From dc61b17db361a709beeb29a57264d63d3381746e Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Tue, 3 Sep 2019 15:23:06 +0100
Subject: [PATCH] Use iptables-legacy on older kernel versions

Use iptables-legacy rather than iptables when running on older (pre-4.15) kernel versions. The newer nf_tables-based tools misbehave at least on 4.4.
---
 debian/changelog | 8 ++++++++
 live-build/auto/build | 34 ++++++++++++++++++++++++++++++----
 2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 5229ac44..2b0a3a8b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+livecd-rootfs (2.608) UNRELEASED; urgency=medium
+
+ * Use iptables-legacy rather than iptables when running on older
+ (pre-4.15) kernel versions. The newer nf_tables-based tools misbehave
+ at least on 4.4.
+
+ -- Colin Watson Tue, 03 Sep 2019 15:20:59 +0100
+
 livecd-rootfs (2.607) eoan; urgency=medium
 * snap seeding: Defer validation for regular image builds. When getting the
diff --git a/live-build/auto/build b/live-build/auto/build
index a625c336..5606dfcc 100755
--- a/live-build/auto/build
+++ b/live-build/auto/build
@@ -17,6 +17,32 @@ fi
 . config/functions
+# New nf_tables-based versions of iptables don't work well on old kernels.
+# We aren't sure exactly how old is a problem: 4.15 works, but with 4.4 new
+# rules are added to all chains in the requested table rather than just one,
+# and the new rules seem to have no useful effect. In such cases,
+# iptables-legacy works better.
+#
+# We can simplify this once livecd-rootfs no longer needs to support running
+# on Ubuntu 16.04 (that is, once Launchpad's build VMs are upgraded to
+# Ubuntu 18.04).
+run_iptables () {
+ local kver kver_major kver_minor
+
+ kver="$(uname -r)"
+ kver="${kver%%-*}"
+ kver_major="${kver%%.*}"
+ kver="${kver#*.}"
+ kver_minor="${kver%%.*}"
+
+ if [ "$kver_major" -lt 4 ] || \
+ ([ "$kver_major" = 4 ] && [ "$kver_minor" -lt 15 ]); then
+ iptables-legacy "$@"
+ else
+ iptables "$@"
+ fi
+}
+
 if [ -n "$REPO_SNAPSHOT_STAMP" ]; then
 if [ "`whoami`" != "root" ]; then
 echo "Magic repo snapshots only work when running as root." >&2
@@ -26,8 +52,8 @@ if [ -n "$REPO_SNAPSHOT_STAMP" ]; then
 apt-get -qyy install iptables
 # Redirect all outgoing traffic to port 80 to proxy instead.
- iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
- -j REDIRECT --to 8080
+ run_iptables -t nat -A OUTPUT -p tcp --dport 80 \
+ -m owner ! --uid-owner daemon -j REDIRECT --to 8080
 # Run proxy as "daemon" to avoid infinite loop.
 /usr/share/livecd-rootfs/magic-proxy \
@@ -871,8 +897,8 @@ if [ -f "config/magic-proxy.pid" ]; then
 rm -f config/magic-proxy.pid
 # Remove previously-inserted iptables rule.
- iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
- -j REDIRECT --to 8080
+ run_iptables -t nat -D OUTPUT -p tcp --dport 80 \
+ -m owner ! --uid-owner daemon -j REDIRECT --to 8080
 fi
 case $PROJECT in
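Review bot: In run_iptables the right-hand operand of `||` is wrapped in `( … )`, which forks a subshell purely to group two `[` tests; `{ [ "$kver_major" -eq 4 ] && [ "$kver_minor" -lt 15 ]; }` groups them in the current shell and uses the same numeric comparison style as the `-lt` beside it. The parser also assumes the first two dot-separated fields of `uname -r` are integers: the `%%-*` strip handles a value like `4.4.0-159-generic`, but any other shape makes `[ … -lt … ]` report an error instead of selecting a branch, which is probably the safer outcome but deserves a line such as `# Assumes "$(uname -r)" starts with MAJOR.MINOR; anything else makes the version test fail loudly.`. Whether the script runs under `set -e` is outside this hunk, so what that failure does to the overall build cannot be confirmed from here.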
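Review bot: Nothing after the `run_iptables -t nat -A OUTPUT …` call verifies that the REDIRECT rule is actually in place, and the failure mode described in the commit message is exactly one where the tool exits successfully but the rule has no effect, so apt traffic would silently reach the real archive instead of the magic proxy and the repo snapshot would be bypassed without any diagnostic. A follow-up check such as `run_iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080 || { echo "proxy redirect rule not installed" >&2; exit 1; }` would turn that into a visible build failure; whether `-C` reports the misbehaving rule as present on a 4.4 kernel is something I cannot tell from this diff and would need to be tried. The enclosing `if [ -n "$REPO_SNAPSHOT_STAMP" ]` block begins before this hunk and continues after it.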