ufw

Merge ~mfo/ufw:lp1946804-debian into ufw:debian/master

Proposed by Mauricio Faria de Oliveira
Status: Rejected
Rejected by: Jamie Strandboge
Proposed branch: ~mfo/ufw:lp1946804-debian
Merge into: ufw:debian/master
Diff against target: 166 lines (+107/-2)
5 files modified
debian/changelog (+9/-0)
debian/patches/0002-fix-copyright.patch (+2/-1)
debian/patches/python3-versions.diff (+2/-1)
debian/patches/series (+1/-0)
debian/patches/set-default-policy-after-load.patch (+93/-0)
Reviewer: Jamie Strandboge
Review status: Disapprove
Review via email: mp+410152@code.launchpad.net

Commit message

Add patch from master.
Apparently a couple other patches needed to be refreshed in order to apply.

Jamie Strandboge (jdstrand) wrote :

Thanks for the MP! Unfortunately, the reason why you had trouble with the existing patches was because I forgot to push the 0.36.1 changes to the branch (I only pushed the debian/ directory) when I cut the tag. Because of my mistake, this MP won't apply so I'm going to Disapprove. I fixed all this, then applied your patch on top, added a couple of small changes and uploaded 0.36.1-2 to Debian just now.

review: Disapprove
Mauricio Faria de Oliveira (mfo) wrote :

Ha, that explains it :) The error with the patches was a bit curious, indeed. Thanks for clarifying and handling that!

Unmerged commits

721c3e2... by Mauricio Faria de Oliveira

set default policy after loading rules

Signed-off-by: Mauricio Faria de Oliveira <email address hidden>

cb7ef24... by Mauricio Faria de Oliveira

refresh python3-versions.diff

Signed-off-by: Mauricio Faria de Oliveira <email address hidden>

863ebc6... by Mauricio Faria de Oliveira

refresh 0002-fix-copyright.patch

Signed-off-by: Mauricio Faria de Oliveira <email address hidden>

673555b... by Jamie Strandboge

release 0.36.1-1

* New upstream release (LP: #1808463, LP: #1831186, LP: #1838764,
  LP: #1556419, LP: #1933117). Drop the following (included upstream):
  - 0002-fix-check-requirements.patch
  - 0003-lp1838764.patch
  - 0004-make-root-tests-chain-order-agnostic.patch
  - 0005-use-only-python3.patch
  - 0006-bug921680.patch
  - 0007-bug921680-pt2.patch
  - 0008-fix-check-requirements-again.patch
  - 0009-empty-non-functioning-ipt-modules.patch
  - 0010-add-other-firewall-checks.patch
  - 0011-suppress-legacy-warnings-in-tests.patch
  - 0012-pyflakes3.patch
  - 0013-add-prepend-to-help.patch
* Remaining changes:
  - 0001-optimize-boot.patch
  - python3-versions.diff

[ Jamie Strandboge ]
* ufw.lintian-overrides:
  - remove init.d-script-possible-missing-stop override
  - adjust "allow to" override
  - override spare-manual-page for ufw-framework as it gives additional
    details for the ufw command
* 0002-fix-copyright.patch: src/ufw: update copyright year
* debian/*: use my <email address hidden> email address

[ Debian Janitor ]
* Use secure copyright file specification URI.
* Use set -e rather than passing -e on the shebang-line.
* Set upstream metadata fields: Repository, Repository-Browse.
* Update watch file format version to 4.

[ Bastian Triller ]
* debian/ufw.logrotate: use rsyslog-rotate instead of invoke-rc.d
  (Closes: 993525)

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 72e691f..45c93ca 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,12 @@
6+ufw (0.36.1-2) UNRELEASED; urgency=medium
7+
8+ * d/p/0002-fix-copyright.patch: refresh patch (hunk 2).
9+ * d/p/python3-versions.diff: refresh patch.
10+ * d/p/set-default-policy-after-loading-rules.patch: fix boot stall on
11+ iscsi/network root filesystem when starting ufw (LP: #1946804)
12+
13+ -- Mauricio Faria de Oliveira <mfo@canonical.com> Wed, 13 Oct 2021 14:54:25 -0300
14+
15 ufw (0.36.1-1) unstable; urgency=medium
16
17 * New upstream release (LP: #1808463, LP: #1831186, LP: #1838764,
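
Review bot: The third changelog bullet names d/p/set-default-policy-after-loading-rules.patch, but the file this MP adds, and the entry appended to debian/patches/series, is set-default-policy-after-load.patch. Make the changelog entry match the real filename so the bullet can be traced to the patch that carries the fix for LP: #1946804.
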
18diff --git a/debian/patches/0002-fix-copyright.patch b/debian/patches/0002-fix-copyright.patch
19index 544f569..42dc1fa 100644
20--- a/debian/patches/0002-fix-copyright.patch
21+++ b/debian/patches/0002-fix-copyright.patch
22@@ -4,6 +4,7 @@ Date: Sun Sep 19 01:09:36 2021 -0500
23
24 src/ufw: update copyright year
25
26+[2021-10-13: refresh hunk 2 with s/2018/2015/]
27 diff --git a/src/ufw b/src/ufw
28 index 115d294..7d72395 100755
29 --- a/src/ufw
30@@ -21,7 +22,7 @@ index 115d294..7d72395 100755
31 sys.exit(0)
32 elif pr.action == "version" or pr.action == "--version":
33 msg(ufw.common.programName + " " + version)
34-- msg("Copyright 2008-2018 Canonical Ltd.")
35+- msg("Copyright 2008-2015 Canonical Ltd.")
36 + msg("Copyright 2008-2021 Canonical Ltd.")
37 sys.exit(0)
38
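
Review bot: In the second hunk the line that the patch removes changes from "Copyright 2008-2018" to "Copyright 2008-2015", so the refresh moved the patch's pre-image to an older string. That is a sign that src/ufw in this branch is not the source the patch was written against. Check that the branch carries the upstream source matching the packaged version before refreshing, rather than adapting the patch to the tree. The bracketed note added to the description records what was substituted but not why it was needed.
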
39diff --git a/debian/patches/python3-versions.diff b/debian/patches/python3-versions.diff
40index aa479e7..642f442 100644
41--- a/debian/patches/python3-versions.diff
42+++ b/debian/patches/python3-versions.diff
43@@ -2,13 +2,14 @@ Author: Matthias Klose <doko@debian.org>
44 Description: Fix python version check for Python >= 3.9
45 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975912
46 Forwarded: yes
47+Last-Updated: 2021-10-13
48 --- a/tests/check-requirements
49 +++ b/tests/check-requirements
50 @@ -59,7 +59,7 @@ for exe in python3 python2 python ; do
51 echo "pass (binary: $exe, version: $v, py2)"
52 found_python="yes"
53 break
54-- elif echo "$v" | grep -q "^3.[2-8]"; then
55+- elif echo "$v" | grep -q "^3.[234]"; then
56 + elif echo "$v" | grep -q "^3.[1-9][0-9]*"; then
57 echo "pass (binary: $exe, version: $v, py3)"
58 found_python="yes"
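
Review bot: The added header "Last-Updated: 2021-10-13" uses a field name that DEP-3 does not define; the field is "Last-Update". The removed line in the embedded patch also changes from the pattern "^3.[2-8]" to the narrower "^3.[234]", so verify that tests/check-requirements in this branch is the version the patch targets before accepting the refresh.
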
59diff --git a/debian/patches/series b/debian/patches/series
60index 7935c84..cdb7cf1 100644
61--- a/debian/patches/series
62+++ b/debian/patches/series
63@@ -1,3 +1,4 @@
64 0001-optimize-boot.patch
65 0002-fix-copyright.patch
66 python3-versions.diff
67+set-default-policy-after-load.patch
68diff --git a/debian/patches/set-default-policy-after-load.patch b/debian/patches/set-default-policy-after-load.patch
69new file mode 100644
70index 0000000..899346a
71--- /dev/null
72+++ b/debian/patches/set-default-policy-after-load.patch
73@@ -0,0 +1,93 @@
74+Origin: upstream, https://git.launchpad.net/ufw/commit/?id=4d25bd6635a493ae10c1984bfe16fb31e3903198
75+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1946804
76+From: Mauricio Faria de Oliveira <mfo@canonical.com>
77+Date: Tue, 12 Oct 2021 18:57:40 -0300
78+Subject: [PATCH] src/ufw-init-functions: set default policy after loading
79+ rules
80+
81+If default input policy of DROP (default setting in ufw) is set
82+before loading rules to allow a network root filesystem to work,
83+it freezes before loading them, and the boot process stalls.
84+
85+Just set default policy after loading rules, as the snippet for
86+ip[6]tables-restore has -n/--noflush, which doesn't flush other
87+rules in the builtin chains.
88+
89+The output of iptables -L is identical before/after.
90+
91+https://bugs.launchpad.net/bugs/1946804
92+
93+Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
94+---
95+ src/ufw-init-functions | 48 ++++++++++++++++++++++--------------------
96+ 1 file changed, 25 insertions(+), 23 deletions(-)
97+
98+diff --git a/src/ufw-init-functions b/src/ufw-init-functions
99+index feac8e203c1d..f0dd7f59f4c2 100755
100+--- a/src/ufw-init-functions
101++++ b/src/ufw-init-functions
102+@@ -168,29 +168,6 @@ ufw_start() {
103+ AFTER_RULES="$RULES_PATH/after${type}.rules"
104+ USER_RULES="$USER_PATH/user${type}.rules"
105+
106+- # set the default policy
107+- input_pol="$DEFAULT_INPUT_POLICY"
108+- if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
109+- input_pol="DROP"
110+- fi
111+-
112+- output_pol="$DEFAULT_OUTPUT_POLICY"
113+- if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
114+- output_pol="DROP"
115+- fi
116+-
117+- forward_pol="$DEFAULT_FORWARD_POLICY"
118+- if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
119+- forward_pol="DROP"
120+- fi
121+-
122+- printf "*filter\n"\
123+-"# builtin chains\n"\
124+-":INPUT %s [0:0]\n"\
125+-":FORWARD %s [0:0]\n"\
126+-":OUTPUT %s [0:0]\n"\
127+-"COMMIT\n" $input_pol $forward_pol $output_pol | $exe-restore -n || error="yes"
128+-
129+ # flush the chains (if they exist)
130+ if $exe -L ufw${type}-before-logging-input -n >/dev/null 2>&1 ; then
131+ delete_chains $type || error="yes"
132+@@ -378,6 +355,31 @@ ufw_start() {
133+ out="${out}\nCouldn't find '$USER_RULES'"
134+ error="yes"
135+ fi
136++
137++ # set the default policy
138++ # (do this after loading rules so not to break
139++ # network rootfs w/ INPUT DROP during ufw init.)
140++ input_pol="$DEFAULT_INPUT_POLICY"
141++ if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
142++ input_pol="DROP"
143++ fi
144++
145++ output_pol="$DEFAULT_OUTPUT_POLICY"
146++ if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
147++ output_pol="DROP"
148++ fi
149++
150++ forward_pol="$DEFAULT_FORWARD_POLICY"
151++ if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
152++ forward_pol="DROP"
153++ fi
154++
155++ printf "*filter\n"\
156++"# builtin chains\n"\
157++":INPUT %s [0:0]\n"\
158++":FORWARD %s [0:0]\n"\
159++":OUTPUT %s [0:0]\n"\
160++"COMMIT\n" $input_pol $forward_pol $output_pol | $exe-restore -n || error="yes"
161+ done
162+
163+ if [ ! -z "$IPT_SYSCTL" ] && [ -s "$IPT_SYSCTL" ]; then
164+--
165+2.30.2
166+
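
Review bot: With the "set the default policy" block moved to the end of the per-type loop in ufw_start, the builtin chains keep whatever policy they had beforehand for as long as the rules files are being loaded, so the configured DROP is not in force during that window. The description only states that the final iptables -L output is identical; please state this ordering trade-off in the description and in the new code comment. It is also worth saying explicitly that the block sits after the USER_RULES check and before "done", so it still runs when an earlier step has set error="yes" and a failed rules load does not leave the default policy unset. Separately, $input_pol $forward_pol $output_pol are passed to printf unquoted, so an empty DEFAULT_*_POLICY value would shift the arguments into the wrong chain lines; this is carried over from the removed block, but quoting them while the code is being moved would be cheap.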
