On Tue, 20 Nov 2018 15:40:04 -0600 Jamie Strandboge
<ja...@canonical.com> wrote:
> This issue is caused by a regression in iptables 1.8.1:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912610
> 
> This is now addressed in iptables. Please upgrade to iptables 1.8.2-2 and ufw
> should start working again. If not, please file a new bug.

This does not work, even with iptables 1.8.2-2 on a Debian sid system.
Nor would I expect it to; ufw has explicit code to reject this scenario.

See also Launchpad #1368411, and specifically this comment from me with
a patch (which I have also attached):
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1368411/comments/10

-- 
Richard
Author: Richard Laager <rlaa...@wiktel.com>
Description: Fix inserting IPv6 rules
 The list of ufw rules is a single list, with IPv4 rules before IPv6 rules.
 When inserting an IPv6 rule, the ufw code converts the position from the
 overall list containing both IPv4 and IPv6 rules into a position in the subset
 of IPv6 rules only.  If the specified position falls inside the IPv4 rules,
 then by definition, the desired IPv6 position is 1, but the current code
 needlessly rejects that.  This breaks fail2ban, which always uses:
   ufw insert 1 reject from ADDRESS to any
Forwarded: no
Last-Update: 2018-10-08
Bug-Ubuntu: https://launchpad.net/bugs/1368411

--- a/src/frontend.py
+++ b/src/frontend.py
@@ -454,8 +454,7 @@
                         if r.position > num_v4:
                             r.set_position(r.position - num_v4)
                         elif r.position != 0 and r.position <= num_v4:
-                            pos_err_msg += str(r.position) + "'"
-                            raise UFWError(pos_err_msg)
+                            r.set_position(1)
                         r.set_v6(True)
                         tmp = self.backend.set_rule(r)
                     elif ip_version == "both":
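Review bot: In the `elif r.position != 0 and r.position <= num_v4:` branch, `r.set_position(1)` remaps the requested position silently and carries no comment saying why. A one-line comment above it, stating that a position inside the IPv4 range maps to the first IPv6 rule, would keep a later reader from restoring the error. The two removed lines were the only visible use of `pos_err_msg` in this branch, so check whether the code that builds it is still needed for the v6 path. Because rule order decides which rule matches first, the user-facing documentation should also say that such an insert lands ahead of every existing IPv6 rule.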
--- a/tests/ipv6/rules64/runtest.sh
+++ b/tests/ipv6/rules64/runtest.sh
@@ -156,7 +156,7 @@
 
 echo "ipv6 rule in ipv4 section" >> $TESTTMP/result
 do_cmd "0" null delete allow to ::1 port 8888
-do_cmd "1" null insert 2 allow to ::1 port 8888
+do_cmd "0" null insert 2 allow to ::1 port 8888
 
 echo "ipv4 rule in ipv6 section" >> $TESTTMP/result
 do_cmd "0" null delete allow to ::1 port 8888
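Review bot: The changed `do_cmd` line under "ipv6 rule in ipv4 section" only flips the expected status from "1" to "0" and does not verify where the rule ends up. Add a check that the inserted rule is listed as the first IPv6 rule, and add a case for `insert 1`, which is the form the description says fail2ban uses; the test as shown only exercises `insert 2`. Since the command output is appended to `$TESTTMP/result`, any expected-result file compared against it will need the same update, and the patch as shown touches only `runtest.sh`.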
