[pkg-lxc-devel] Bug#973439: lxc-net conflicts with iptables-persistent on boot
Ludwig Gramberg
info at ludwig-gramberg.de
Tue Jan 19 11:30:10 GMT 2021
I am new to reporting debian bugs so I follow your advice concerning the severity ;-)
changing systemd-files was also my solution (creating a dependency)
better would be if netfilter-persistent would move to a point in boot when no other iptables-touching software would run, but idk if this is even possible
> Am 19.01.2021 um 12:24 schrieb Pierre-Elliott Bécue <peb at debian.org>:
>
> Le mardi 19 janvier 2021 à 11:20:41+0100, Ludwig Gramberg a écrit :
>> Hi Pierre-Elliot,
>>
>> it’s not that you lose rules set by lxc-net, you basically have a race-condition.
>>
>> lxc-net is setting rules directly by calling iptables commands,
>> setting one rule at a time. iptables-persistent on the other hand is
>> using the iptables-restore command and these don’t mix. If anyone is
>> setting rules in iptables while the restore-command is running the
>> restore-command fails.
>>
>> So it is not about overwriting each other its about the restore
>> failing entirely. I would be happy if the restore „would win“ but it
>> utterly fails leaving the server without its most important basic set
>> of firewall-rules. This is why I categorized this as severe.
>
> IMHO your choice of severity was too strong. This is an incompatibility
> between two packages that poses some security concerns, but it's not a
> CVE, an it's not a daily case for everyone.
>
> I'm eager to tackle it without putting an unneeded Conflicts/Breaks:
> entry on lxc, but it remains something a system administrator has to
> handle and check when one installs such programs.
>
>> The problem can happen with any combination where a process sets
>> firewall rules early in the boot-process while netfilter-persistent is
>> doing its restore.
>
> So actually the good solution would be for netfilter-persistent to be
> fully started *before* lxc-net tries to start, am I right?
>
> We could probably try to do that with systemd files.
>
>> Last I have seen this in Debian 9 happening and have not yet tested
>> this in Debian 10 (doesn't Deb10 use nftables which is profoundly
>> different?)
>
> Both alternatives are present on Debian 10 (iptables and nftables).
>
> --
> Pierre-Elliott Bécue
> GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
> It's far easier to fight for one's principles than to live up to them.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20210119/6617fb12/attachment-0001.html>
More information about the Pkg-lxc-devel
mailing list