ufw

ufw:release/0.35

Last commit made on 2021-09-19
Get this branch:
git clone -b release/0.35 https://git.launchpad.net/ufw

Branch information

Name:
release/0.35
Repository:
lp:ufw

Recent commits

2bc8b48... by Jamie Strandboge

release 0.35.1

48accfe... by Jamie Strandboge

src/backend_iptables.py: unconditionally reload with delete. LP: #1933117

ufw delete can confuse a protocol-specific rule with an otherwise matching
'proto any' rule. Consider:

  # ufw allow from 1.1.1.1 port 2222 proto tcp # rule 1
  # ufw allow from 2.2.2.2 port 3333 proto tcp # rule 2
  # ufw allow from 1.1.1.1 port 2222 # rule 3

In this case the loaded firewall will have:

  # iptables -L ufw-user-input -n
  Chain ufw-user-input (1 references)
  target prot opt source destination
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
  ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
  ACCEPT udp -- 1.1.1.1 0.0.0.0/0 udp spt:2222

If we delete the 3rd rule:

  # ufw delete 3
  Deleting:
   allow from 1.1.1.1 port 2222
  Proceed with operation (y|n)? y
  Rule deleted

then ufw updates the running firewall with 'iptables -D', such that the
loaded firewall is out of order and ends up having:

  # iptables -L ufw-user-input -n
  Chain ufw-user-input (1 references)
  target prot opt source destination
  ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222

Instead of using 'iptables -D' to delete the rule from the running
firewall, reload the user chains so we get the proper rule order
in the running firewall:

  # iptables -L ufw-user-input -n
  Chain ufw-user-input (1 references)
  target prot opt source destination
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
  ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333

TODO: we only need to reload on delete when there are overlapping
proto-specific and 'proto any' rules, so a future optimization could
check for this and go back to using 'iptables -D' when there are no
overlaps.
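To make the ordering problem concrete, here is an added Python model of the two deletion strategies described in the commit message above. It is written for this page and is not ufw's own code; the rule expansion and the "-D removes the first equal rule" behaviour are simplified stand-ins for what iptables does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IptablesRule:
    """One entry in the ufw-user-input chain (proto, source, source port)."""
    proto: str
    src: str
    spt: int


def expand(ufw_rule):
    """Expand a ufw rule (src, port, proto) into the iptables rules it yields.
    A 'proto any' rule becomes one tcp and one udp entry, as in the listing above."""
    src, port, proto = ufw_rule
    protos = ("tcp", "udp") if proto == "any" else (proto,)
    return [IptablesRule(p, src, port) for p in protos]


def load_chain(ufw_rules):
    """Build the running chain by expanding every ufw rule in order."""
    chain = []
    for rule in ufw_rules:
        chain.extend(expand(rule))
    return chain


def delete_with_iptables_d(chain, ufw_rule):
    """Old behaviour: for each expanded entry, 'iptables -D <spec>' removes the
    FIRST chain rule matching that spec, even if it came from another ufw rule."""
    chain = list(chain)
    for spec in expand(ufw_rule):
        chain.remove(spec)  # list.remove drops the first equal element
    return chain


def delete_with_reload(ufw_rules, index):
    """New behaviour: drop the rule from ufw's own list, then rebuild the chain."""
    remaining = ufw_rules[:index] + ufw_rules[index + 1:]
    return load_chain(remaining)


# Constructed input mirroring the three rules from the commit message.
RULES = [("1.1.1.1", 2222, "tcp"), ("2.2.2.2", 3333, "tcp"), ("1.1.1.1", 2222, "any")]

if __name__ == "__main__":
    running = load_chain(RULES)
    print("after iptables -D:", delete_with_iptables_d(running, RULES[2]))
    print("after reload:     ", delete_with_reload(RULES, 2))
```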

07f08b6... by Jamie Strandboge

conf/before6.rules: adjust ufw6-before-output rules for echo-reply and
echo-request (LP: #1633698)

a2da2ae... by Jamie Strandboge

src/parser.py: fix logic and tests mistakenly broken in 3fd1b3c0

3fd1b3c... by Jamie Strandboge

clean up some parser error logic and have 100% coverage for parser.py

cc6841d... by Jamie Strandboge

Makefile: support python3 with coverage

f416992... by Jamie Strandboge

src/ufw: remove unused import

be894de... by Jamie Strandboge

src/util.py: add missing import

fd93d37... by Jamie Strandboge

src/util.py: use a unique chain name for caps test chain

aca94e3... by Jamie Strandboge

src/ufw: pep8 whitespace and copyright update