Snappy

iptable_filter and ip6table_filter do not auto load

Bug #1496419 reported by Jamie Strandboge on 2015-09-16
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Snappy
Fix Released
High
John Lenton
ubuntu-core-config (Ubuntu)
Fix Released
High
Oliver Grawert
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

If running a snap with custom confinement that is allowed to manipulate netfilter, iptable_filter and ip6table_filter are not loaded in the kernel and do not autoload (and we don't want to allow module loading for the snap). This can be tested by using 'iptables -L -n' or 'ip6tables -L -n' under confinement. Once they are loaded, other netfilter modules seem to autoload correctly. This bug could be solved in a number of ways:
- make sure iptable_filter and ip6table_filter are loaded on boot
- adjust iptable_filter and ip6table_filter to autoload
- adjust the documentation to require the new snappy config mechanism for loading iptable_filter and ip6tables_filter for a firewall snap

Related branches

lp:ubuntu/wily-proposed/ubuntu-core-config
lp:~chipaca/snappy/config-modules
Oliver Grawert: Approve on 2015-10-20
Michael Vogt: Approve on 2015-10-20
Diff: 444 lines (+296/-10)
2 files modified
coreconfig/config.go (+107/-6)
coreconfig/config_test.go (+189/-4)
Oliver Grawert (ogra) wrote :

seems to need /etc/modules-load.d dir in writable-paths in ubuntu-core-config

Oliver Grawert (ogra) on 2015-10-20
Changed in ubuntu-core-config (Ubuntu):
assignee: nobody → Oliver Grawert (ogra)
importance: Undecided → High
status: New → Confirmed
John Lenton (chipaca) on 2015-10-20
Changed in snappy:
status: New → In Progress
importance: Undecided → High
assignee: nobody → John Lenton (chipaca)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-config - 0.6.30

---------------
ubuntu-core-config (0.6.30) wily; urgency=medium

  * add /etc/modules-load.d to writable dirs (LP: #1496419)

 -- Oliver Grawert <email address hidden> Tue, 20 Oct 2015 13:47:06 +0200

Changed in ubuntu-core-config (Ubuntu):
status: Confirmed → Fix Released
Snappy Tarmac (snappydevtarmac) on 2015-10-20
Changed in snappy:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

This all works in r10 with the 'load-kernel-modules' option in 'snappy config ubuntu-core'. Eg, I used:
config:
  ubuntu-core:
    ...
    load-kernel-modules: [ iptable_filter, ip6table_filter ]
    ...

Thanks!

Changed in snappy:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers