Use iptables-legacy on older kernel versions

Use iptables-legacy rather than iptables when running on older
(pre-4.15) kernel versions.  The newer nf_tables-based tools misbehave
at least on 4.4.
amd64-kernel-on-i386
Colin Watson 5 years ago
parent bf6d8253ea
commit dc61b17db3

8
debian/changelog vendored

@ -1,3 +1,11 @@
livecd-rootfs (2.608) UNRELEASED; urgency=medium
* Use iptables-legacy rather than iptables when running on older
(pre-4.15) kernel versions. The newer nf_tables-based tools misbehave
at least on 4.4.
-- Colin Watson <cjwatson@ubuntu.com> Tue, 03 Sep 2019 15:20:59 +0100
livecd-rootfs (2.607) eoan; urgency=medium livecd-rootfs (2.607) eoan; urgency=medium
* snap seeding: Defer validation for regular image builds. When getting the * snap seeding: Defer validation for regular image builds. When getting the

@ -17,6 +17,32 @@ fi
. config/functions . config/functions
# New nf_tables-based versions of iptables don't work well on old kernels.
# We aren't sure exactly how old is a problem: 4.15 works, but with 4.4 new
# rules are added to all chains in the requested table rather than just one,
# and the new rules seem to have no useful effect. In such cases,
# iptables-legacy works better.
#
# We can simplify this once livecd-rootfs no longer needs to support running
# on Ubuntu 16.04 (that is, once Launchpad's build VMs are upgraded to
# Ubuntu 18.04).
run_iptables () {
local kver kver_major kver_minor
kver="$(uname -r)"
kver="${kver%%-*}"
kver_major="${kver%%.*}"
kver="${kver#*.}"
kver_minor="${kver%%.*}"
if [ "$kver_major" -lt 4 ] || \
([ "$kver_major" = 4 ] && [ "$kver_minor" -lt 15 ]); then
iptables-legacy "$@"
else
iptables "$@"
fi
}
if [ -n "$REPO_SNAPSHOT_STAMP" ]; then if [ -n "$REPO_SNAPSHOT_STAMP" ]; then
if [ "`whoami`" != "root" ]; then if [ "`whoami`" != "root" ]; then
echo "Magic repo snapshots only work when running as root." >&2 echo "Magic repo snapshots only work when running as root." >&2
@ -26,8 +52,8 @@ if [ -n "$REPO_SNAPSHOT_STAMP" ]; then
apt-get -qyy install iptables apt-get -qyy install iptables
# Redirect all outgoing traffic to port 80 to proxy instead. # Redirect all outgoing traffic to port 80 to proxy instead.
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \ run_iptables -t nat -A OUTPUT -p tcp --dport 80 \
-j REDIRECT --to 8080 -m owner ! --uid-owner daemon -j REDIRECT --to 8080
# Run proxy as "daemon" to avoid infinite loop. # Run proxy as "daemon" to avoid infinite loop.
/usr/share/livecd-rootfs/magic-proxy \ /usr/share/livecd-rootfs/magic-proxy \
@ -871,8 +897,8 @@ if [ -f "config/magic-proxy.pid" ]; then
rm -f config/magic-proxy.pid rm -f config/magic-proxy.pid
# Remove previously-inserted iptables rule. # Remove previously-inserted iptables rule.
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \ run_iptables -t nat -D OUTPUT -p tcp --dport 80 \
-j REDIRECT --to 8080 -m owner ! --uid-owner daemon -j REDIRECT --to 8080
fi fi
case $PROJECT in case $PROJECT in
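Review bot: `run_iptables` assumes an `iptables-legacy` binary is on PATH whenever the running kernel is older than 4.15, but nothing in the hunk installs or checks for it — the `apt-get -qyy install iptables` in the next hunk names only `iptables`, and on a userspace whose iptables predates the nf_tables split the legacy backend is `iptables` itself and `iptables-legacy` does not exist, so the call would fail with command-not-found and the snapshot REDIRECT rule would never be added. A guard that falls back to plain `iptables` covers both cases; since `||` and `&&` are left-associative in `if` lists, appending it to the existing condition is enough, e.g. `([ "$kver_major" = 4 ] && [ "$kver_minor" -lt 15 ]) \` / `&& command -v iptables-legacy >/dev/null 2>&1; then` (brace-grouping the version test would make the intent clearer). Separately, the failure mode described in the header comment — rules added but with "no useful effect" — is silent: when the redirect does not take hold, builds appear to fetch from the live archive rather than the pinned snapshot, so following the insert with `run_iptables -t nat -C OUTPUT … || exit 1` would turn that into a hard error, assuming `-C` behaves on the affected kernels. The version parsing also relies on `[ -lt ]` erroring and falling through to the `else` branch when `uname -r` is not numeric; a one-line comment such as `# Non-numeric kernel versions fail the test and fall through to iptables.` would document that this is intended.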
