ufw fails when connection tracking is not available
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ufw (Ubuntu) | Fix Released | Medium | Jamie Strandboge | |
Bug Description
Binary package hint: ufw
Some virtual server providers do not supply netfilter connection tracking as part of their kernel. Sometimes the kernels are monolithic as well. The contents of /proc/net/ are:
$ ls -l /proc/net
total 0
-r--r--r-- 1 root root 0 Oct 27 15:51 anycast6
-r--r--r-- 1 root root 0 Oct 27 15:51 arp
-r--r--r-- 1 root root 0 Oct 27 15:51 dev
-r--r--r-- 1 root root 0 Oct 27 15:51 dev_mcast
dr-xr-xr-x 2 root root 0 Oct 27 15:51 dev_snmp6
-r--r--r-- 1 root root 0 Oct 27 15:51 if_inet6
-r--r--r-- 1 root root 0 Oct 27 15:51 igmp
-r--r--r-- 1 root root 0 Oct 27 15:51 igmp6
-r--r----- 1 root root 0 Oct 27 15:51 ip_conntrack
-r--r----- 1 root root 0 Oct 27 15:51 ip_conntrack_expect
-r--r----- 1 root root 0 Oct 27 15:51 ip_tables_matches
-r--r----- 1 root root 0 Oct 27 15:51 ip_tables_names
-r--r----- 1 root root 0 Oct 27 15:51 ip_tables_targets
-r--r--r-- 1 root root 0 Oct 27 15:51 ipv6_route
-r--r--r-- 1 root root 0 Oct 27 15:51 mcfilter
-r--r--r-- 1 root root 0 Oct 27 15:51 mcfilter6
-r--r--r-- 1 root root 0 Oct 27 15:51 netstat
-r--r--r-- 1 root root 0 Oct 27 15:51 packet
-r--r--r-- 1 root root 0 Oct 27 15:51 raw
-r--r--r-- 1 root root 0 Oct 27 15:51 raw6
-r--r--r-- 1 root root 0 Oct 27 15:51 route
-r--r--r-- 1 root root 0 Oct 27 15:51 rt_cache
-r--r--r-- 1 root root 0 Oct 27 15:51 snmp
-r--r--r-- 1 root root 0 Oct 27 15:51 snmp6
-r--r--r-- 1 root root 0 Oct 27 15:51 sockstat
dr-xr-xr-x 2 root root 0 Oct 27 15:51 stat
-r--r--r-- 1 root root 0 Oct 27 15:51 tcp
-r--r--r-- 1 root root 0 Oct 27 15:51 tcp6
-r--r--r-- 1 root root 0 Oct 27 15:51 udp
-r--r--r-- 1 root root 0 Oct 27 15:51 udp6
-r--r--r-- 1 root root 0 Oct 27 15:51 unix
nf_conntrack is not listed, but should be. ufw should check for this and give a helpful error message.
Changed in ufw:
assignee: nobody → jdstrand
importance: Undecided → Medium
status: New → Triaged

Changed in ufw:
status: Triaged → Fix Committed
This is the command that failed (with the ufw-before-input chain confirmed to exist):
# iptables -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name
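The reporter's listing shows that the kernel has an old-style ip_conntrack file yet the rule above still fails, because what ufw's rule actually needs is the xtables 'conntrack' match, and /proc/net/ip_tables_matches (also present in that listing) is where the kernel reports which matches are registered. The following pre-flight check is an added example written for this page, not ufw's own fix or code from the ufw project: it looks the match up in a /proc/net-style directory passed as its first argument (so it can be exercised against constructed directories), tries a modprobe of xt_conntrack on modular kernels, and otherwise prints the kind of helpful error the report asks for instead of iptables' generic message. The function names, the `ensure_conntrack_match`/`conntrack_match_registered` helpers and the optional second argument (a substitute for modprobe, used by tests) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not ufw's own code: check for the iptables 'conntrack'
# match before loading stateful rules such as
#   iptables -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Usage: ./conntrack-check.sh [PROCNET_DIR] [MODPROBE_CMD]
#   PROCNET_DIR  defaults to /proc/net (a constructed directory works for tests)
#   MODPROBE_CMD defaults to modprobe (pass ':' to skip module loading)

# conntrack_match_registered PROCNET
# Returns 0 when the kernel lists 'conntrack' among its registered
# IPv4 xtables matches, 1 otherwise (including when the file is absent).
conntrack_match_registered() {
    grep -qx 'conntrack' "$1/ip_tables_matches" 2>/dev/null
}

# ensure_conntrack_match [PROCNET] [MODPROBE_CMD]
# Returns 0 when stateful rules can be loaded; otherwise explains why on
# stderr and returns 1. Never touches the firewall itself.
ensure_conntrack_match() {
    procnet="${1:-/proc/net}"
    modprobe_cmd="${2:-modprobe}"

    if conntrack_match_registered "$procnet"; then
        return 0
    fi

    # On a modular kernel the match is registered only once xt_conntrack
    # is loaded, so try that (needs root; failure is tolerated here).
    "$modprobe_cmd" xt_conntrack >/dev/null 2>&1 || true
    if conntrack_match_registered "$procnet"; then
        return 0
    fi

    # Monolithic kernel without the match, or modprobe not possible:
    # report what the kernel does offer so the user can see the gap.
    cat >&2 <<EOF
ERROR: the iptables 'conntrack' match is not available in this kernel.
Registered matches ($procnet/ip_tables_matches):
$(sed 's/^/  /' "$procnet/ip_tables_matches" 2>/dev/null || echo "  (file not present)")
Rules using '-m conntrack --ctstate ...' cannot be loaded. Ask the
hosting provider for a kernel with nf_conntrack/xt_conntrack support,
or install the xt_conntrack module if the kernel is modular.
EOF
    return 1
}

# Run the check when invoked directly as a script named conntrack-check.sh.
case "$0" in
    *conntrack-check.sh) ensure_conntrack_match "$@" ;;
esac
```

Running `sudo ./conntrack-check.sh` on the reporter's system would print the registered-match list (without 'conntrack') and exit 1, which is the point at which ufw could stop and explain the problem rather than fail midway through loading its chains.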