kernel config does not support ufw firewall
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
touch-preview-images | Fix Released | Undecided | Unassigned |
linux-grouper (Ubuntu) | Fix Released | Medium | Tim Gardner |
linux-maguro (Ubuntu) | Fix Released | Undecided | Tim Gardner |
linux-mako (Ubuntu) | Fix Released | Medium | Tim Gardner |
linux-manta (Ubuntu) | Fix Released | Undecided | Tim Gardner |
ufw (Ubuntu) | Fix Released | Medium | Jamie Strandboge |
Bug Description
The phablet image kernels (tested on Nexus 4 and Nexus 7) don't have enough netfilter options enabled to use ufw. ufw is the default firewall in Ubuntu and the indicator-network will have firewall support for the converged device if not sooner. ufw has a tool to test if the necessary kernel config is set up -- can we get our phablet kernel config to pass these tests? (Note: tests that are 'FAIL (no runtime support)' don't strictly have to be enabled, though it would be nice.)
To test:
$ sudo apt-get install ufw
$ sudo /usr/share/
Has python: pass (binary: python2.7, version: 2.7.5+, py2)
Has iptables: pass
Has ip6tables: pass
Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass
This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? y
== IPv4 ==
Creating 'ufw-check-
Inserting RETURN at top of 'ufw-check-
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: FAIL
hashlimit: pass
limit: pass
state (NEW): pass
state (RELATED): pass
state (ESTABLISHED): pass
state (INVALID): pass
state (new, recent set): FAIL (no runtime support)
state (new, recent update): FAIL (no runtime support)
state (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): FAIL
addrtype (MULTICAST): FAIL
addrtype (BROADCAST): FAIL
icmp (destination-
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-
icmp (echo-request): pass
== IPv6 ==
Creating 'ufw-check-
Inserting RETURN at top of 'ufw-check-
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: FAIL
hashlimit: pass
limit: pass
state (NEW): pass
state (RELATED): pass
state (ESTABLISHED): pass
state (INVALID): pass
state (new, recent set): FAIL (no runtime support)
state (new, recent update): FAIL (no runtime support)
state (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-
icmpv6 with hl (neighbor-
icmpv6 with hl (router-
icmpv6 with hl (router-
FAIL: check your kernel and that you have iptables >= 1.4.0
FAIL: check your kernel and iptables for additional runtime support
In addition to the above, I noticed these IPv6 rules also fail (I need to add a check to check-requirements for that):
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP
I added tasks for the linux-nexus4 and linux-nexus7 kernels. Not sure what other kernels should be added, if any.
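An added example, not part of the original bug report or of ufw: a small parser that splits the requirements-check output quoted above into plain `FAIL` results and `FAIL (no runtime support)` results, which the report says do not strictly have to be enabled. The names `classify`, `kernel_ready` and `SAMPLE` are assumptions made for this example, and the sample input is abridged from the output quoted in the report.

```python
import re

# A result line is "<check>: pass", "<check>: FAIL" or
# "<check>: FAIL (no runtime support)"; "== IPv4 ==" opens a section.
RESULT = re.compile(
    r"^(?P<check>.+?): (?P<result>pass|FAIL)(?: \((?P<note>no runtime support)\))?$")
SECTION = re.compile(r"^== (?P<family>IPv[46]) ==$")

def classify(output):
    """Return {family: {"passed": n, "required": [...], "optional": [...]}}."""
    report, family = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            family = section.group("family")
            report[family] = {"passed": 0, "required": [], "optional": []}
            continue
        result = RESULT.match(line)
        if family is None or not result:
            continue  # prerequisite checks, prompts, summary lines
        if result.group("result") == "pass":
            report[family]["passed"] += 1
        elif result.group("note"):
            report[family]["optional"].append(result.group("check"))
        else:
            report[family]["required"].append(result.group("check"))
    return report

def kernel_ready(report):
    """True when no address family has a plain FAIL."""
    return bool(report) and not any(r["required"] for r in report.values())

# Abridged from the output quoted in the report above.
SAMPLE = """\
Has iptables: pass
== IPv4 ==
TCP: pass
LOG: FAIL
state (new, recent set): FAIL (no runtime support)
addrtype (LOCAL): FAIL
== IPv6 ==
TCP: pass
LOG: FAIL
state (new, recent update): FAIL (no runtime support)
FAIL: check your kernel and that you have iptables >= 1.4.0
"""

if __name__ == "__main__":
    for family, r in classify(SAMPLE).items():
        print(family, "must fix:", r["required"], "nice to have:", r["optional"])
    print("kernel ready for ufw:", kernel_ready(classify(SAMPLE)))
```
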
description: | updated |
tags: | added: bot-stop-nagging |
description: | updated |
Changed in ufw (Ubuntu): | |
status: | In Progress → Fix Committed |
description: | updated |
Changed in ufw (Ubuntu): | |
importance: | Undecided → Medium |
Changed in linux-nexus7 (Ubuntu): | |
importance: | Undecided → Medium |
Changed in linux-nexus4 (Ubuntu): | |
importance: | Undecided → Medium |
tags: | added: nexus4-kernel nexus7-kernel |
tags: | added: kernel-da-key |
Changed in touch-preview-images: | |
status: | New → Confirmed |
Changed in linux-nexus4 (Ubuntu): | |
status: | New → Confirmed |
Changed in linux-nexus7 (Ubuntu): | |
status: | New → Confirmed |
affects: | linux-nexus4 (Ubuntu) → linux-mako (Ubuntu) |
Changed in linux-mako (Ubuntu): | |
assignee: | nobody → Tim Gardner (timg-tpi) |
status: | Confirmed → In Progress |
affects: | linux-nexus7 (Ubuntu) → linux-grouper (Ubuntu) |
Changed in linux-grouper (Ubuntu): | |
assignee: | nobody → Tim Gardner (timg-tpi) |
status: | Confirmed → In Progress |
Changed in linux-maguro (Ubuntu): | |
assignee: | nobody → Tim Gardner (timg-tpi) |
status: | New → In Progress |
Changed in linux-manta (Ubuntu): | |
assignee: | nobody → Tim Gardner (timg-tpi) |
status: | New → In Progress |
Added a ufw task to add a check for -m rt --rt-type 0