ufw

Merge ~mfo/ufw:lp1946804 into ufw:master

Proposed by Mauricio Faria de Oliveira
Status: Merged
Merged at revision: 4d25bd6635a493ae10c1984bfe16fb31e3903198
Proposed branch: ~mfo/ufw:lp1946804
Merge into: ufw:master
Diff against target: 66 lines (+25/-23)
1 file modified
src/ufw-init-functions (+25/-23)
Reviewer: Jamie Strandboge
Review status: Approve
Review via email: mp+410091@code.launchpad.net
Mauricio Faria de Oliveira (mfo) wrote :

The comparison of `iptables -L` before/after shows no differences (verified on a local rootfs).

`run_tests.sh` has 0 skipped/errors.

------------------------
Functional tests summary
------------------------
Attempted: 22 (3339 individual tests)
Skipped: 0
Errors: 0

Jamie Strandboge (jdstrand) wrote :

I'm away from my computer, but this looks ok to me. I'll work through this more fully and commit tomorrow, but I think you're good for Ubuntu uploads if this is urgent.

Thanks!

review: Approve
Mauricio Faria de Oliveira (mfo) wrote :

Thanks for the quick response!

This is not urgent, so it can wait a full review + commit.

If this is merged into master, should I send PRs for the
ubuntu/master and debian/master branches? (for the devel
release.)

I can handle the SRUs for Ubuntu, and ask a core-dev for
sponsoring to the devel release (or let you handle it if
you prefer -- just let me know! :)

Thanks!

Jamie Strandboge (jdstrand) wrote :

If you send up a PR for debian/master, then I'll upload to Debian and sync to the devel release. Don't worry about ubuntu/master (I only update that if the latest release is different from debian/master, so it is a little out of date atm).

For the Ubuntu SRUs, if you were feeling (even more) industrious, it would be nice to pull in 632cda034f7b96d07667b06d39b6eb396c0e611f to fix https://launchpad.net/bugs/1933117 for 18.04 and later. By all means don't feel that this is required, but the fix is in Debian, impish and the snap already, so if this sounds like something you'd like to do, it just needs the SRU paperwork and processing.

Mauricio Faria de Oliveira (mfo) wrote :

Ok, I just submitted a PR for debian/master. [1]

Sure, I'll take a look at adding that commit.

cheers.

[1] https://code.launchpad.net/~mfo/ufw/+git/ufw/+merge/410152

Preview Diff

1diff --git a/src/ufw-init-functions b/src/ufw-init-functions
2index feac8e2..f0dd7f5 100755
3--- a/src/ufw-init-functions
4+++ b/src/ufw-init-functions
5@@ -168,29 +168,6 @@ ufw_start() {
6 AFTER_RULES="$RULES_PATH/after${type}.rules"
7 USER_RULES="$USER_PATH/user${type}.rules"
8
9- # set the default policy
10- input_pol="$DEFAULT_INPUT_POLICY"
11- if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
12- input_pol="DROP"
13- fi
14-
15- output_pol="$DEFAULT_OUTPUT_POLICY"
16- if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
17- output_pol="DROP"
18- fi
19-
20- forward_pol="$DEFAULT_FORWARD_POLICY"
21- if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
22- forward_pol="DROP"
23- fi
24-
25- printf "*filter\n"\
26-"# builtin chains\n"\
27-":INPUT %s [0:0]\n"\
28-":FORWARD %s [0:0]\n"\
29-":OUTPUT %s [0:0]\n"\
30-"COMMIT\n" $input_pol $forward_pol $output_pol | $exe-restore -n || error="yes"
31-
32 # flush the chains (if they exist)
33 if $exe -L ufw${type}-before-logging-input -n >/dev/null 2>&1 ; then
34 delete_chains $type || error="yes"
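
Review bot: Removing the policy block here, at the top of ufw_start(), means the builtin chains keep whatever policy they had on entry for the whole time the ufw chains are flushed and the rules files are loaded. If that policy is ACCEPT (the kernel default at boot), the host is fail-open for that window where it was previously fail-closed. That trade-off is the point of the change for a network rootfs, but it deserves a sentence in the commit message or in the comment at the new location, so a later reader does not move the block back or assume the firewall is default-deny from the first line of ufw_start().
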
35@@ -378,6 +355,31 @@ ufw_start() {
36 out="${out}\nCouldn't find '$USER_RULES'"
37 error="yes"
38 fi
39+
40+ # set the default policy
41+ # (do this after loading rules so not to break
42+ # network rootfs w/ INPUT DROP during ufw init.)
43+ input_pol="$DEFAULT_INPUT_POLICY"
44+ if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
45+ input_pol="DROP"
46+ fi
47+
48+ output_pol="$DEFAULT_OUTPUT_POLICY"
49+ if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
50+ output_pol="DROP"
51+ fi
52+
53+ forward_pol="$DEFAULT_FORWARD_POLICY"
54+ if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
55+ forward_pol="DROP"
56+ fi
57+
58+ printf "*filter\n"\
59+"# builtin chains\n"\
60+":INPUT %s [0:0]\n"\
61+":FORWARD %s [0:0]\n"\
62+":OUTPUT %s [0:0]\n"\
63+"COMMIT\n" $input_pol $forward_pol $output_pol | $exe-restore -n || error="yes"
64 done
65
66 if [ ! -z "$IPT_SYSCTL" ] && [ -s "$IPT_SYSCTL" ]; then
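
Review bot: In the relocated printf, `$input_pol $forward_pol $output_pol` are passed unquoted, so an empty or unset DEFAULT_*_POLICY drops an argument and shifts the remaining values onto the wrong chains (the FORWARD value would be substituted into the :INPUT line). Quote each one, as in `"$input_pol" "$forward_pol" "$output_pol"`, so an empty value stays in its own position. Because this block now runs last, a failure of this `$exe-restore -n` only sets error="yes" and leaves the previous chain policies in place with the rules already loaded; the new comment could say so next to the network rootfs rationale.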
