reassign 915627 iptables
tags 915627 +confirmed
thanks

Your kernel is too old. I.e., I cannot reproduce this with the current 4.19 kernel:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux buster/sid
Release:        unstable
Codename:       sid
$ cat /proc/version
Linux version 4.19.0-1-amd64 (debian-ker...@lists.debian.org) (gcc version 8.2.0 (Debian 8.2.0-13)) #1 SMP Debian 4.19.12-1 (2018-12-22)
$ sudo iptables --version
iptables v1.8.2 (nf_tables)
$ sudo apt-get install ufw
...
The following NEW packages will be installed:
  ufw
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 164 kB of archives.
After this operation, 852 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian sid/main amd64 ufw all 0.36-1 [164 kB]
...
$ sudo /usr/share/ufw/check-requirements
Has python: pass (binary: python2.7, version: 2.7.15+, py2)
Has iptables: pass
Has ip6tables: pass
Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).

Proceed with checks (Y/n)? y
== IPv4 ==
...
== IPv6 ==
Creating 'ufw-check-requirements6'... done
...
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass
ipv6 rt: pass

All tests passed

All ufw is doing in check-requirements is:

# ip6tables -N ufw-check-requirements6
# ip6tables -I ufw-check-requirements6 -j RETURN
# ip6tables -A ufw-check-requirements6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT

Which all succeed here. However, your kernel is 4.15.0-2, which corresponds to:
http://snapshot.debian.org/package/linux/4.15.11-1/

This kernel is more than 9 months old and I recommend you upgrade it for security fixes alone.
For testing this bug, I installed it and rebooted:

$ cat /proc/version
Linux version 4.15.0-2-amd64 (debian-ker...@lists.debian.org) (gcc version 7.3.0 (Debian 7.3.0-12)) #1 SMP Debian 4.15.11-1 (2018-03-20)

and indeed, the tests fail like you see. Reduced test case:

$ sudo ip6tables -N ufw-check-requirements6
$ sudo ip6tables -I ufw-check-requirements6 -j RETURN
$ sudo ip6tables -A ufw-check-requirements6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables v1.8.2 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.

If I use Arturo's test case, ip6tables-nft fails on this kernel as well:

$ sudo ip6tables-nft -A FORWARD -i eth0 -p icmpv6 -m icmpv6 --icmpv6-type no-route
ip6tables v1.8.2 (nf_tables): Couldn't load match `icmp6':No such file or directory
Try `ip6tables -h' or 'ip6tables --help' for more information.
$ sudo ip6tables-legacy -A FORWARD -i eth0 -p icmpv6 -m icmpv6 --icmpv6-type no-route
$

This is not a bug in ufw. Please upgrade your kernel and this will start to work. This may be considered a bug in iptables, so reassigning to there for now. Seems either iptables 1.8 has kernel version requirements that need to be expressed in iptables' Debian packaging, or iptables nft needs to be updated to work with older kernels.

-- 
Jamie Strandboge | http://www.canonical.com
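As an added example (not part of this bug report, of ufw, or of iptables): a small POSIX shell script that performs the same three-command probe as ufw's check-requirements in a throwaway chain, removes the chain again, classifies the two failure strings quoted above, and compares the running kernel against a minimum version. The chain name, the choice of 4.19 as the minimum, and the `--run` switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report, ufw or iptables: probe whether the
# ip6tables backend on this host can build the ICMPv6 rule that ufw's
# check-requirements needs, in a throwaway chain, and report what went wrong.

# Extract the backend name from `ip6tables --version` output, e.g.
# "ip6tables v1.8.2 (nf_tables)" -> nf_tables.
ip6tables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Map ip6tables' stderr text to the two symptoms quoted in the report.
classify_failure() {
    case "$1" in
        "")                                    echo ok ;;
        *'unknown option "--icmpv6-type"'*)    echo missing-icmpv6-option ;;
        *"Couldn't load match \`icmp6'"*)      echo missing-icmp6-match ;;
        *)                                     echo other ;;
    esac
}

# Keep only the numeric part of a kernel release string: 4.15.0-2-amd64 -> 4.15.0
kernel_number() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*//'
}

# Return 0 if dotted version $1 is at least dotted version $2 (up to three fields,
# missing fields count as 0).
kernel_at_least() {
    have=$1; want=$2
    for i in 1 2 3; do
        h=${have%%.*}; w=${want%%.*}
        case $have in *.*) have=${have#*.} ;; *) have=0 ;; esac
        case $want in *.*) want=${want#*.} ;; *) want=0 ;; esac
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
    done
    return 0
}

# Run ufw's three check-requirements commands against a private chain, then
# remove the chain. Prints the classification; needs root and ip6tables.
probe_icmpv6_rule() {
    chain="probe-icmpv6-$$"        # assumed chain name, deleted before returning
    ip6tables -N "$chain" 2>/dev/null || { echo cannot-create-chain; return 2; }
    ip6tables -I "$chain" -j RETURN
    # Capture stderr only; this is the command that fails on the 4.15 kernel.
    err=$(ip6tables -A "$chain" -p icmpv6 --icmpv6-type destination-unreachable \
            -j ACCEPT 2>&1 >/dev/null) && rc=0 || rc=$?
    ip6tables -F "$chain" && ip6tables -X "$chain"
    classify_failure "$err"
    return $rc
}

# Only touch the firewall when invoked as `sh probe.sh --run`, so the file can
# be sourced for its functions without side effects.
if [ "${1:-}" = "--run" ]; then
    backend=$(ip6tables_backend "$(ip6tables --version 2>&1)")
    kver=$(kernel_number "$(uname -r)")
    echo "backend: $backend, kernel: $kver"
    # 4.19 is the version the report says works; assumed minimum for this probe.
    kernel_at_least "$kver" 4.19 ||
        echo "kernel older than 4.19: expect nf_tables ICMPv6 rules to fail"
    echo "icmpv6 rule probe: $(probe_icmpv6_rule)"
fi
```

The probe uses its own chain name so a failed or interrupted run never leaves rules in ufw's chains, and the error text is captured from stderr only, which is where ip6tables prints the "unknown option" and "Couldn't load match" messages shown above.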