From c743e671dad7a36871b6ab8e061e4200e64a4f54 Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Mon, 24 Jun 2019 20:36:09 +0200 Subject: [PATCH 1/1] pve-firewall.service: update-alternative ip-/eb- tables to legacy versions This is rather a bit of a hack but works for us for now. We need to use the legacy versions for both due to some bugs in the nftables based versions, i.e., for iptables it's Debian bug #929527 [0] and for ebtables it's Debian bug #929976 [1]. While the first gained some response from the maintainer and a solution is in sight it's currently blocked by Buster release freeze policy. The second one did not get any response so far. [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527 [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929976 Signed-off-by: Thomas Lamprecht --- debian/pve-firewall.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/pve-firewall.service b/debian/pve-firewall.service index 63fc57f..f95ce6d 100644 --- a/debian/pve-firewall.service +++ b/debian/pve-firewall.service @@ -8,6 +8,9 @@ Before=shutdown.target Conflicts=shutdown.target [Service] +ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy +ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy +ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy ExecStart=/usr/sbin/pve-firewall start ExecStop=/usr/sbin/pve-firewall stop ExecReload=/usr/sbin/pve-firewall restart -- 2.39.2
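Review bot: the three added `ExecStartPre=` lines in `[Service]` all carry the `-` prefix, so a failing `update-alternatives --set` (for example because `/usr/sbin/ebtables-legacy` is not installed) is ignored and `ExecStart=/usr/sbin/pve-firewall start` still runs, possibly against the nftables-based variants the commit message says are broken. Consider dropping the `-` so the unit fails visibly, or having `pve-firewall start` verify which backend is active and log when it is not the legacy one. Two further points on the same lines: `update-alternatives --set` changes the host-wide selection and is re-applied on every start of the service, which silently overrides an administrator's own choice, so a one-time switch at package install or a documented opt-out would be less surprising. The unit file itself also carries no comment pointing at Debian bugs #929527 and #929976, which would help whoever later has to decide when the workaround can be removed.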