iptable_filter and ip6table_filter do not auto load

Bug #1496419 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Snappy | Fix Released | High | John Lenton |
ubuntu-core-config (Ubuntu) | Fix Released | High | Oliver Grawert |

Bug Description

If running a snap with custom confinement that is allowed to manipulate netfilter, iptable_filter and ip6table_filter are not loaded in the kernel and do not autoload (and we don't want to allow module loading for the snap). This can be tested by using 'iptables -L -n' or 'ip6tables -L -n' under confinement. Once they are loaded, other netfilter modules seem to autoload correctly. This bug could be solved in a number of ways:
- make sure iptable_filter and ip6table_filter are loaded on boot
- adjust iptable_filter and ip6table_filter to autoload
- adjust the documentation to require the new snappy config mechanism for loading iptable_filter and ip6table_filter for a firewall snap

Oliver Grawert (ogra) wrote :

seems to need /etc/modules-load.d dir in writable-paths in ubuntu-core-config

Oliver Grawert (ogra)
Changed in ubuntu-core-config (Ubuntu):
assignee: nobody → Oliver Grawert (ogra)
importance: Undecided → High
status: New → Confirmed
John Lenton (chipaca)
Changed in snappy:
status: New → In Progress
importance: Undecided → High
assignee: nobody → John Lenton (chipaca)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-config - 0.6.30

---------------
ubuntu-core-config (0.6.30) wily; urgency=medium

  * add /etc/modules-load.d to writable dirs (LP: #1496419)

 -- Oliver Grawert <email address hidden> Tue, 20 Oct 2015 13:47:06 +0200

Changed in ubuntu-core-config (Ubuntu):
status: Confirmed → Fix Released
Changed in snappy:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

This all works in r10 with the 'load-kernel-modules' option in 'snappy config ubuntu-core'. E.g., I used:
config:
  ubuntu-core:
    ...
    load-kernel-modules: [ iptable_filter, ip6table_filter ]
    ...

Thanks!

Changed in snappy:
status: Fix Committed → Fix Released
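
As an added example (not part of the bug report or of snappy), this POSIX shell check reports whether iptable_filter and ip6table_filter are loaded now or listed under a modules-load.d directory for loading at boot, which is the precondition a confined firewall snap depends on. The function names are hypothetical, the sample files are constructed, and the check assumes both are built as loadable modules, since built-in code does not appear in /proc/modules.

```shell
#!/bin/sh
# Added example: report whether each module is loaded now, listed for
# boot-time loading, or neither. Function names are hypothetical.

# module_state PROC_MODULES_FILE CONF_DIR MODULE -> loaded|configured|missing
module_state() {
    # /proc/modules format: the first field of each line is the module name.
    if awk -v m="$3" '$1 == m { f = 1 } END { exit !f }' "$1"; then
        echo loaded; return 0
    fi
    # modules-load.d format: one module name per line; blank lines and
    # lines starting with # or ; are ignored.
    for conf in "$2"/*.conf; do
        [ -f "$conf" ] || continue
        if awk -v m="$3" '
            /^[ \t]*$/ || /^[ \t]*[#;]/ { next }
            { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == m) f = 1 }
            END { exit !f }' "$conf"; then
            echo configured; return 0
        fi
    done
    echo missing; return 1
}

# check_filter_modules PROC_MODULES_FILE CONF_DIR MODULE...
# Prints one "module: state" line each; returns 1 if any module is missing.
check_filter_modules() {
    pm=$1; dir=$2; shift 2; rc=0
    for mod in "$@"; do
        state=$(module_state "$pm" "$dir" "$mod") || rc=1
        printf '%s: %s\n' "$mod" "$state"
    done
    return "$rc"
}

# Constructed sample: one module already loaded, the other only configured.
demo=$(mktemp -d)
printf 'iptable_filter 16384 1 - Live 0x0000000000000000\n' > "$demo/modules"
mkdir "$demo/modules-load.d"
printf '# constructed sample\nip6table_filter\n' > "$demo/modules-load.d/filter.conf"
check_filter_modules "$demo/modules" "$demo/modules-load.d" \
    iptable_filter ip6table_filter
rm -rf "$demo"
```

On a real system the equivalent call is `check_filter_modules /proc/modules /etc/modules-load.d iptable_filter ip6table_filter`.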