ufw

Comment 2 for bug 1933117

Jamie Strandboge (jdstrand) wrote: Re: ufw deletes entries in wrong order

Thank you for filing a bug.

Note that 1.1.1.1/26 and 1.2.3.4/26 are normalized to 1.1.1.0/26 and 1.2.3.0/26, respectively. They don't overlap so they are still different from each other.

I can confirm the bug. In reproducing this with ufw disabled (i.e., it will update rules files but not the firewall itself), I see that:

# ufw insert 1 allow from 1.1.1.1/26 to any port 22 # res. rule 2
# ufw insert 2 allow from 1.2.3.4/26 to any port 22 # res. rule 3
# ufw insert 1 allow from 1.2.3.4/26 to any port 22 proto tcp # res. rule 1

# cat /etc/ufw/user.rules
...
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 1.2.3.0/26 in
-A ufw-user-input -p tcp --dport 22 -s 1.2.3.0/26 -j ACCEPT

### tuple ### allow any 22 0.0.0.0/0 any 1.1.1.0/26 in
-A ufw-user-input -p tcp --dport 22 -s 1.1.1.0/26 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 1.1.1.0/26 -j ACCEPT

### tuple ### allow any 22 0.0.0.0/0 any 1.2.3.0/26 in
-A ufw-user-input -p tcp --dport 22 -s 1.2.3.0/26 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 1.2.3.0/26 -j ACCEPT
...

This shows the initial insert is correct.

Running 'ufw delete 3', I see:
# sudo ufw delete 3
Deleting:
 allow from 1.2.3.0/26 to any port 22
Proceed with operation (y|n)? y
Rules updated

This shows the correct rule was selected.

# cat /etc/ufw/user.rules
...
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 1.2.3.0/26 in
-A ufw-user-input -p tcp --dport 22 -s 1.2.3.0/26 -j ACCEPT

### tuple ### allow any 22 0.0.0.0/0 any 1.1.1.0/26 in
-A ufw-user-input -p tcp --dport 22 -s 1.1.1.0/26 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 1.1.1.0/26 -j ACCEPT
...

This shows the correct rule was removed from the file.

Now, after purging ufw from the system and reinstalling it (to ensure none of the changes are there), adding one rule (so inserts work) and enabling, I see:

# ufw insert 1 allow from 1.1.1.1/26 to any port 22
# ufw insert 2 allow from 1.2.3.4/26 to any port 22
# ufw insert 1 allow from 1.2.3.4/26 to any port 22 proto tcp

# iptables -L ufw-user-input -n
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 1.2.3.0/26 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 1.1.1.0/26 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 1.1.1.0/26 0.0.0.0/0 udp dpt:22
ACCEPT tcp -- 1.2.3.0/26 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 1.2.3.0/26 0.0.0.0/0 udp dpt:22

So the rules are in the correct order (but we can see where the problem will come in).

# ufw delete 3
Deleting:
 allow from 1.2.3.0/26 to any port 22
Proceed with operation (y|n)? y
Rule deleted

# iptables -L ufw-user-input -n
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 1.1.1.0/26 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 1.1.1.0/26 0.0.0.0/0 udp dpt:22
ACCEPT tcp -- 1.2.3.0/26 0.0.0.0/0 tcp dpt:22

This demonstrates the problem: while the ufw rules files are correct, ufw removed the first matching tcp and udp rules in the firewall, which ended up deleting the wrong tcp rule. As mentioned, this is corrected after a reload or reboot.

I don't think this bug should be private. I'll leave it as security since, while I consider this a 'normal' bug, there could be security implications until reboot/reload.
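Because the rules file stays correct while the live chain drifts, the useful check on a host until it is reloaded is an ordered comparison of /etc/ufw/user.rules against the running chain. The script below is an added example and is not part of ufw or of this bug report; it parses the two formats exactly as they appear in the output quoted above (the `-A ufw-user-input ...` lines from user.rules and the `iptables -L ufw-user-input -n` listing), and the sample inputs are constructed copies of the post-delete state shown in the comment. Note that in this case both sides contain the same three rules; only the order differs, so a set comparison would report no drift, which is why the check compares position by position.

```python
import re
from typing import List, Optional, Tuple

# A rule is normalised to (target, proto, source, dport) so that a line from
# /etc/ufw/user.rules and a line from `iptables -L <chain> -n` can be compared.
Rule = Tuple[str, str, str, str]

# Constructed sample: the user.rules fragment after `ufw delete 3`, copied
# from the comment above (the file is correct).
USER_RULES = """\
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 1.2.3.0/26 in
-A ufw-user-input -p tcp --dport 22 -s 1.2.3.0/26 -j ACCEPT

### tuple ### allow any 22 0.0.0.0/0 any 1.1.1.0/26 in
-A ufw-user-input -p tcp --dport 22 -s 1.1.1.0/26 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 1.1.1.0/26 -j ACCEPT
"""

# Constructed sample: `iptables -L ufw-user-input -n` after the same delete,
# copied from the comment above (the live chain ended up in a different order).
IPTABLES_LIST = """\
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 1.1.1.0/26 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 1.1.1.0/26 0.0.0.0/0 udp dpt:22
ACCEPT tcp -- 1.2.3.0/26 0.0.0.0/0 tcp dpt:22
"""


def parse_user_rules(text: str, chain: str = "ufw-user-input") -> List[Rule]:
    """Extract the -A lines for one chain from user.rules, in file order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        tokens = line.split()
        opts = {}
        for i, tok in enumerate(tokens):
            if tok in ("-p", "--dport", "-s", "-j") and i + 1 < len(tokens):
                opts[tok] = tokens[i + 1]
        rules.append((opts.get("-j", ""), opts.get("-p", "all"),
                      opts.get("-s", "0.0.0.0/0"), opts.get("--dport", "")))
    return rules


# target prot opt source destination [extra]  (columns are whitespace separated)
LIST_LINE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_iptables_list(text: str) -> List[Rule]:
    """Parse `iptables -L <chain> -n` output into rules, in chain order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Chain ") or line.startswith("target"):
            continue
        m = LIST_LINE.match(line)
        if not m:
            continue
        target, proto, source, _dest, extra = m.groups()
        dpt = re.search(r"dpt:(\d+)", extra or "")
        rules.append((target, proto, source, dpt.group(1) if dpt else ""))
    return rules


def find_drift(file_rules: List[Rule], live_rules: List[Rule]
               ) -> List[Tuple[int, Optional[Rule], Optional[Rule]]]:
    """Compare the two sequences position by position.

    Returns (position, file_rule, live_rule) for every position that differs
    (None where one side is shorter). An empty list means the live chain matches
    the file in content *and* order. A set comparison is deliberately not used:
    in the reported case the multiset of rules is identical on both sides.
    """
    diffs = []
    for i in range(max(len(file_rules), len(live_rules))):
        f = file_rules[i] if i < len(file_rules) else None
        l = live_rules[i] if i < len(live_rules) else None
        if f != l:
            diffs.append((i + 1, f, l))
    return diffs


if __name__ == "__main__":
    # On a real host, replace the constructed samples with the file contents
    # and the captured `iptables -L ufw-user-input -n` output.
    drift = find_drift(parse_user_rules(USER_RULES), parse_iptables_list(IPTABLES_LIST))
    for pos, f, l in drift:
        print(f"position {pos}: file={f} live={l}")
    print("in sync" if not drift else f"{len(drift)} position(s) differ; run 'ufw reload'")
```

The script reports all three positions as differing for the quoted state, while a sorted comparison of the two lists would be equal; a practitioner running this after a `ufw delete` and before a reload gets a concrete signal that the live chain no longer reflects the file.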