:: Re: [DNG] iptables at risk when upr…
Author: James Cloos
Date:  
To: Hendrik Boom
CC: dng
Subject: Re: [DNG] iptables at risk when uprgading?
>>>>> "HB" == Hendrik Boom <hendrik@???> writes:

HB> Does this mean that the upgrade from ascii to beowulf is not transparent
HB> and that I risk losing the iptables on my front-end machine when I do it?


Save the tables with iptables-save and ip6tables-save before upgrading
and try restoring them with iptables-restore and ip6tables-restore after
upgrading.

Or, save before and then, after the upgrade, run:

########################################
#!/bin/sh
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy
########################################

and then restore them with iptables-restore and ip6tables-restore.

If you do not have arptables and ebtables installed, those two
lines will report errors, but it won't hurt anything.

After the upgrade, /usr/sbin/iptables will be a symlink to
/etc/alternatives/iptables. After the update-alternatives calls,
/etc/alternatives/iptables will be a symlink to
/usr/sbin/iptables-legacy, so you won't then have to edit any callers.

Symlinks exist like that also for ip6tables, each's -save and -restore
as well as {arp,eb}tables.

Disclaimer: not my work; someone posted the u-a calls on debian-devel
a few weeks ago.

I use it on some kvm and openvz which do not work well with nftables or
the nftable-using iptables. They got filtering working again for me.

-JimC
-- 
James Cloos <cloos@???>         OpenPGP: 0x997A9F17ED7DAEA6
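
An added example, not part of the message above or of the debian-devel post it cites: one way to check that the ruleset restored after the upgrade is the one saved before it, and which backend the iptables binary reports. The function names and the sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and sample dumps below are constructed.

# Drop what differs between two dumps of the same rules: the "# Generated by"
# and "# Completed on" comment lines, and the [packets:bytes] counters.
normalize_ruleset() {
    sed -e '/^#/d' -e 's/\[[0-9][0-9]*:[0-9][0-9]*\]/[0:0]/g'
}

# Exit 0 only if both dump files hold the same rules in the same order.
rulesets_match() {
    [ "$(normalize_ruleset < "$1")" = "$(normalize_ruleset < "$2")" ]
}

# Classify the string printed by `iptables -V`; 1.8.x appends the variant,
# e.g. "iptables v1.8.2 (legacy)". Older releases print no variant.
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Constructed sample dumps: before the upgrade, after a good restore, and
# after a restore that silently lost the SSH rule.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before.rules" <<'EOF'
# Generated by iptables-save v1.6.0 (constructed sample)
*filter
:INPUT DROP [12:840]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [57:4312]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed (constructed sample)
EOF
sed -e 's/v1\.6\.0/v1.8.2/' -e 's/\[12:840\]/[3:180]/' \
    "$SAMPLE_DIR/before.rules" > "$SAMPLE_DIR/after_ok.rules"
grep -v -e '--dport 22' "$SAMPLE_DIR/before.rules" > "$SAMPLE_DIR/after_lost.rules"

for f in after_ok after_lost; do
    if rulesets_match "$SAMPLE_DIR/before.rules" "$SAMPLE_DIR/$f.rules"
    then echo "$f: ruleset matches pre-upgrade dump"
    else echo "$f: ruleset DIFFERS from pre-upgrade dump"
    fi
done
```

On a real machine the two files would be the iptables-save output taken before the upgrade and again after iptables-restore; the same comparison applies to the ip6tables-save dumps.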