Bug 721578 - net-firewall/iptables-1.8.4-r1 re-merge results in no symlinks for /sbin/iptables
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2020-05-08 04:16 UTC by Alec Warner
Modified: 2020-05-09 02:55 UTC
Description Alec Warner (RETIRED) archtester gentoo-dev Security 2020-05-08 04:16:42 UTC
Basically I have iptables-1.8.4-r1 installed. By accident, I re-merged iptables-1.8.4-r1 (automation went haywire.) This resulted in seeing:

vireo ~ # iptables -L
-bash: iptables: command not found

I believe this is because in the prerm for iptables:

pkg_prerm() {
	elog "Unsetting iptables symlinks before removal"
	eselect iptables unset

	# the eselect module failing should not be fatal
	return 0
}

This is supposed to be fixed in the postinst:

pkg_postinst() {
	local default_iptables="xtables-legacy-multi"
	if ! eselect iptables show &>/dev/null; then
		elog "Current iptables implementation is unset, setting to ${default_iptables}"
		eselect iptables set "${default_iptables}"
		use ipv6 && eselect iptables set --ipv6 "${default_iptables}"
	fi
	eselect iptables show
}


A few bugs then:

eselect iptables unset doesn't appear to unset the ipv6 symlinks.
The postinst symlink fixing part does not work all the time, leaving systems with no iptables symlink.

04:04 <@floppym> I can reproduce the issue by unmerging iptables and then remerging it.
04:04 <@antarus> ah ok, I was just starting to do that
04:04 <@antarus> ah
04:04 <@antarus> even simpler case
04:05 <@antarus> emerge iptables (1.8.4-r1)
04:05 <@antarus> ah * Unsetting iptables symlinks before removal
04:05 <@antarus> that must be in the iptables postrm?
04:05 <@floppym> prerm
04:05 <@floppym> And yes.
04:06 <@floppym> Yeah, these postinst and prerm functions are messed up. I'll look into it.

I believe just running "emerge iptables" is sufficient to trigger this condition.
Comment 1 Mike Gilbert gentoo-dev 2020-05-08 04:34:02 UTC
The eselect module seems to have some issues; I have added it to git so we can track changes.

https://gitweb.gentoo.org/proj/eselect.git/tree/modules/iptables.eselect?h=extern
Comment 2 Alec Warner (RETIRED) archtester gentoo-dev Security 2020-05-08 06:09:30 UTC
(In reply to Mike Gilbert from comment #1)
> The eselect module seems to have some issues; I have added it to git so we
> can track changes.
> 
> https://gitweb.gentoo.org/proj/eselect.git/tree/modules/iptables.eselect?h=extern

Ack, even things like:

vireo ~ # type iptables
iptables is hashed (/sbin/iptables)
vireo ~ # eselect iptables set 0
!!! Error: Target "0" doesn't appear to be valid!
exiting
vireo ~ # type iptables
iptables is hashed (/sbin/iptables)
vireo ~ # /sbin/iptables
-bash: /sbin/iptables: No such file or directory

will break your iptables; even though eselect should just refuse (0 is not a valid target.)
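
The failure reported in this comment, where a rejected target still leaves /sbin/iptables dangling, does not occur when the target is validated first and the link is replaced with a single rename. The following is an added example, not code from the eselect module or the ebuild; the sandbox directory and the function names set_impl and link_ok are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sandbox: a temporary directory stands in for /sbin, so nothing
# on the real system is touched. All paths and function names are hypothetical.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/sbin"
for impl in xtables-legacy-multi xtables-nft-multi; do
    printf '#!/bin/sh\necho %s\n' "$impl" > "$SANDBOX/sbin/$impl"
    chmod +x "$SANDBOX/sbin/$impl"
done

# link_ok LINK: succeed only if LINK is a symlink that resolves to an
# executable file. A dangling link (the state shown in the bug) fails.
link_ok() {
    [ -L "$1" ] && [ -f "$1" ] && [ -x "$1" ]
}

# set_impl LINK TARGET: validate TARGET before touching anything, then swap
# the link in one rename. On any failure the existing link is left as it was.
set_impl() {
    link=$1
    target=$2
    dir=$(dirname "$link")
    case $target in
        ''|*/*) echo "refusing invalid target name: '$target'" >&2; return 1 ;;
    esac
    if [ ! -f "$dir/$target" ] || [ ! -x "$dir/$target" ]; then
        echo "refusing: $dir/$target is not an executable file" >&2
        return 1
    fi
    tmp="$link.tmp.$$"
    rm -f "$tmp"
    ln -s "$target" "$tmp" || return 1
    # mv renames the new link over the old one, so there is no window in
    # which the command is missing.
    mv -f "$tmp" "$link" || { rm -f "$tmp"; return 1; }
}

# Demonstration: a valid set, then the invalid "0" target from the comment.
set_impl "$SANDBOX/sbin/iptables" xtables-legacy-multi
set_impl "$SANDBOX/sbin/iptables" 0 ||
    echo "link unchanged: $(readlink "$SANDBOX/sbin/iptables")"
```

A check like link_ok is also useful as a post-upgrade assertion on firewall hosts, since a missing iptables command means rule-loading scripts fail at the next boot.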
Comment 3 Larry the Git Cow gentoo-dev 2020-05-09 02:55:01 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cfc7d9481a9002d8827cba7f4a3b247589202907

commit cfc7d9481a9002d8827cba7f4a3b247589202907
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-05-09 02:52:46 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-05-09 02:54:51 +0000

    net-firewall/iptables: Revbump, fix eselect bug (bug #721578)
    
    This also supports eselect-arptables and eselect-ebtables, since the
    nftables implementation of xtables can replace both these commands.
    
    Closes: https://bugs.gentoo.org/721578
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 ...es-1.8.4-r1.ebuild => iptables-1.8.4-r2.ebuild} | 45 ++++++++++++++++++----
 1 file changed, 37 insertions(+), 8 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37c41814f27ef349d94ff2f14313b89c65edb2cb

commit 37c41814f27ef349d94ff2f14313b89c65edb2cb
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-05-09 02:46:44 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-05-09 02:54:50 +0000

    app-eselect/eselect-iptables: Remove old (bug #721578)
    
    Bug: https://bugs.gentoo.org/721578
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-eselect/eselect-iptables/Manifest                 |  1 -
 .../eselect-iptables/eselect-iptables-20200319.ebuild | 19 -------------------
 2 files changed, 20 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2126aaa89c0f96dc9cb033d10b742adea7bea903

commit 2126aaa89c0f96dc9cb033d10b742adea7bea903
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-05-09 02:31:29 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-05-09 02:54:50 +0000

    app-eselect/eselect-iptables-20200508: Version bump (bug #721578)
    
    Bug: https://bugs.gentoo.org/721578
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-eselect/eselect-iptables/Manifest              |  1 +
 .../eselect-iptables-20200508.ebuild               | 24 ++++++++++++++++++++++
 2 files changed, 25 insertions(+)