Ubuntu
iptables-persistent package

Merge lp:~neil-aldur/ubuntu/precise/iptables-persistent/fix-for-967018-905517 into lp:ubuntu/precise/iptables-persistent

  1. Precise (12.04)
  2. fix-for-967018-905517
  3. Merge into precise
Proposed by Neil Wilson
Status: Merged
Merge reported by: Chow Loong Jin
Merged at revision: not available
Proposed branch: lp:~neil-aldur/ubuntu/precise/iptables-persistent/fix-for-967018-905517
Merge into: lp:ubuntu/precise/iptables-persistent
Diff against target: 81 lines (+17/-11)
5 files modified
debian/changelog (+7/-0)
debian/iptables-persistent.postinst (+0/-3)
debian/iptables-persistent.postrm (+2/-5)
debian/iptables-persistent.preinst (+7/-2)
debian/rules (+1/-1)
To merge this branch: bzr merge lp:~neil-aldur/ubuntu/precise/iptables-persistent/fix-for-967018-905517
Reviewer Review Type Date Requested Status
Chow Loong Jin (community) Approve
Neil Wilson Pending
Review via email: mp+102675@code.launchpad.net

This proposal supersedes a proposal from 2012-04-03.

Commit message

* debian/rules: add missing '.' (LP: #920055)
* debian/postinst: make sure new target file exists so that
  'dpkg-maintscript-helper' works properly (LP: #967018)

Description of the change

Fix a couple of upgrade and installation faults with the maintainer scripts

To post a comment you must log in.
Revision history for this message
Chow Loong Jin (hyperair) wrote : Posted in a previous version of this proposal

The debian/rules change looks okay, but the postinst change looks wrong.

Specifically, I think it should be:
if [ ! -e /etc/iptables/rules.v4 ]; then
    touch /etc/iptables/rules.v4
    dpkg-maintscript-helper mv_conffile \
 /etc/iptables/rules /etc/iptables/rules.v4 0.0.20101230 -- "$@"
fi

i.e. you need to check for the presence of rules.v4, rather than rules.

Apart from that, I don't see anything wrong, and will happily sponsor this patch.

review: Needs Fixing
Revision history for this message
Neil Wilson (neil-aldur) wrote : Posted in a previous version of this proposal

It needs to be both. You don't want to execute the mv_conffile unless both the files exist and you don't want to create a rules.v4 unless the old one already exists and you really need to do a mv_conffile.

You want to avoid the blank rules.v4 file which would cause the init script to try and do an unnecessary firewall load on a blank file.

It's a bit of an abuse of the mv_conffile facility really.

So I'm thinking

if [ -e /etc/iptables/rules ]; then
    [ -e /etc/iptables/rules.v4 ] || touch /etc/iptables/rules.v4
    dpkg-maintscript-helper mv_conffile \
        /etc/iptables/rules /etc/iptables/rules.v4 0.0.20101230 -- "$@"
fi

Which should make sure that the old file is only moved if the target isn't newer.

Revision history for this message
Chow Loong Jin (hyperair) wrote : Posted in a previous version of this proposal

Ah yes, you're right. Could you apply that change?

Revision history for this message
Neil Wilson (neil-aldur) wrote : Posted in a previous version of this proposal

Applied

review: Needs Resubmitting
Revision history for this message
Chow Loong Jin (hyperair) wrote : Posted in a previous version of this proposal

Okay, I've just built and tested upgrading from 0.0.20101230 (the natty package). I noticed that if both /etc/iptables/rules and /etc/iptables/rules.v4 were present, rules.v4 would be clobbered by rules. A backup would be made in rules.v4.dpkg-new, of course, but I'm not sure that's a good thing.

How about the following?

if [ -e /etc/iptables/rules -a ! -e /etc/iptables/rules.v4 ]; then
    touch /etc/iptables/rules.v4
    dpkg-maintscript-helper mv_conffile \
        /etc/iptables/rules /etc/iptables/rules.v4 0.0.20101230 -- "$@"
fi

This should prevent rules.v4 from getting clobbered if the user had, by some freak accident (perhaps an upgrade and a downgrade, and an upgrade again) both rules and rules.v4 where rules.v4 was the relevant file.

Revision history for this message
Chow Loong Jin (hyperair) wrote : Posted in a previous version of this proposal

Also, you need a trailing space before ].

