ufw

ufw:release/0.36

Last commit made on 2021-11-02
Get this branch:
git clone -b release/0.36 https://git.launchpad.net/ufw
Only Jamie Strandboge can upload to this branch. If you are Jamie Strandboge please log in for upload directions.

Branch merges

Branch information

Name:
release/0.36
Repository:
lp:ufw

Recent commits

e20db88... by Jamie Strandboge

systemd.example: remove DefaultDependencies=no

The systemd unit has historically always used DefaultDependencies=no.
When only Before=network.target was used, the dependencies (as seen with
'systemctl list-dependencies ufw.service') were:

ufw.service
 |_system.slice

When Before=network.target was changed to Before=network-pre.target and
Wants=network-pre.target, this became:

ufw.service
 |_system.slice
 |_network-pre.target

Removing DefaultDependencies=no (DefaultDependencies defaults to 'yes')
pulls in the sysinit.target which changes this to (on a Debian 11
system):

ufw.service
 |_system.slice
 |_network-pre.target
 |_sysinit.target
   |_apparmor.service
   |_blk-availability.service
   |_dev-hugepages.mount
   |_dev-mqueue.mount
   |_keyboard-setup.service
   |_kmod-static-nodes.service
   |_lvm2-lvmpolld.socket
   |_lvm2-monitor.service
   |_proc-sys-fs-binfmt_misc.automount
   |_sys-fs-fuse-connections.mount
   |_sys-kernel-config.mount
   |_sys-kernel-debug.mount
   |_sys-kernel-tracing.mount
   |_systemd-ask-password-console.path
   |_systemd-binfmt.service
   |_systemd-boot-system-token.service
   |_systemd-hwdb-update.service
   |_systemd-journal-flush.service
   |_systemd-journald.service
   |_systemd-machine-id-commit.service
   |_systemd-modules-load.service
   |_systemd-pstore.service
   |_systemd-random-seed.service
   |_systemd-sysctl.service
   |_systemd-sysusers.service
   |_systemd-timesyncd.service
   |_systemd-tmpfiles-setup-dev.service
   |_systemd-tmpfiles-setup.service
   |_systemd-udev-trigger.service
   |_systemd-udevd.service
   |_systemd-update-utmp.service
   |_cryptsetup.target
     |_systemd-cryptsetup@vda5_crypt.service
   |_local-fs.target
     |_-.mount
     |_boot.mount
     |_systemd-fsck-root.service
     |_systemd-remount-fs.service
   |_swap.target
     |_dev-mapper-debian\x2d\x2dbuster\x2d\x2damd64\x2d\x2dvg\x2dswap_1.swap

While ufw is meant to come up before networking, there is no reason why
it shouldn't come up after 'basic system initialization is
completed'[1]. This should help make ufw startup more robust on systems
that need something from sysinit.

[1]https://www.freedesktop.org/software/systemd/man/systemd.unit.html

a98a617... by Jamie Strandboge

systemd.example: add Conflicts on various firewall software

Problems with ufw start most often have to do with other firewall
software getting in the way. Take a page from firewalld's systemd unit
and add a Conflicts on iptables, ip6tables, nftables and firewalld

aa375e9... by Jamie Strandboge

systemd.example: add Documentation and put Before before Wants (cosmetic)

a0a5ed9... by Jamie Strandboge

src/ufw-init-functions: add another default policy comment

900f5eb... by Jamie Strandboge

update ChangeLog for last commit

c743cc1... by Mauricio Faria de Oliveira

src/ufw-init-functions: set default policy after loading rules

If default input policy of DROP (default setting in ufw) is set
before loading rules to allow a network root filesystem to work,
it freezes before loading them, and the boot process stalls.

Just set default policy after loading rules, as the snippet for
ip[6]tables-restore has -n/--noflush, which doesn't flush other
rules in the builtin chains.

The output of iptables -L is identical before/after.

https://bugs.launchpad.net/bugs/1946804

Signed-off-by: Mauricio Faria de Oliveira <email address hidden>

d857d50... by Jamie Strandboge

src/ufw: update copyright year

8108e8d... by Jamie Strandboge

ChangeLog,setup.py,snapcraft.yaml: rev to 0.36.2

c5bab50... by Jamie Strandboge

release 0.36.1

6eb539b... by Jamie Strandboge

update man pages for newer dates and remove email address