On Mon, 10 Feb 2020, Ximin Luo wrote:
> Control: reassign -1 ufw
> Control: severity -1 grave # breaks security software
>
> ufw needs to be patched/updated to call iptables{,6}-legacy-{save,restore}.

Thank you for the bug report. This is not the correct path forward and this is an iptables bug: https://bugzilla.netfilter.org/show_bug.cgi?id=1400 which is a regression in upstream 1.8.4's iptables-restore parser. iptables is supposed to be command line and input compatible with iptables-legacy and ufw is not going to force the use of iptables-legacy and will instead honor the alternatives mechanism for how the system administrator configured the system (since you cannot reliably mix xtables (ie, -legacy) and nftables rulesets).

> In the meantime, iptables 1.8.3 is no longer in Debian, but the user can work
> around this by doing `sudo update-alternatives --config ip{,6}tables` and
> using the legacy commands accordingly.
>
> You might need to restart your computer as well. I tried restarting ufw and
> even running `iptables -F` and `-X` but my system was still entirely screwed
> (all internet blocked) even when iptables seemingly had no rules, and was
> only fixed after I restarted.

This is probably due to ordering. You would need to flush all the tables, then cut over to iptables-legacy, then use the firewall.

> X
>
> On Fri, 24 Jan 2020 12:53:08 +0100 Peje Nilsson <pej...@gmail.com> wrote:
> > Package: iptables
> > Version: 1.8.4-2
> > Severity: important
> >
> > Dear Maintainer,
> >
> > * What led up to the situation?
> > Upgraded iptables to latest unstable and then restarted ufw.
> >
> > root:~# iptables --version
> > iptables v1.8.4 (nf_tables)
> > root:~# ufw disable
> > Firewall stopped and disabled on system startup
> > root:~# ufw enable
> > ERROR: problem running ufw-init
> > iptables-restore: COMMIT expected at line 19
> > ip6tables-restore: COMMIT expected at line 19
> >
> > Problem running '/etc/ufw/user.rules'
> > Problem running '/etc/ufw/user6.rules'
> >
> > root:~# ping -n 8.8.8.8
> > PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> > ^C
> > --- 8.8.8.8 ping statistics ---
> > 9 packets transmitted, 0 received, 100% packet loss, time 8184ms
> >
> > root:~# ufw disable
> > Firewall stopped and disabled on system startup
> > root:~# ping -n 8.8.8.8
> > PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> > 64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=9.18 ms
> > 64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=9.01 ms
> > 64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=9.13 ms
> > ^C
> > --- 8.8.8.8 ping statistics ---
> > 3 packets transmitted, 3 received, 0% packet loss, time 2002ms
> > rtt min/avg/max/mdev = 9.013/9.105/9.177/0.068 ms
> >
> > Downgrading to iptables 1.8.3-2 makes things work again:
> >
> > root:~# iptables --version
> > iptables v1.8.3 (nf_tables)
> > root:~# ufw enable
> > Firewall is active and enabled on system startup
> > root:~# ping -n 8.8.8.8
> > PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> > 64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=9.00 ms
> > 64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=9.01 ms
> > ^C
> > --- 8.8.8.8 ping statistics ---
> > 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> > rtt min/avg/max/mdev = 8.999/9.002/9.006/0.003 ms
> >
> >
> > -- System Information:
> > Debian Release: bullseye/sid
> > APT prefers unstable
> > APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
>
> --
> GPG: ed25519/56034877E1F87C35
> GPG: rsa4096/1318EFAC5FBBDBCE
> https://github.com/infinity0/pubkeys.git

--
Jamie Strandboge | http://www.canonical.com
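The "COMMIT expected at line 19" message in the report is iptables-restore's parser objecting to the `*table` / `COMMIT` structure of the file it was handed; in this thread the rules were fine and the 1.8.4 nf_tables parser was at fault, but when the same message appears an administrator still wants two quick facts before deciding whether to switch alternatives: which backend the installed binary announces, and whether the ruleset is structurally sound on its own terms. The script below is an added example, not code from the thread, ufw or iptables. It parses the `iptables --version` line and lints a ruleset in iptables-save format (tables, `:CHAIN POLICY [pkts:bytes]` declarations, `-A`/`-I` rules, `COMMIT`), reporting 1-based line numbers the way iptables-restore does. The rules text and version strings are constructed to resemble ufw's user.rules; the missing COMMIT in the second sample is deliberate.

```python
"""Lint an iptables-save style ruleset and read the backend from
`iptables --version` output.

Added example for the ufw / iptables 1.8.4 thread; not part of ufw or
iptables. Sample inputs below are constructed, not copied from a system.
"""
import re

# e.g. 'iptables v1.8.4 (nf_tables)' or 'ip6tables v1.8.4 (legacy)'
VERSION_RE = re.compile(r"^ip6?tables v(\S+) \((nf_tables|legacy)\)")
# ':CHAIN POLICY [packets:bytes]' as written by iptables-save
CHAIN_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|-) \[\d+:\d+\]$")


def backend_from_version(line):
    """Return (version, backend) for one `iptables --version` output line."""
    m = VERSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    return m.group(1), m.group(2)


def lint_ruleset(text):
    """Check table/chain/rule/COMMIT structure of save-format rules.

    Returns a list of (line_number, message); empty means structurally sound.
    Only the save-format subset (*table, :chain, -A/-I, COMMIT, comments)
    is understood; anything else is reported rather than guessed at.
    """
    problems = []
    table = None      # table currently open, or None between blocks
    chains = set()    # chains declared in the open table
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and ufw's '### RULES ###' style markers
        if line.startswith("*"):
            if table is not None:
                problems.append((lineno, f"COMMIT expected at line {lineno} "
                                         f"(table '{table}' still open)"))
            table, chains = line[1:], set()
        elif line == "COMMIT":
            if table is None:
                problems.append((lineno, "COMMIT without an open table"))
            table, chains = None, set()
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if table is None or not m:
                problems.append((lineno, f"malformed or misplaced chain "
                                         f"declaration: {line}"))
            else:
                chains.add(m.group(1))
        elif line.startswith(("-A ", "-I ")):
            if table is None:
                problems.append((lineno, f"rule outside any table: {line}"))
            elif line.split()[1] not in chains:
                problems.append((lineno, f"rule uses undeclared chain "
                                         f"'{line.split()[1]}'"))
        else:
            problems.append((lineno, f"unrecognised line: {line}"))
    if table is not None:
        eof = len(lines) + 1
        problems.append((eof, f"COMMIT expected at line {eof} "
                              f"(end of file, table '{table}' still open)"))
    return problems


# Constructed sample resembling a ufw user.rules filter block (well-formed).
GOOD_RULES = """\
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
### RULES ###
### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
### END RULES ###
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
-A ufw-user-forward -j RETURN
COMMIT
"""

# Constructed sample with the filter table never committed before *nat.
BAD_RULES = """\
*filter
:ufw-user-input - [0:0]
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    print(backend_from_version("iptables v1.8.4 (nf_tables)"))
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        for lineno, msg in lint_ruleset(rules) or [(None, "ok")]:
            print(f"{name}: line {lineno}: {msg}")
```

A clean lint result combined with the error still appearing points at the parser rather than the file, which is the situation in this thread; the authoritative check remains running the system's own `iptables-restore --test` against the file under each alternative. Reading the backend from `iptables --version` is also the quickest way to confirm, after `update-alternatives --config iptables`, that the cutover actually took effect before the tables are flushed and the firewall re-enabled in the order Jamie describes.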