pve-firewall.service: update-alternative ip-/eb- tables to legacy versions

This is rather a bit of an hack but works for us for now.

we need to use the legacy versions for both due some bugs in the
nftables based versions, i.e., for iptables it's Debian bug #929527 [0]
and for ebtables it's Debian bug #929976 [1]. While the first gained
some response from the maintainer and a solution is in sight it's
currently blocked by Buster release freeze policy. The second one did
not get any response so far.

[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929976

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/debian/pve-firewall.service b/debian/pve-firewall.service
index 63fc57fa195d09260014e1b61c6782b44783ae2d..f95ce6d6589bf4c9e68956134d8d2e013aa8626c 100644 (file)
--- a/debian/pve-firewall.service
+++ b/debian/pve-firewall.service
@@ -8,6 +8,9 @@ Before=shutdown.target
 Conflicts=shutdown.target
 
 [Service]
+ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy
+ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
+ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
 ExecStart=/usr/sbin/pve-firewall start
 ExecStop=/usr/sbin/pve-firewall stop
 ExecReload=/usr/sbin/pve-firewall restart