[Secure-testing-team] Bug#867560: netfilter-persistent fails randomly during boot; restarting later works
David
tmp221 at dmus.eu
Fri Jul 7 11:04:51 UTC 2017
Package: netfilter-persistent
Version: 1.0.4+nmu2
Severity: grave
Tags: security
Justification: renders package unusable
Dear Maintainer,
* What led up to the situation?
Upgrading from jessie to stretch.
On two Debian systems, netfilter-persistent worked fine in jessie but randomly
fails to load rules.v4 and/or rules.v6 during boot. Most of the time, at
least one of these fails. Restarting later works fine.
* What exactly did you do (or not do) that was effective (or ineffective)?
1) # apt-get purge iptables-persistent netfilter-persistent && apt-get install iptables-persistent
2) Edit /usr/share/netfilter-persistent/plugins.d/15-ip4tables and
/usr/share/netfilter-persistent/plugins.d/25-ip6tables so
/sbin/ip(6)tables-restore writes errors to a file instead of /dev/null
3) # systemctl restart netfilter-persistent
* What was the outcome of this action?
1) No effect.
2)
iptables-restore: line 33 failed
ip6tables-restore: line 25 failed
(These are the last lines of rules.v4 and rules.v6 respectively, each saying
"COMMIT".)
3) Works (until next reboot).
Since "systemctl restart netfilter-persistent" works just fine, I think it
might have to do with the patch suggested in #819693. Starting with
stretch, the unit file switched from network.target to network-pre.target.
While network-pre.target is in theory intended for firewall use, I think
network-pre.target might make it impossible to reference specific interfaces
within iptables rules (e.g. "-A INPUT -i lo -j ACCEPT").
-- System Information:
Debian Release: 9.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages netfilter-persistent depends on:
ii init-system-helpers 1.48
ii lsb-base 9.20161125
netfilter-persistent recommends no packages.
Versions of packages netfilter-persistent suggests:
ii iptables-persistent 1.0.4+nmu2
-- no debconf information
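The diagnostic in step 2 of the report (capture the restore errors instead of sending them to /dev/null, then map "line N failed" back to the rule at that line) can be scripted so it is repeatable at the next boot. The block below is an added example for this mailing-list page, not code from the report or from the netfilter-persistent plugins; the rules file it creates is a constructed sample, the function names are the example's own, and the stand-alone demo relies on the real `iptables-restore --test` dry-run flag so that running it never changes the live firewall.

```shell
#!/bin/sh
# Added example (not the reporter's or the package's code): keep ip(6)tables-restore
# errors in a log file instead of /dev/null, then show which rule "line N failed"
# refers to. Works the same way for ip6tables-restore and rules.v6.

# Constructed sample rules file in iptables-save format (not the reporter's rules.v4).
# Line 7 is the COMMIT line, the position the report saw failing.
SAMPLE_RULES="${TMPDIR:-/tmp}/example-rules.v4.$$"
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF

# rule_at_line FILE N: print line N of the rules file, i.e. the text that a
# "line N failed" message from the restore tool points at.
rule_at_line() {
    sed -n "${2}p" "$1"
}

# restore_logged CMD RULES_FILE LOG_FILE: run the restore command the way the
# plugin does (rules on stdin) but append stderr to LOG_FILE rather than
# discarding it. CMD is deliberately unquoted so "iptables-restore --test"
# splits into command and argument. Returns the restore command's exit status.
restore_logged() {
    $1 < "$2" 2>> "$3"
}

# failed_line LOG_FILE: line number from the most recent "line N failed" message,
# or nothing if the log holds no such message.
failed_line() {
    sed -n 's/.*line \([0-9][0-9]*\) failed.*/\1/p' "$1" | tail -n 1
}

# explain_failure CMD RULES_FILE LOG_FILE: run the restore and, on failure,
# print "line N: <rule text>" so the failing rule is visible without opening
# the file by hand. Returns 0 on success, 1 on failure.
explain_failure() {
    if restore_logged "$1" "$2" "$3"; then
        echo "restore ok"
        return 0
    fi
    n=$(failed_line "$3")
    if [ -n "$n" ]; then
        echo "line $n: $(rule_at_line "$2" "$n")"
    else
        echo "restore failed; see $3"
    fi
    return 1
}

# Stand-alone demo, only when asked for: --test parses and builds the ruleset
# without committing it, so the live firewall is untouched.
if [ "${1:-}" = "--demo" ]; then
    explain_failure "iptables-restore --test" "$SAMPLE_RULES" "${TMPDIR:-/tmp}/restore-errors.log"
fi
```

To reproduce the reporter's setup at boot, point `restore_logged` at the real rules file from the plugin and drop `--test`; the log then records whether the failure is on the COMMIT line, as in the report, or on an individual rule, which is the first thing to know before deciding whether unit ordering (network-pre.target versus network.target) is the cause.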