perfsonar/toolkit

pS Toolkit 4.4.5-1: Debian: perfsonar-toolkit-security: results in INVALID_ZONE for FW

Closed this issue · 5 comments

Hi guys,

Here are the diagnostics for it and the way to reproduce it.
The result is at the end.

pi@raspberrypi:~ $ sudo firewall-cmd --list-ports
22/tcp
pi@raspberrypi:~ $ dpkg -l | grep perfsonar-toolkit-security
ii perfsonar-toolkit-security 4.4.5-1 all perfSONAR Toolkit firewall configuration
pi@raspberrypi:~ $ sudo apt remove perfsonar-toolkit-security
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
fail2ban firewalld ipset libipset11 python-colorzero python3-decorator python3-selinux python3-slip python3-slip-dbus python3-systemd rpi-eeprom-images
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
perfsonar-toolkit-security
0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
After this operation, 38.9 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 117012 files and directories currently installed.)
Removing perfsonar-toolkit-security (4.4.5-1) ...
pi@raspberrypi:~ $ sudo firewall-cmd --list-ports
22/tcp
pi@raspberrypi:~ $ sudo reboot
Authenticating with public key "imported-openssh-key" from agent
Linux raspberrypi 5.10.103-v7l+ #1529 SMP Tue Mar 8 12:24:00 GMT 2022 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 26 11:59:25 2022 from 79.250.129.24
pi@raspberrypi:/home/pi $ sudo firewall-cmd --list-ports
22/tcp
pi@raspberrypi:/home/pi $ dpkg -l | grep perfsonar-toolkit-security
rc perfsonar-toolkit-security 4.4.5-1 all perfSONAR Toolkit firewall configuration
pi@raspberrypi:/home/pi $ sudo apt purge perfsonar-toolkit-security
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
fail2ban firewalld ipset libipset11 python-colorzero python3-decorator python3-selinux python3-slip python3-slip-dbus python3-systemd rpi-eeprom-images
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
perfsonar-toolkit-security*
0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] Y
(Reading database ... 117004 files and directories currently installed.)
Purging configuration files for perfsonar-toolkit-security (4.4.5-1) ...
pi@raspberrypi:/home/pi $
pi@raspberrypi:/home/pi $ sudo firewall-cmd --list-ports
22/tcp
pi@raspberrypi:/home/pi $ dpkg -l | grep perfsonar-toolkit-security
pi@raspberrypi:/home/pi $ sudo apt install perfsonar-toolkit-security
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
python-colorzero rpi-eeprom-images
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
perfsonar-toolkit-security
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 6,972 B of archives.
After this operation, 38.9 kB of additional disk space will be used.
Get:1 http://downloads.perfsonar.net/debian perfsonar-release/main armhf perfsonar-toolkit-security all 4.4.5-1 [6,972 B]
Fetched 6,972 B in 2s (3,571 B/s)
Selecting previously unselected package perfsonar-toolkit-security.
(Reading database ... 117002 files and directories currently installed.)
Preparing to unpack .../perfsonar-toolkit-security_4.4.5-1_all.deb ...
Unpacking perfsonar-toolkit-security (4.4.5-1) ...
Setting up perfsonar-toolkit-security (4.4.5-1) ...
Adding perfSONAR firewall rules
pi@raspberrypi:/home/pi $ sudo firewall-cmd --list-ports
Error: INVALID_ZONE

This is running on Raspbian which is derived from Debian 10. We should try to replicate and see if the behavior is the same with Debian 10 or if it's only with Raspbian.

Installing iptables 1.8.5 on Raspbian did solve this issue. We need to test if a regular Buster install is also affected and then either find a way to bring in the correct dependency (by providing it in our repository?) or add it as a FAQ entry.

The alternative approach would be to switch back the FW management to the old style with iptables using this:

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

This had been tested with a clean Debian 10 deployment and perfSONAR latest stable.

Newer versions of Debian and Ubuntu are relying on nf_tables instead of iptables. AFAICT our rules are working fine under D11, D12, U20 and U22.
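A host-side check for the condition discussed in this thread, added here as an example and not code from the perfSONAR project: it parses the output of `iptables --version` and flags an nf_tables backend older than 1.8.5. Treating 1.8.5 as the cut-off is an assumption drawn from the comment above that installing iptables 1.8.5 resolved the error; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Assumption from the thread: iptables 1.8.5 on the nf_tables backend no
# longer triggers INVALID_ZONE; older nf_tables builds are flagged "suspect".
FIXED_VERSION=1.8.5

# version_lt A B: succeeds when dotted numeric version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# classify_iptables LINE: LINE is the output of `iptables --version`,
# e.g. "iptables v1.8.2 (nf_tables)" (constructed sample).
classify_iptables() {
    line=$1
    version=$(printf '%s\n' "$line" |
        sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p')
    case $line in
        *"(nf_tables)"*) backend=nf_tables ;;
        *"(legacy)"*)    backend=legacy ;;
        *)               backend=unknown ;;  # no backend suffix printed
    esac
    if [ -z "$version" ]; then
        version=unknown; verdict=unknown     # output could not be parsed
    elif [ "$backend" = nf_tables ] && version_lt "$version" "$FIXED_VERSION"; then
        verdict=suspect   # upgrade iptables or switch to the legacy alternatives
    else
        verdict=ok
    fi
    printf 'backend=%s version=%s verdict=%s\n' "$backend" "$version" "$verdict"
}

# Report on the local host when iptables is installed.
if command -v iptables >/dev/null 2>&1; then
    classify_iptables "$(iptables --version 2>/dev/null)"
fi
```

A `suspect` verdict before installing perfsonar-toolkit-security points at the two options named in the thread: a newer iptables, or the `update-alternatives` switch to the legacy binaries.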