1)
  - H/I: change ubuntu1 (same version on diff releases)
         to ubuntu0.21.{04,10}.1
- maintainer:
  - F/H/I: run update-maintainer

[1] https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging
[2] https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template

Hello Mauricio, or anyone else affected,

Accepted iptables-persistent into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/iptables-persistent/1.0.15ubuntu0.21.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mauricio, or anyone else affected,

Accepted iptables-persistent into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/iptables-persistent/1.0.15ubuntu0.21.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mauricio, or anyone else affected,

Accepted iptables-persistent into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/iptables-persistent/1.0.14ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mauricio, or anyone else affected,

Accepted iptables-persistent into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/iptables-persistent/1.0.4+nmu2ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Tested version 1.0.4+nmu2ubuntu1.1 in Bionic.
Performed the tests on comment #14. All worked fine.

Tested version 1.0.14ubuntu1 in Focal.
Performed the tests on comment #14. All worked fine.

Tested version 1.0.15ubuntu0.21.04.1 in Hirsute.
Performed the tests on comment #14. All worked fine.

Tested version 1.0.15ubuntu0.21.10.1 in Impish.
Performed the tests on comment #14. All worked fine.

This bug was fixed in the package iptables-persistent - 1.0.15ubuntu0.21.10.1

---------------
iptables-persistent (1.0.15ubuntu0.21.10.1) impish; urgency=medium

  * Add configuration options IP[6]TABLES_RESTORE_NOFLUSH so that
    existing rules are not flushed on start/load (LP: #1949643)
    - debian/netfilter-persistent.default: Introduce options
    - plugins/{15-ip4tables,25-ip6tables}: Check/apply options

 -- Jorge Merlino <email address hidden> Fri, 10 Dec 2021 09:36:34 -0300

The verification of the Stable Release Update for iptables-persistent has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package iptables-persistent - 1.0.15ubuntu0.21.04.1

---------------
iptables-persistent (1.0.15ubuntu0.21.04.1) hirsute; urgency=medium

  * Add configuration options IP[6]TABLES_RESTORE_NOFLUSH so that
    existing rules are not flushed on start/load (LP: #1949643)
    - debian/netfilter-persistent.default: Introduce options
    - plugins/{15-ip4tables,25-ip6tables}: Check/apply options

 -- Jorge Merlino <email address hidden> Fri, 10 Dec 2021 09:49:39 -0300

This bug was fixed in the package iptables-persistent - 1.0.14ubuntu1

---------------
iptables-persistent (1.0.14ubuntu1) focal; urgency=medium

  * Add configuration options IP[6]TABLES_RESTORE_NOFLUSH so that
    existing rules are not flushed on start/load (LP: #1949643)
    - debian/netfilter-persistent.default: Introduce options
    - plugins/{15-ip4tables,25-ip6tables}: Check/apply options

 -- Jorge Merlino <email address hidden> Fri, 10 Dec 2021 09:55:20 -0300

This bug was fixed in the package iptables-persistent - 1.0.4+nmu2ubuntu1.1

---------------
iptables-persistent (1.0.4+nmu2ubuntu1.1) bionic; urgency=medium

  * Add configuration options IP[6]TABLES_RESTORE_NOFLUSH so that
    existing rules are not flushed on start/load (LP: #1949643)
    - debian/netfilter-persistent.default: Introduce options
    - plugins/{15-ip4tables,25-ip6tables}: Check/apply options

 -- Jorge Merlino <email address hidden> Fri, 10 Dec 2021 10:51:47 -0300