Revision history for this message
Neil Wilson (neil-aldur) wrote : Posted in a previous version of this proposal

On a separate note do we think that this is really a fault in dpkg-maintscript-helper we're trying to work around?

if

mv -f "$NEWCONFFILE" "$NEWCONFFILE".dpkg-new"

was replaced with

[ -e "$NEWCONFFILE" ] && mv -f "$NEWCONFFILE" "$NEWCONFFILE".dpkg-new"

It would solve the problem and we could just call:

dpkg-maintscript-helper mv_conffile \
 /etc/iptables/rules /etc/iptables/rules.v4 0.0.20101230 -- "$@"

without any guard at all.

Revision history for this message
Neil Wilson (neil-aldur) wrote : Posted in a previous version of this proposal

OK, gone for a slightly different approach now.

The mv_conffile only applies to natty and older packages - which have no rules.v4 file at all. So we don't have to worry about whether it gets clobbered or not.

So if the old file exists I create a new rules.v4 file if that doesn't already exist (bit belt and braces but safest).

Then after the move I clear up empty dpkg-new files - which has the added advantage of clearing up after the empty files left by 'oneiric' upgrades from 'natty' at the same time.

I've given this a test on a natty to oneiric to precise upgrade, and the lucid to precise upgrade (and a natty to precise backport upgrade) and it appears to do what I'd expect from each starting state.

Revision history for this message
Chow Loong Jin (hyperair) wrote : Posted in a previous version of this proposal

I'm not sure [ ! -e /etc/iptables/rules -o -e /etc/iptables/rules.v4 ] is correct. Why do we need to touch /etc/iptables/rules.v4 if it already exists?

Also, I don't really like the idea of automatically removing the rules.v4.dpkg-new file, even if it is empty. I feel that the .dpkg-new and .dpkg-old files are the domain of the administrator, and should not be touched by scripts.

Revision history for this message
Neil Wilson (neil-aldur) wrote : Posted in a previous version of this proposal

On 19 April 2012 12:53, Chow Loong Jin <email address hidden> wrote:
> I'm not sure [ ! -e /etc/iptables/rules -o -e /etc/iptables/rules.v4 ] is correct. Why do we need to touch /etc/iptables/rules.v4 if it already exists?
>
> Also, I don't really like the idea of automatically removing the rules.v4.dpkg-new file, even if it is empty. I feel that the .dpkg-new and .dpkg-old files are the domain of the administrator, and should not be touched by scripts.
> --
> https://code.launchpad.net/~neil-aldur/ubuntu/precise/iptables-persistent/fix-for-967018-905517/+merge/100652
> You are the owner of lp:~neil-aldur/ubuntu/precise/iptables-persistent/fix-for-967018-905517.

Read the code carefully. It's an || after the test. That's the
condition for *not* touching the file.

And as I said, I've tested this, and it works.

Debian disagree with you. The empty dpkg-new files and the alterations
it put in place in this package is what caused all the fun in the
first place.

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612278

--
Neil Wilson

lp:~neil-aldur/ubuntu/precise/iptables-persistent/fix-for-967018-905517 updated
14. By Neil Wilson

Stop using 'dpkg-maintscript-helper' for configuration files (LP: #967018)

Revision history for this message
Neil Wilson (neil-aldur) wrote :

Based on the discussion around the maintainer script it appears that it really isn't designed to handle 'configuration files'.

So this version strips the lot and goes for the simple solution.

Revision history for this message
Chow Loong Jin (hyperair) wrote :

On 19/04/2012 23:26, Neil Wilson wrote:
> Based on the discussion around the maintainer script it appears that it
> really isn't designed to handle 'configuration files'.
>
> So this version strips the lot and goes for the simple solution.

I think was better one commit ago. See http://wiki.debian.org/DpkgConffileHandling.

--
Kind regards,
Loong Jin

Revision history for this message
Neil Wilson (neil-aldur) wrote :

That's the point.

It's a *configuration file*, not a conffile.

http://www.debian.org/doc/debian-policy/ch-files.html#s-config-files

Revision history for this message
Neil Wilson (neil-aldur) wrote :

See https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/985508/comments/6

Revision history for this message
Chow Loong Jin (hyperair) wrote :

On 19/04/2012 23:41, Chow Loong Jin wrote:
> On 19/04/2012 23:26, Neil Wilson wrote:
>> Based on the discussion around the maintainer script it appears that it
>> really isn't designed to handle 'configuration files'.
>>
>> So this version strips the lot and goes for the simple solution.
>
> I think was better one commit ago. See http://wiki.debian.org/DpkgConffileHandling.
>
 Okay, I just found https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/985508.
It's true that it's not a conffile, but on the other hand, I think it should be
treated somewhat like a conffile, at least with respect to the suffix used.

