Bug#911986: closed by Jamie Strandboge (Re: Bug#913112: ufw all traffic blocked, icmp-type + logging error on enable)
I can confirm that the issue has been resolved in the latest release. Thanks for the help.

On Wed, 21 Nov 2018, 03:12 Debian Bug Tracking System wrote:

> This is an automatic notification regarding your Bug report
> which was filed against the ufw package:
>
> #911986: ufw is disabled on startup after the most recent update. also ufw
> enable returns "ERROR: could nkt load logging rules". ufw reload tells me
> that the firewall is inactive. if i run ufw status after the failed ufw
> command it does show that the firewall is active but ufw reload still fails
>
> It has been closed by Jamie Strandboge.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Jamie Strandboge
> <ja...@canonical.com> by replying to this email.
>
> --
> 911986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911986
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
>
> ---------- Forwarded message ----------
> From: Jamie Strandboge
> To: 913112-d...@bugs.debian.org, 909163-d...@bugs.debian.org,
>     911986-d...@bugs.debian.org, 912418-d...@bugs.debian.org
> Cc: Debian Bug Tracking System
> Bcc:
> Date: Tue, 20 Nov 2018 15:40:04 -0600
> Subject: Re: Bug#913112: ufw all traffic blocked, icmp-type + logging error on enable
>
> This issue is caused by a regression in iptables 1.8.1:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912610
>
> This is now addressed in iptables. Please upgrade to iptables 1.8.2-2 and ufw
> should start working again. If not, please file a new bug.
>
> Thanks!
>
> --
> Jamie Strandboge | http://www.canonical.com
>
>
> ---------- Forwarded message ----------
> From: Aryan
> To: Debian Bug Tracking System
> Cc:
> Bcc:
> Date: Fri, 26 Oct 2018 21:23:54 +0100
> Subject: ufw is disabled on startup after the most recent update. also ufw
> enable returns "ERROR: could nkt load logging rules". ufw reload tells me
> that the firewall is inactive. if i run ufw status after the failed ufw
> command it does show that the firewall is active but ufw reload still fails
>
> Package: ufw
> Version: 0.35-6
> Severity: important
> Tags: a11y
>
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386, i686
>
> Kernel: Linux 4.19.0+ (SMP w/4 CPU cores)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages ufw depends on:
> ii  debconf [debconf-2.0]  1.5.69
> ii  iptables               1.8.1-2
> ii  lsb-base               9.20170808
> ii  python3                3.6.7-1
> ii  ucf                    3.0038
>
> ufw recommends no packages.
>
> Versions of packages ufw suggests:
> ii  rsyslog  8.38.0-1+b1
>
> -- Configuration Files:
> /etc/default/ufw changed:
> IPV6=yes
> DEFAULT_INPUT_POLICY="REJECT"
> DEFAULT_OUTPUT_POLICY="ACCEPT"
> DEFAULT_FORWARD_POLICY="DROP"
> DEFAULT_APPLICATION_POLICY="SKIP"
> MANAGE_BUILTINS=no
> IPT_SYSCTL=/etc/ufw/sysctl.conf
> IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
>
>
> -- debconf information:
>   ufw/allow_known_ports:
>   ufw/allow_custom_ports:
>   ufw/enable: true
> * ufw/existing_configuration:
Bug#912015:
The issue cannot be reproduced on -rc7 because the issue started after the 4.19-rc8 tag. Also, I just built the mainline kernel (4.20 at the time of speaking) and I can still reproduce this issue.
Bug#911986: ufw is disabled on startup after the most recent update. also ufw enable returns "ERROR: could nkt load logging rules". ufw reload tells me that the firewall is inactive. if i run ufw status after the failed ufw command it does show that the firewall is active but ufw reload still fails
Yep, iptables was updated a few hours after the last ufw update was released. Thanks for the quick response.

On Fri, 2 Nov 2018, 01:52 Jamie Strandboge wrote:

> On Fri, 02 Nov 2018, Anuprita Duggal wrote:
> >
> > == IPv6 ==
> ...
> > LOG: pass
> > hashlimit: pass
> > limit: pass
> ...
> > All tests passed
> > Suzu.memeYa@build ~ $
> > Suzu.memeYa@build ~ $ sudo ufw enable
> > Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
> > ERROR: Could not load logging rules
> > Suzu.memeYa@build ~ $
>
> Interesting. It appears something changed wrt iptables:
>
> $ sudo /sbin/iptables -L ufw-before-logging-input
> Chain ufw-before-logging-input (1 references)
> target     prot opt source               destination
>
> $ sudo /sbin/iptables -F ufw-before-logging-input
>
> $ sudo /sbin/iptables -Z ufw-before-logging-input
> iptables v1.8.1 (nf_tables): (null) failed (Operation not supported): chain ufw-before-logging-input
>
> The man page for iptables doesn't say anything about this change.
>
> Here is a simple reproducer:
>
> $ sudo iptables --version
> iptables v1.8.1 (nf_tables)
>
> $ sudo iptables -N foo
>
> $ sudo iptables -L foo
> Chain foo (0 references)
> target     prot opt source               destination
>
> $ sudo iptables -F foo
>
> $ sudo iptables -Z foo # REGRESSION
> iptables v1.8.1 (nf_tables): (null) failed (Operation not supported): chain foo
>
> $ sudo iptables -X foo
>
>
> That said, if I update ufw to use the *-legacy versions of iptables/ip6tables
> tools, then everything works like before. I will keep this bug open for the
> incompatibility. I'll file a new bug against iptables for the (possible)
> regression. As a temporary workaround, feel free to downgrade to iptables 1.6.
>
> With preliminary testing, it seems that ufw can work with the nf_tables variety
> of iptables/ip6tables except for this -Z issue.
>
> --
> Jamie Strandboge | http://www.canonical.com
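The reproducer above boils down to one question an administrator wants answered before trusting that ufw's logging rules loaded: which iptables backend is installed, and does zeroing the counters of a freshly created user chain succeed on it? The following POSIX shell script is an added example written for this page; it is not code from the bug thread, from ufw or from the iptables project. It classifies the backend from the `iptables --version` banner and replays the same `-N` / `-F` / `-Z` / `-X` sequence against a throwaway chain, mapping the outcome to a status code. The function names, the `zprobe-` chain prefix and the `--run` switch are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from the ufw/iptables projects.
# Two diagnostics for the failure discussed in the thread: identify which
# iptables backend is installed, and probe whether "-Z" on an empty user chain
# works. Under iptables 1.8.1 (nf_tables) that step failed, which is why
# "ufw enable" aborted with "Could not load logging rules".
# Function names, chain prefix and the --run switch are assumptions.

# iptables_backend BANNER
# Prints "nf_tables", "legacy" or "unknown" for a banner such as
# "iptables v1.8.1 (nf_tables)". 1.6.x banners carry no backend suffix.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# probe_zero_chain IPTABLES_CMD [CHAIN]
# Creates a throwaway user chain, flushes it, zeroes its counters and deletes
# it: the -N / -F / -Z / -X sequence from the reproducer.
# Exit status: 0 if every step works, 1 if -F or -Z is rejected (the 1.8.1
# regression), 2 if the chain cannot even be created (no privileges, tool
# missing). IPTABLES_CMD may be iptables, iptables-legacy, iptables-nft, ...
probe_zero_chain() {
    ipt="$1"
    chain="${2:-zprobe-$$}"
    rc=0
    "$ipt" -N "$chain" 2>/dev/null || return 2
    "$ipt" -F "$chain" 2>/dev/null || rc=1
    "$ipt" -Z "$chain" 2>/dev/null || rc=1
    # Always remove the probe chain, even when an earlier step failed.
    "$ipt" -X "$chain" 2>/dev/null || true
    return "$rc"
}

# report_backend IPTABLES_CMD
# Prints one line such as "iptables: backend=nf_tables zero_chain=broken".
report_backend() {
    ipt="$1"
    banner="$("$ipt" --version 2>/dev/null)" || banner=""
    backend="$(iptables_backend "$banner")"
    probe_zero_chain "$ipt" && rc=0 || rc=$?
    case "$rc" in
        0) probe=ok ;;
        1) probe=broken ;;
        *) probe=unavailable ;;
    esac
    echo "$ipt: backend=$backend zero_chain=$probe"
}

# Stand-alone use (as root): sh iptables-zprobe.sh --run
# Reports on every iptables flavour found in PATH so the nf_tables and legacy
# front ends can be compared side by side.
if [ "${1:-}" = "--run" ]; then
    for cmd in iptables iptables-legacy iptables-nft; do
        if command -v "$cmd" >/dev/null 2>&1; then
            report_backend "$cmd"
        fi
    done
fi
```

A `zero_chain=broken` line for `iptables` next to `zero_chain=ok` for `iptables-legacy` is the situation the thread describes, and the cue to upgrade iptables or point ufw at the legacy tools. Note that the `check-requirements` output posted in the thread reports "All tests passed" while `ufw enable` still failed: none of the checks it lists exercise `-Z`, so a passing requirements run does not by itself rule out this regression.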
Bug#911986: ufw is disabled on startup after the most recent update. also ufw enable returns "ERROR: could nkt load logging rules". ufw reload tells me that the firewall is inactive. if i run ufw status after the failed ufw command it does show that the firewall is active but ufw reload still fails
On Fri, 2 Nov 2018, 00:10 Anuprita Duggal wrote:

> Has python: pass (binary: python2.7, version: 2.7.15+, py2)
> Has iptables: pass
> Has ip6tables: pass
>
> Has /proc/net/dev: pass
> Has /proc/net/if_inet6: pass
>
> This script will now attempt to create various rules using the iptables
> and ip6tables commands. This may result in module autoloading (eg, for
> IPv6).
> Proceed with checks (Y/n)? y
> == IPv4 ==
> Creating 'ufw-check-requirements'... done
> Inserting RETURN at top of 'ufw-check-requirements'... done
> TCP: pass
> UDP: pass
> destination port: pass
> source port: pass
> ACCEPT: pass
> DROP: pass
> REJECT: pass
> LOG: pass
> hashlimit: pass
> limit: pass
> ctstate (NEW): pass
> ctstate (RELATED): pass
> ctstate (ESTABLISHED): pass
> ctstate (INVALID): pass
> ctstate (new, recent set): pass
> ctstate (new, recent update): pass
> ctstate (new, limit): pass
> interface (input): pass
> interface (output): pass
> multiport: pass
> comment: pass
> addrtype (LOCAL): pass
> addrtype (MULTICAST): pass
> addrtype (BROADCAST): pass
> icmp (destination-unreachable): pass
> icmp (source-quench): pass
> icmp (time-exceeded): pass
> icmp (parameter-problem): pass
> icmp (echo-request): pass
>
> == IPv6 ==
> Creating 'ufw-check-requirements6'... done
> Inserting RETURN at top of 'ufw-check-requirements6'... done
> TCP: pass
> UDP: pass
> destination port: pass
> source port: pass
> ACCEPT: pass
> DROP: pass
> REJECT: pass
> LOG: pass
> hashlimit: pass
> limit: pass
> ctstate (NEW): pass
> ctstate (RELATED): pass
> ctstate (ESTABLISHED): pass
> ctstate (INVALID): pass
> ctstate (new, recent set): pass
> ctstate (new, recent update): pass
> ctstate (new, limit): pass
> interface (input): pass
> interface (output): pass
> multiport: pass
> comment: pass
> icmpv6 (destination-unreachable): pass
> icmpv6 (packet-too-big): pass
> icmpv6 (time-exceeded): pass
> icmpv6 (parameter-problem): pass
> icmpv6 (echo-request): pass
> icmpv6 with hl (neighbor-solicitation): pass
> icmpv6 with hl (neighbor-advertisement): pass
> icmpv6 with hl (router-solicitation): pass
> icmpv6 with hl (router-advertisement): pass
> ipv6 rt: pass
>
> All tests passed
> Suzu.memeYa@build ~ $
> Suzu.memeYa@build ~ $ sudo ufw enable
> Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
> ERROR: Could not load logging rules
> Suzu.memeYa@build ~ $
>
> On Thu, 1 Nov 2018, 23:59 Jamie Strandboge wrote:
>
>> What is the output of:
>>
>> $ sudo /usr/share/ufw/check-requirements
>>
>> --
>> Jamie Strandboge | http://www.canonical.com
Bug#911986: ufw is disabled on startup after the most recent update. also ufw enable returns "ERROR: could nkt load logging rules". ufw reload tells me that the firewall is inactive. if i run ufw status after the failed ufw command it does show that the firewall is active but ufw reload still fails
Has python: pass (binary: python2.7, version: 2.7.15+, py2)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass
ipv6 rt: pass

All tests passed
Suzu.memeYa@build ~ $
Suzu.memeYa@build ~ $ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: Could not load logging rules
Suzu.memeYa@build ~ $

On Thu, 1 Nov 2018, 23:59 Jamie Strandboge wrote:

> What is the output of:
>
> $ sudo /usr/share/ufw/check-requirements
>
> --
> Jamie Strandboge | http://www.canonical.com