Rule insertion fails if ruleset is empty
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw | Fix Released | Medium | Jamie Strandboge |
Bug Description
I am setting up a server with a cloud host, where their firewall is responsible for port blocking. Therefore I am setting ufw+fail2ban up for IP blocking only. Before enabling ufw I set the default policy to allow and cleared the default rules.
To integrate with ufw, fail2ban performs commands in the form of "ufw insert 1 deny from [ipaddress] to any". However, this command will ALWAYS fail if there are no existing rules, with the error of "Invalid position '1'". The cause appears to be the ruleset being empty. Adding any rule, even a dummy "accept all from any" allows this to function properly. If this is intended behaviour then the documentation should be updated to note that inserting a numbered rule into an empty ruleset is specifically invalid. Otherwise it seems like a bug to me.
user@persephone:~# ufw version
ufw 0.35
Copyright 2008-2015 Canonical Ltd.
user@persephone:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
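A workaround for the failure described in the report above, as an added example that is not part of the original bug report and not code from ufw or fail2ban: a wrapper that appends the deny rule when `ufw status numbered` lists no rules and uses `insert 1` otherwise. The function names and the `UFW` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: ban wrapper for ufw versions that reject "insert 1" on an
# empty ruleset. UFW (hypothetical override) names the ufw binary to call.

# Count the numbered rules in `ufw status numbered` output read from stdin.
# Rule lines start with an index such as "[ 1]" or "[12]".
count_ufw_rules() {
    grep -Ec '^\[ *[0-9]+\]' || true   # grep -c exits 1 on zero matches
}

# Print the ufw arguments that place a deny rule for $1 ahead of all
# existing rules, given the current rule count in $2.
ban_args() {
    if [ "$2" -eq 0 ]; then
        # Empty ruleset: "insert 1" fails with "Invalid position '1'" on
        # affected versions. An appended rule becomes rule 1 anyway.
        printf 'deny from %s to any\n' "$1"
    else
        printf 'insert 1 deny from %s to any\n' "$1"
    fi
}

# Ban one address. Rejects anything that is not made of address characters,
# since the value comes from log parsing and ends up on a command line.
ban_ip() {
    ip=$1
    case $ip in
        ''|*[!0-9A-Fa-f.:/]*)
            echo "ban_ip: refusing suspicious address: $ip" >&2
            return 2
            ;;
    esac
    rules=$(${UFW:-ufw} status numbered | count_ufw_rules)
    # Word splitting of the argument string is intended here.
    # shellcheck disable=SC2046
    ${UFW:-ufw} $(ban_args "$ip" "$rules")
}

# Usage from a fail2ban action or by hand (needs root):
#   ban_ip 203.0.113.7
```

On a ufw version that carries the fix, the wrapper is harmless: the append branch is simply taken whenever the ruleset is empty.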
Changed in ufw:
importance: Undecided → Medium
So I couldn't sleep. This patch should solve the problem by bypassing the checks that cause it. Because of the way the rulesets get rebuilt anyway I can't see this causing any problems down the road, but you never know.
I looked at writing a test but couldn't quite figure out how to do it. I did install the modified version into a prefix and test the following possible bug-trigger.
$ PYTHONPATH=$PYTHONPATH:/tmp/ufw/lib/python /tmp/ufw/usr/sbin/ufw insert 1 allow from any to any
and it functioned correctly. The backend changes seem the least invasive way to solve the problem, but I'm not entirely happy with the frontend changes; they may benefit from a more experienced tweak.