ufw

lp:ufw

Created by Jamie Strandboge and last modified
Get this branch:
bzr branch lp:ufw

Branch information

Owner:
Jamie Strandboge
Project:
ufw
Status:
Development

Import details

Import Status: Reviewed

This branch is an import of the HEAD branch of the Git repository at https://git.launchpad.net/ufw.


Import started on juju-1e3bde-prod-lp-code-import-17 and finished taking 15 seconds — see the log

Recent revisions

1131. By Jamie Strandboge

src/ufw-init-functions: add another default policy comment

1130. By Jamie Strandboge

update ChangeLog for last commit

1129. By Mauricio Faria de Oliveira

src/ufw-init-functions: set default policy after loading rules

If default input policy of DROP (default setting in ufw) is set
before loading rules to allow a network root filesystem to work,
it freezes before loading them, and the boot process stalls.

Just set default policy after loading rules, as the snippet for
ip[6]tables-restore has -n/--noflush, which doesn't flush other
rules in the builtin chains.

The output of iptables -L is identical before/after.

https://bugs.launchpad.net/bugs/1946804

Signed-off-by: Mauricio Faria de Oliveira <email address hidden>

1128. By Jamie Strandboge

tests/check-requirements: revert 29c210e5 (too lenient) and update for 3.9

For a distribution it is arguably ok to modify this script for arbitrary
python versions but as an upstream it represents what it has been tested
against.

1127. By Jamie Strandboge

AUTHORS,setup.py: use updated email address

1126. By Jamie Strandboge

tests/check-requirements: fix python version check for Python >= 3.9

Patch thanks to Matthias Klose <email address hidden>

References:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975912

1125. By Jamie Strandboge

src/ufw: adjust version year

1124. By Jamie Strandboge

update man pages for newer dates and remove email address

1123. By Jamie Strandboge

src/backend_iptables.py: unconditionally reload with delete. LP: #1933117

ufw delete can confuse protocol-specific rule with otherwise matching
'proto any' rule. Consider:

  # ufw allow from 1.1.1.1 port 2222 proto tcp # rule 1
  # ufw allow from 2.2.2.2 port 3333 proto tcp # rule 2
  # ufw allow from 1.1.1.1 port 2222 # rule 3

In this case the loaded firewall will have:

  # iptables -L ufw-user-input -n
  Chain ufw-user-input (1 references)
  target prot opt source destination
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
  ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
  ACCEPT udp -- 1.1.1.1 0.0.0.0/0 udp spt:2222

If we delete the 3rd rule:

  # ufw delete 3
  Deleting:
   allow from 1.1.1.1 port 2222
  Proceed with operation (y|n)? y
  Rule deleted

then ufw updates the running firewall with 'iptables -D', such that the
loaded firewall is out of order and ends up having:

  # iptables -L ufw-user-input -n
  Chain ufw-user-input (1 references)
  target prot opt source destination
  ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222

Instead of using 'iptables -D' to delete the rule from the running
firewall, reload the user chains so we get the proper rule order in the
running firewall:

  # iptables -L ufw-user-input -n
  Chain ufw-user-input (1 references)
  target prot opt source destination
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
  ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333

TODO: we only need to reload on delete when there are overlapping
proto-specific and 'proto any' rules, so a future optimization could
check for this and go back to using 'iptables -D' when there are no
overlaps.
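The ordering problem described in revision 1123 above can be reproduced in a small model. The following is an added, constructed example, not ufw's own code: it models how a ufw rule without a protocol expands into a tcp line and a udp line, how `iptables -D <spec>` removes the first line matching the spec, and how rebuilding the chain from the rule list avoids the reordering. The `has_proto_overlap` helper is a hypothetical implementation of the check the commit's TODO proposes (only reload when a proto-specific rule and a 'proto any' rule overlap); the rule set is the same three rules the commit message uses.

```python
"""Model of the ufw rule-ordering problem fixed in revision 1123.

Constructed example, not ufw's own code. It models
(a) expansion of a 'proto any' ufw rule into a tcp and a udp chain line,
(b) 'iptables -D <spec>', which removes the FIRST line matching the spec,
(c) the fix: reloading the user chain from the remaining rule list.
"""
from dataclasses import dataclass
from typing import List, Tuple

# A ufw user rule as (source, source port, proto); proto "any" means none was given.
UfwRule = Tuple[str, int, str]


@dataclass(frozen=True)
class ChainLine:
    """One ACCEPT line in the ufw-user-input chain (constructed model)."""
    proto: str
    src: str
    sport: int

    def render(self) -> str:
        # Mimics the 'iptables -L ufw-user-input -n' layout shown in the commit message.
        return f"ACCEPT {self.proto} -- {self.src} 0.0.0.0/0 {self.proto} spt:{self.sport}"


def expand(rules: List[UfwRule]) -> List[ChainLine]:
    """Expand ufw rules into chain lines; 'proto any' becomes a tcp line plus a udp line."""
    chain: List[ChainLine] = []
    for src, sport, proto in rules:
        protos = ("tcp", "udp") if proto == "any" else (proto,)
        for p in protos:
            chain.append(ChainLine(p, src, sport))
    return chain


def delete_with_iptables_d(chain: List[ChainLine], rule: UfwRule) -> List[ChainLine]:
    """Model 'iptables -D' per expanded line: each call removes the FIRST matching line.

    When a proto-specific rule precedes an identical 'proto any' rule, the tcp
    line removed belongs to the earlier rule, so the surviving chain is out of order.
    """
    remaining = list(chain)
    for line in expand([rule]):
        remaining.remove(line)  # list.remove drops the first equal element, like -D
    return remaining


def delete_by_reload(rules: List[UfwRule], index: int) -> List[ChainLine]:
    """Model the fix: drop the rule from the rule list and rebuild the whole chain."""
    kept = rules[:index] + rules[index + 1:]
    return expand(kept)


def has_proto_overlap(rules: List[UfwRule]) -> bool:
    """Hypothetical check for the commit's TODO: True when a proto-specific rule and a
    'proto any' rule share source and port, i.e. when a plain 'iptables -D' could
    remove the wrong line and a reload is required."""
    specific = {(src, sport) for src, sport, proto in rules if proto != "any"}
    return any(proto == "any" and (src, sport) in specific for src, sport, proto in rules)


# Constructed rule set mirroring the three rules in the commit message.
RULES: List[UfwRule] = [
    ("1.1.1.1", 2222, "tcp"),   # rule 1
    ("2.2.2.2", 3333, "tcp"),   # rule 2
    ("1.1.1.1", 2222, "any"),   # rule 3
]

if __name__ == "__main__":
    loaded = expand(RULES)
    print("loaded chain:")
    print("\n".join(line.render() for line in loaded))
    print("after 'iptables -D' of rule 3 (wrong order):")
    print("\n".join(line.render() for line in delete_with_iptables_d(loaded, RULES[2])))
    print("after reload without rule 3 (correct order):")
    print("\n".join(line.render() for line in delete_by_reload(RULES, 2)))
    print("overlap present, reload needed:", has_proto_overlap(RULES))
```

Running the script prints the four-line loaded chain from the commit message, then the two-line chain with rule 2 ahead of rule 1 that `iptables -D` leaves behind, then the correctly ordered chain that a reload produces. `has_proto_overlap` returns False for a rule set with no 'proto any' rule sharing a source and port with a specific one, which is exactly the case where the TODO says `iptables -D` could safely be used again.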

1122. By Jamie Strandboge

doc/ufw.8: insert/prepend can't be used to update comments. LP: #1927737

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)