[SRU] ufw adds rules to chains when --dry-run is specified

Bug #247352 reported by Jamie Strandboge
Affects      | Status       | Importance | Assigned to      | Milestone
ufw (Ubuntu) | Fix Released | Undecided  | Jamie Strandboge |
Hardy        | Fix Released | Undecided  | Jamie Strandboge |

Bug Description

Binary package hint: ufw

When testing rules with '--dry-run', ufw will add the rule to the running firewall (but not its rules files in /var/lib/ufw). E.g.:

$ sudo ufw status
Firewall loaded
$ sudo ufw --dry-run allow http
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
### RULES ###

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### END RULES ###
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
-A ufw-user-forward -j RETURN
COMMIT
Rule added
$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
80:tcp ALLOW Anywhere

This is problematic because 'delete' doesn't work anymore (however, disabling/enabling the firewall or forcing a reload removes the rule).

This fix is simple, and will be uploaded to -proposed soon:
=== modified file 'src/ufw'
--- src/ufw 2008-05-10 12:28:11 +0000
+++ src/ufw 2008-07-09 19:25:18 +0000
@@ -1220,7 +1220,7 @@
             rstr = "Rules updated (v6)"

         # Operate on the chains
- if self._is_enabled():
+ if self._is_enabled() and not self.dryrun:
             flag = ""
             if modified:
                 # Reload the chain
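
Review bot: on the changed `if self._is_enabled() and not self.dryrun:` line, the guard covers only the chain operations; `rstr` is already assigned above it (for example "Rules updated (v6)"), so a dry run may still report an update even though the running firewall is left alone. Consider returning a message that says nothing was applied when `self.dryrun` is set, and extend the "# Operate on the chains" comment to note that dry runs skip this block. A regression test that runs a rule with --dry-run and checks that the chains are unchanged would also fit this change.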

Changed in ufw:
assignee: nobody → jdstrand
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

SRU Request

Impact: rules are added when explicitly not intended to be. Requires reloading the firewall to flush the mistakenly added rule out.

Bug is trivially fixed by checking for the dryrun status before operating on the chains.

TEST CASE:
1. Enable the firewall:
$ sudo ufw enable

2. Check status of firewall (should have no rules):
$ sudo ufw status
Firewall loaded

3. Perform a dry-run:
$ sudo ufw --dry-run allow http
...
Rule added

4. Check status of firewall (should have no rules, but does in 0.16.2.1):
$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
80:tcp ALLOW Anywhere

After applying the debdiff (package in -proposed), step '4' shows no rules were added.

Regression potential: it is believed there is no regression potential
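
The TEST CASE above as a scripted regression check, added here as an example and not part of the bug report or of ufw: it snapshots `ufw status` before and after a `--dry-run` and fails if the two differ. `check_dry_run`, `UFW_CMD`, `fake_ufw`, `FAKE_STATE` and `FAKE_BUGGY` are names invented for this example, and `fake_ufw` is a constructed stand-in so the check can run without touching a real firewall.

```sh
#!/bin/sh
# Added example. UFW_CMD is an assumption: the command to invoke, so the check
# can target "sudo ufw" on a test host or the offline stand-in below.
UFW_CMD=${UFW_CMD:-"sudo ufw"}

# check_dry_run RULE...
# Returns 0 if "ufw --dry-run RULE..." leaves the "ufw status" output unchanged,
# 1 if the running firewall changed (the behaviour reported in this bug),
# 2 if ufw itself could not be run.
check_dry_run() {
    cdr_before=$($UFW_CMD status) || return 2
    $UFW_CMD --dry-run "$@" >/dev/null || return 2
    cdr_after=$($UFW_CMD status) || return 2
    if [ "$cdr_before" = "$cdr_after" ]; then
        return 0
    fi
    {
        echo "dry-run changed the running firewall"
        echo "--- status before ---"; echo "$cdr_before"
        echo "--- status after ---";  echo "$cdr_after"
    } >&2
    return 1
}

# Constructed stand-in for ufw so the check runs offline. The "running
# firewall" is the file named by FAKE_STATE. FAKE_BUGGY=1 mimics the behaviour
# in this report (a dry run still changes the running state); any other value
# mimics the fixed behaviour.
fake_ufw() {
    case "$1" in
        status)
            echo "Firewall loaded"
            cat "$FAKE_STATE" ;;
        --dry-run)
            if [ "$FAKE_BUGGY" = "1" ]; then
                echo "80:tcp ALLOW Anywhere" >> "$FAKE_STATE"
            fi
            echo "Rule added" ;;
    esac
}
```

On a test host with the firewall enabled, run `check_dry_run allow http`; offline, set `UFW_CMD=fake_ufw` and point `FAKE_STATE` at an empty temporary file first.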

Changed in ufw:
status: Triaged → Fix Committed
assignee: jdstrand → ubuntu-sru
status: Triaged → New
assignee: ubuntu-sru → jdstrand
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.18.1

---------------
ufw (0.18.1) intrepid; urgency=low

  * src/ufw: don't modify the chains when --dry-run is specified. Fixes
    LP: #247352
  * bump version

 -- Jamie Strandboge <email address hidden> Mon, 07 Jul 2008 16:26:08 -0400

Changed in ufw:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in ufw:
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Using the above test case fixed the bug. Additionally, I tested adding and deleting rules with and without --dry-run enabled and it works as expected.

Martin Pitt (pitti) wrote :

Copied to hardy-updates.

Changed in ufw:
status: Fix Committed → Fix Released