Either way, at this point, I think the situation gets a little messy and you
should probably discuss this with the maintainer of this package on the Debian
side of things: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665813

--
Kind regards,
Loong Jin

lp:~neil-aldur/ubuntu/precise/iptables-persistent/fix-for-967018-905517 updated
15. By Neil Wilson

Change backup name to be consistent with dpkg-mainthelper-script

Check is unlikely to be called in normal usage anyway.

Revision history for this message
Chow Loong Jin (hyperair) wrote :

Looks good, thanks!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2012-02-13 16:13:28 +0000
3+++ debian/changelog 2012-04-19 16:13:19 +0000
4@@ -1,3 +1,10 @@
5+iptables-persistent (0.5.3ubuntu2) precise; urgency=low
6+
7+ * debian/rules: add missing '.' (LP: #920055)
8+ * Stop using 'dpkg-maintscript-helper' for configuration files (LP: #967018)
9+
10+ -- Neil Wilson <neil@aldur.co.uk> Tue, 03 Apr 2012 17:57:01 +0100
11+
12 iptables-persistent (0.5.3ubuntu1) precise; urgency=low
13
14 * Pre-Depend on a sufficient version of dpkg rather than using
15
16=== modified file 'debian/iptables-persistent.postinst'
17--- debian/iptables-persistent.postinst 2012-02-13 16:13:28 +0000
18+++ debian/iptables-persistent.postinst 2012-04-19 16:13:19 +0000
19@@ -5,9 +5,6 @@
20 # Source debconf library
21 . /usr/share/debconf/confmodule
22
23-dpkg-maintscript-helper mv_conffile \
24- /etc/iptables/rules /etc/iptables/rules.v4 0.0.20101230 -- "$@"
25-
26 case "$1" in
27 configure)
28 db_get iptables-persistent/autosave_done || true
29
30=== modified file 'debian/iptables-persistent.postrm'
31--- debian/iptables-persistent.postrm 2012-02-13 16:13:28 +0000
32+++ debian/iptables-persistent.postrm 2012-04-19 16:13:19 +0000
33@@ -2,14 +2,11 @@
34
35 set -e
36
37-dpkg-maintscript-helper mv_conffile \
38- /etc/iptables/rules /etc/iptables/rules.v4 0.0.20101230 -- "$@"
39-
40 case "$1" in
41 purge)
42 rm -rf /etc/iptables/rules \
43- /etc/iptables/rules.v4 \
44- /etc/iptables/rules.v6
45+ /etc/iptables/rules.v4* \
46+ /etc/iptables/rules.v6*
47 ;;
48 esac
49
50
51=== modified file 'debian/iptables-persistent.preinst'
52--- debian/iptables-persistent.preinst 2012-02-13 16:13:28 +0000
53+++ debian/iptables-persistent.preinst 2012-04-19 16:13:19 +0000
54@@ -2,7 +2,12 @@
55
56 set -e
57
58-dpkg-maintscript-helper mv_conffile \
59- /etc/iptables/rules /etc/iptables/rules.v4 0.0.20101230 -- "$@"
60+if [ -e /etc/iptables/rules ]; then
61+ if [ -e /etc/iptables/rules.v4 ]; then
62+ mv -f /etc/iptables/rules /etc/iptables/rules.v4.dpkg-bak
63+ else
64+ mv -f /etc/iptables/rules /etc/iptables/rules.v4
65+ fi
66+fi
67
68 #DEBHELPER#
69
70=== modified file 'debian/rules'
71--- debian/rules 2011-11-28 23:19:39 +0000
72+++ debian/rules 2012-04-19 16:13:19 +0000
73@@ -1,7 +1,7 @@
74 #!/usr/bin/make -f
75
76 override_dh_installinit:
77- dh_installinit -- start 37 2 3 4 5 . stop 37 0 1 6
78+ dh_installinit -- start 37 2 3 4 5 . stop 37 0 1 6 .
79
80 %:
81 dh $@

Subscribers

People subscribed via source and target branches

to all changes: