
Linux systemd unit contains incorrect syntax in ExecStopPost (`-recover-iptables`)

Open myndzi opened this issue 5 months ago • 1 comment

What happened: I was viewing journald logs while trying to make WireGuard work (figuring out how to restart portmaster when the VPN interface comes up, à la https://github.com/safing/portmaster/issues/292) and noticed this:

portmaster-core[40516]: Error: unknown shorthand flag: 'r' in -recover-iptables
portmaster-core[40516]: Usage:
portmaster-core[40516]:   portmaster-core [flags]
portmaster-core[40516]:   portmaster-core [command]
portmaster-core[40516]: Available Commands:
portmaster-core[40516]:   completion       Generate the autocompletion script for the specified shell
portmaster-core[40516]:   help             Help about any command
portmaster-core[40516]:   recover-iptables Clean up Portmaster rules in iptables
portmaster-core[40516]:   update           Force an update of all components.
portmaster-core[40516]:   version          Show version and related metadata.

A little searching brought me to this unit file: https://github.com/safing/portmaster/blob/6288056dc6fcf5318641b1566a5627c55b5f44f3/packaging/linux/portmaster.service#L40

It seems likely that the portmaster-core binary changed its argument handling from the stock Go arg parsing at some point, but this unit was not updated to the new syntax.

To verify, I hand-edited it to remove the leading hyphen and triggered a restart, and sure enough that fixed the CLI error. However, now that it correctly runs the recover-iptables command, it instead spams more errors:

portmaster-core[45012]: Error: 10 errors occurred:
portmaster-core[45012]:         * running [/usr/bin/iptables -t mangle -C OUTPUT -j PORTMASTER-INGEST-OUTPUT --wait]: exit status 2: iptables v1.8.11 (nf_tables): Chain 'PORTMASTER-INGEST-OUTPUT' does not exist
portmaster-core[45012]:         * running [/usr/bin/iptables -t mangle -C INPUT -j PORTMASTER-INGEST-INPUT --wait]: exit status 2: iptables v1.8.11 (nf_tables): Chain 'PORTMASTER-INGEST-INPUT' does not exist
portmaster-core[45012]:         * running [/usr/bin/iptables -t filter -C OUTPUT -j PORTMASTER-FILTER --wait]: exit status 2: iptables v1.8.11 (nf_tables): Chain 'PORTMASTER-FILTER' does not exist
portmaster-core[45012]:         * running [/usr/bin/iptables -t filter -C INPUT -j PORTMASTER-FILTER --wait]: exit status 2: iptables v1.8.11 (nf_tables): Chain 'PORTMASTER-FILTER' does not exist
portmaster-core[45012]:         * running [/usr/bin/iptables -t nat -C OUTPUT -j PORTMASTER-REDIRECT --wait]: exit status 2: iptables v1.8.11 (nf_tables): Chain 'PORTMASTER-REDIRECT' does not exist
portmaster-core[45012]:         * running [/usr/bin/ip6tables -t mangle -C OUTPUT -j PORTMASTER-INGEST-OUTPUT --wait]: exit status 2: ip6tables v1.8.11 (nf_tables): Chain 'PORTMASTER-INGEST-OUTPUT' does not exist
portmaster-core[45012]:         * running [/usr/bin/ip6tables -t mangle -C INPUT -j PORTMASTER-INGEST-INPUT --wait]: exit status 2: ip6tables v1.8.11 (nf_tables): Chain 'PORTMASTER-INGEST-INPUT' does not exist
portmaster-core[45012]:         * running [/usr/bin/ip6tables -t filter -C OUTPUT -j PORTMASTER-FILTER --wait]: exit status 2: ip6tables v1.8.11 (nf_tables): Chain 'PORTMASTER-FILTER' does not exist
portmaster-core[45012]:         * running [/usr/bin/ip6tables -t filter -C INPUT -j PORTMASTER-FILTER --wait]: exit status 2: ip6tables v1.8.11 (nf_tables): Chain 'PORTMASTER-FILTER' does not exist
portmaster-core[45012]:         * running [/usr/bin/ip6tables -t nat -C OUTPUT -j PORTMASTER-REDIRECT --wait]: exit status 2: ip6tables v1.8.11 (nf_tables): Chain 'PORTMASTER-REDIRECT' does not exist

I'm on fairly vanilla Fedora 42. I removed firewalld in favor of portmaster, but I don't think that matters here(?)

It seems relatively harmless that the chains it is trying to remove don't exist, but it would be a bonus to silence the log noise if that's true.

What did you expect to happen?: The unit that ships with the installation package behaves gracefully

How did you reproduce it?: systemctl restart portmaster

Debug Information: n/a

myndzi avatar Jul 29 '25 23:07 myndzi
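The two problems in the report are separable: the `-recover-iptables` spelling never reaches the cleanup code at all, and once the subcommand does run it reports a missing chain as an error. The script below is an added example, written here to illustrate a tolerant cleanup; it is not Portmaster's own `recover-iptables` implementation. The table/chain/parent layout is taken from the error lines quoted above; the `IPTABLES`/`IP6TABLES` variables, the `recover-iptables.sh` file name used in the run guard, and the `skip:`/`removed:` messages are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Portmaster's own recover-iptables code.
# Tolerant cleanup of the chains named in the journal output above: each
# chain is checked before it is touched, so an absent chain is a no-op
# rather than an error. IPTABLES/IP6TABLES are overridable so the logic can
# be exercised against a stand-in command (assumption for this example).
IPTABLES="${IPTABLES:-iptables}"
IP6TABLES="${IP6TABLES:-ip6tables}"

# chain_exists TOOL TABLE CHAIN: returns 0 if the chain exists in that table.
chain_exists() {
    "$1" -t "$2" -n -L "$3" >/dev/null 2>&1
}

# remove_chain TOOL TABLE CHAIN PARENT...: delete every jump from each PARENT
# chain to CHAIN, then flush and delete CHAIN. Skips silently when CHAIN is
# absent; returns 1 only when a real iptables call fails (e.g. the chain is
# still referenced from a parent not listed here, so -X is refused).
remove_chain() {
    t=$1; tb=$2; ch=$3; shift 3
    if ! chain_exists "$t" "$tb" "$ch"; then
        echo "skip: $t -t $tb: chain $ch absent"
        return 0
    fi
    for p in "$@"; do
        # Repeated starts can leave duplicate jump rules; loop until none remain.
        while "$t" -t "$tb" -C "$p" -j "$ch" --wait >/dev/null 2>&1; do
            "$t" -t "$tb" -D "$p" -j "$ch" --wait || return 1
        done
    done
    "$t" -t "$tb" -F "$ch" --wait || return 1
    "$t" -t "$tb" -X "$ch" --wait || return 1
    echo "removed: $t -t $tb: chain $ch"
}

# recover_iptables: layout from the error lines in the issue (mangle INGEST
# chains hooked from OUTPUT/INPUT, filter PORTMASTER-FILTER hooked from both
# OUTPUT and INPUT, nat PORTMASTER-REDIRECT hooked from OUTPUT). Returns 0
# when every chain is gone or was already absent, 1 if any deletion failed.
recover_iptables() {
    rc=0
    for tool in "$IPTABLES" "$IP6TABLES"; do
        remove_chain "$tool" mangle PORTMASTER-INGEST-OUTPUT OUTPUT || rc=1
        remove_chain "$tool" mangle PORTMASTER-INGEST-INPUT  INPUT  || rc=1
        remove_chain "$tool" filter PORTMASTER-FILTER OUTPUT INPUT  || rc=1
        remove_chain "$tool" nat    PORTMASTER-REDIRECT OUTPUT      || rc=1
    done
    return $rc
}

# Run directly (as root, saved as recover-iptables.sh; assumed name) to clean
# up; sourcing the file only defines the functions.
case "$0" in
    *recover-iptables.sh) recover_iptables ;;
esac
```

Note the two different hyphens at play in a unit file: `-recover-iptables` as an argument is parsed by the binary (and, per the error above, read as a bundle of short flags), whereas a `-` placed before the executable path in `ExecStopPost=` is systemd syntax meaning "ignore a non-zero exit status". The latter is the right tool if the goal is only to keep a failing cleanup from being reported as a unit failure; it does nothing about the log noise, which is why the script above checks for each chain first.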

Greetings and welcome to our community! As this is the first issue you opened here, we wanted to share some useful infos with you:

  • 🗣️ Our community on Discord is super helpful and active. We also have an AI-enabled support bot that knows Portmaster well and can give you immediate help.
  • 📖 The Wiki answers all common questions and has many important details. If you can't find an answer there, let us know, so we can add anything that's missing.

github-actions[bot] avatar Jul 29 '25 23:07 github-actions[bot]

https://github.com/safing/portmaster/releases/tag/v2.1.7

stenya avatar Dec 17 '25 12:12 stenya