Bug 603228 - net-firewall/nftables init script does not respect SAVE_OPTIONS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2016-12-20 17:01 UTC by Phil
Modified: 2017-11-05 21:51 UTC

Description Phil 2016-12-20 17:01:49 UTC
This is probably a regression introduced by commit 191595ea91dcf ("net-firewall/nftables: refactor init.d/nftables into libexec/nftable.sh"):

/etc/init.d/nftables calls /usr/libexec/nftables/nftables.sh and the latter uses the SAVE_OPTIONS variable (only if use_legacy, which is a bug of its own BTW) but that is not defined since it's not passed along by the init script itself.

That SAVE_OPTIONS variable is present in /etc/conf.d/nftables, in case you're wondering.

Reproducible: Always

Actual Results:  
Even after setting SAVE_OPTIONS, they are not used when saving nftables state.

Expected Results:  
SAVE_OPTIONS is passed to nft call regardless of use_legacy.
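
The failure described in this report, reproduced as an added example that is not part of the original report or of Gentoo's scripts: a variable sourced from a conf.d-style file is invisible to a child script unless it is exported or passed in the child's environment. The file names, the function names and the sample value `-n` are constructed stand-ins, and `nft` is never executed.

```shell
#!/bin/sh
# Constructed stand-ins for /etc/conf.d/nftables and
# /usr/libexec/nftables/nftables.sh; nft itself is never run.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Sample config value (constructed for this demo).
printf 'SAVE_OPTIONS="-n"\n' > "$demo_dir/conf"

cat > "$demo_dir/child.sh" <<'EOF'
#!/bin/sh
# Print the command line the helper would run instead of running it.
set -f                                   # no globbing on the option string
set -- nft ${SAVE_OPTIONS} list ruleset  # word splitting is intended here
echo "$*"
EOF

# Regression: the parent sources the config, but the variable stays
# shell-local, so the child never sees it.
store_without_export() (
    unset SAVE_OPTIONS
    . "$demo_dir/conf"
    sh "$demo_dir/child.sh"
)

# The approach proposed in Comment 1: export before calling the helper.
store_with_export() (
    unset SAVE_OPTIONS
    . "$demo_dir/conf"
    export SAVE_OPTIONS
    sh "$demo_dir/child.sh"
)

# Alternative (an assumption, not taken from the bug): pass the variable
# in the environment of that one command only.
store_with_command_env() (
    unset SAVE_OPTIONS
    . "$demo_dir/conf"
    SAVE_OPTIONS="$SAVE_OPTIONS" sh "$demo_dir/child.sh"
)
```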
Comment 1 Phil 2016-12-20 17:07:08 UTC
Here's how I fixed this issue for myself, I think it's the simplest solution:

diff --git a/net-firewall/nftables/files/libexec/nftables.sh b/net-firewall/nftables/files/libexec/nftables.sh
index f720b9bfc514f..cc55f8566000d 100755
--- a/net-firewall/nftables/files/libexec/nftables.sh
+++ b/net-firewall/nftables/files/libexec/nftables.sh
@@ -27,7 +27,7 @@ main() {
         "store")
             local tmp_save="${NFTABLES_SAVE}.tmp"
             if ! use_legacy; then
-                nft list ruleset > ${tmp_save}
+                nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
             else
                 save_legacy ${tmp_save}
             fi
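Review bot: On the added line, `${SAVE_OPTIONS}` is expanded unquoted, so the value read from /etc/conf.d/nftables goes through pathname expansion as well as the word splitting that is wanted here for multiple flags; wrap the call in `set -f` or document that the value must contain plain flags only. The redirect target on the same line should be quoted as `> "${tmp_save}"`, since it is derived from NFTABLES_SAVE, which the init script quotes in its checkpath calls.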
diff --git a/net-firewall/nftables/files/nftables.init b/net-firewall/nftables/files/nftables.init
index 217251e41db49..b96cc19564e30 100644
--- a/net-firewall/nftables/files/nftables.init
+++ b/net-firewall/nftables/files/nftables.init
@@ -83,6 +83,7 @@ save() {
     ebegin "Saving nftables state"
     checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
     checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
+    export SAVE_OPTIONS
     /usr/libexec/nftables/nftables.sh store ${NFTABLES_SAVE}
     return $?
 }
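Review bot: `export SAVE_OPTIONS` inside save() leaves the variable exported for everything the init script runs afterwards, not only this call; a per-command assignment such as `SAVE_OPTIONS="${SAVE_OPTIONS}" /usr/libexec/nftables/nftables.sh store "${NFTABLES_SAVE}"` scopes it to the one child and shows the dependency at the call site. The same line passes `${NFTABLES_SAVE}` unquoted although both checkpath lines above quote it. Separately, checkpath sets mode 0600 on NFTABLES_SAVE only, while the first hunk writes the ruleset to `${NFTABLES_SAVE}.tmp`; nothing in the visible lines sets the mode of that temporary file, so it is worth confirming it is not created under the default umask.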
Comment 2 Louis Sautier (sbraz) gentoo-dev 2017-11-05 21:51:36 UTC
Fixed in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73651790d96992c366b3666e6dda1af1a62c6b0f
Date:   Sat Jan 7 06:54:28 2017 -0800

    net-firewall/nftables: Fix SAVE_OPTIONS bug in libexec scripts

    The libexec script doesn't honor the SAVE_OPTIONS variable.  This commit fixes
    that issue.

    Thanks to Phil@nwl.cc for providing the fix for the issue.

    Gentoo-bug: 603228

    Package-Manager: Portage-2.3.3, Repoman-2.3.1