src/ufw-init-functions: set default policy after loading rules
If the default input policy of DROP (the default setting in ufw) is set
before loading rules to allow a network root filesystem to work,
it freezes before loading them, and the boot process stalls.
Just set the default policy after loading rules, as the snippet for
ip[6]tables-restore has -n/--noflush, which doesn't flush other
rules in the builtin chains.
The output of iptables -L is identical before/after.

tests/check-requirements: revert 29c210e5 (too lenient) and update for 3.9
For a distribution it is arguably ok to modify this script for arbitrary
python versions, but as an upstream it represents what it has been tested
against.

src/backend_iptables.py: unconditionally reload with delete. LP: #1933117
ufw delete can confuse a protocol-specific rule with an otherwise matching
'proto any' rule. Consider:
# ufw allow from 1.1.1.1 port 2222 proto tcp # rule 1
# ufw allow from 2.2.2.2 port 3333 proto tcp # rule 2
# ufw allow from 1.1.1.1 port 2222 # rule 3
Instead of using 'iptables -D' to delete the rule from the running
firewall, reload the user chains so we get the proper rule order
in the running firewall:
TODO: we only need to reload on delete when there are overlapping
proto-specific and 'proto any' rules, so a future optimization could
check for this and go back to using 'iptables -D' when there are no
overlaps.

conf/sysctl.conf: remove tcp_sack=1 and non-firewall sysctls. LP: #1884821
ufw sets net/ipv4/tcp_sack=1, which has been the default since Linux 2.2
(as per 'man tcp'). Remove this as well as two other commented out,
non-firewall settings (net/ipv4/tcp_fin_timeout and
net/ipv4/tcp_keepalive_intvl). Also update the comment at the top of the
file to also reference /etc/sysctl.d.