ufw

~mfo/ufw:lp1946804

Last commit made on 2021-10-12
Get this branch:
git clone -b lp1946804 https://git.launchpad.net/~mfo/ufw

Branch information

Name:
lp1946804
Repository:
lp:~mfo/ufw

Recent commits

4d25bd6... by Mauricio Faria de Oliveira

src/ufw-init-functions: set default policy after loading rules

If default input policy of DROP (default setting in ufw) is set
before loading rules to allow a network root filesystem to work,
it freezes before loading them, and the boot process stalls.

Just set default policy after loading rules, as the snippet for
ip[6]tables-restore has -n/--noflush, which doesn't flush other
rules in the builtin chains.

The output of iptables -L is identical before/after.

https://bugs.launchpad.net/bugs/1946804

Signed-off-by: Mauricio Faria de Oliveira <email address hidden>

6193bca... by Jamie Strandboge

tests/check-requirements: revert 29c210e5 (too lenient) and update for 3.9

For a distribution it is arguably ok to modify this script for arbitrary
python versions but as an upstream it represents what it has been tested
against.

2d4f734... by Jamie Strandboge

AUTHORS,setup.py: use updated email address

29c210e... by Jamie Strandboge

tests/check-requirements: fix python version check for Python >= 3.9

Patch thanks to Matthias Klose <email address hidden>

References:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975912

9db920b... by Jamie Strandboge

src/ufw: adjust version year

189207d... by Jamie Strandboge

update man pages for newer dates and remove email address

f957f03... by Jamie Strandboge

src/backend_iptables.py: unconditionally reload with delete. LP: #1933117

ufw delete can confuse protocol-specific rule with otherwise matching
'proto any' rule. Consider:

  # ufw allow from 1.1.1.1 port 2222 proto tcp # rule 1
  # ufw allow from 2.2.2.2 port 3333 proto tcp # rule 2
  # ufw allow from 1.1.1.1 port 2222 # rule 3

In this case the loaded firewall will have:

  # iptables -L ufw-user-input -n
  Chain ufw-user-input (1 references)
  target prot opt source destination
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
  ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
  ACCEPT udp -- 1.1.1.1 0.0.0.0/0 udp spt:2222

If we delete the 3rd rule:

  # ufw delete 3
  Deleting:
   allow from 1.1.1.1 port 2222
  Proceed with operation (y|n)? y
  Rule deleted

then ufw updates the running firewall with 'iptables -D', such that the
loaded firewall is out of order and ends up having:

  # iptables -L ufw-user-input -n
  Chain ufw-user-input (1 references)
  target prot opt source destination
  ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222

Instead of using 'iptables -D' to delete the rule from the running
firewall, reload the user chains so we get the proper rule order
in the running firewall:

  # iptables -L ufw-user-input -n
  Chain ufw-user-input (1 references)
  target prot opt source destination
  ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
  ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333

TODO: we only need to reload on delete when there are overlapping
proto-specific and 'proto any' rules, so a future optimization could
check for this and go back to using 'iptables -D' when there are no
overlaps.
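
The ordering problem described in this commit message, as an added example that is not ufw's own code: a small Python model in which a 'proto any' rule expands into tcp and udp entries and `iptables -D` removes only the first entry matching the spec. Representing rule specs as (proto, src, sport) tuples is an assumption of the model.

```python
# Added example, not ufw's own code: a model of the rule-ordering problem fixed
# in f957f03 (LP: #1933117).  A ufw rule with no protocol ('proto any') expands
# into one tcp and one udp iptables rule, and `iptables -D <spec>` removes the
# FIRST entry matching the spec, so deleting the 'proto any' rule can strip an
# earlier, identical proto-specific rule.  Specs here are (proto, src, sport)
# tuples, an assumption made for this model.

def expand(rule):
    """Expand a ufw (src, sport, proto) rule into iptables rule specs."""
    src, sport, proto = rule
    protos = ["tcp", "udp"] if proto == "any" else [proto]
    return [(p, src, sport) for p in protos]

def load_chain(rules):
    """Model a full chain load: every rule expanded, in the order given."""
    chain = []
    for rule in rules:
        chain.extend(expand(rule))
    return chain

def iptables_delete(chain, spec):
    """Model `iptables -D`: remove only the first entry matching spec."""
    for i, entry in enumerate(chain):
        if entry == spec:
            del chain[i]
            return True
    return False

def delete_with_iptables_d(rules, idx):
    """Old behaviour: delete ufw rule number idx from the running chain via -D."""
    chain = load_chain(rules)
    for spec in expand(rules[idx - 1]):
        iptables_delete(chain, spec)
    return chain

def delete_with_reload(rules, idx):
    """Behaviour after the fix: reload the user chain from the remaining rules."""
    remaining = rules[:idx - 1] + rules[idx:]
    return load_chain(remaining)

# Constructed input: the three rules from the commit message.
RULES = [
    ("1.1.1.1", 2222, "tcp"),  # rule 1
    ("2.2.2.2", 3333, "tcp"),  # rule 2
    ("1.1.1.1", 2222, "any"),  # rule 3, expands to tcp + udp
]

if __name__ == "__main__":
    print("iptables -D :", delete_with_iptables_d(RULES, 3))
    print("reload      :", delete_with_reload(RULES, 3))
```

With these three rules the -D path leaves 2.2.2.2 ahead of 1.1.1.1, as in the commit message, while the reload path keeps the original order.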

400e64b... by Jamie Strandboge

doc/ufw.8: insert/prepend can't be used to update comments. LP: #1927737

22fee11... by Jamie Strandboge

src/backend_iptables.py: remove unreachable code. LP: #1927734

0187bf0... by Jamie Strandboge

conf/sysctl.conf: remove tcp_sack=1 and non-firewall sysctls. LP: #1884821

ufw set net/ipv4/tcp_sack=1 which has been the default since Linux 2.2
(as per 'man tcp'). Remove this as well as two other commented out,
non-firewall settings (net/ipv4/tcp_fin_timeout and
net/ipv4/tcp_keepalive_intvl). Also update comment at the top of the
file to also reference /etc/sysctl.d.