ufw crashed with Perhaps ip6tables or your kernel needs to be upgraded. in get_netfilter_capabilities() when using ipv6.disable=1

Bug #1039729 reported by marcobra (Marco Braida)
This bug affects 3 people
Affects          Status         Importance   Assigned to        Milestone
ufw              Fix Released   Medium       Jamie Strandboge
ufw (Ubuntu)     Fix Released   Medium       Jamie Strandboge
  Quantal        Fix Released   Medium       Jamie Strandboge
  Raring         Fix Released   Medium       Jamie Strandboge

Bug Description

ufw is unusable on systems without ipv6 support because ufw traces back when trying to run ip6tables to determine what capabilities the system has. Currently ufw will run ip6tables unconditionally which can fail when the system is booted with ipv6.disable=1 or when iptables is compiled without ipv6 support. The proposed fix (which is available in the devel release) adjusts initcaps() in backend.py to only run get_netfilter_capabilities() on ip6tables when IPV6=yes in /etc/default/ufw (the default in Ubuntu). See http://bazaar.launchpad.net/~jdstrand/ufw/trunk/revision/803.

[Test Case #1]
1. Add ipv6.disable=1 to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.
2. Reboot
3. Adjust /etc/default/ufw to have "IPV6=no"
4. Run 'sudo ufw disable ; sudo ufw enable'
5. Run 'sudo ufw disable ; sudo ufw app update all'

Steps 4 and 5 will traceback without this SRU.

[Test Case #2]
1. mv /sbin/ip6tables /sbin/ip6tables.bak
2. Adjust /etc/default/ufw to have "IPV6=no"
3. Run 'sudo ufw disable ; sudo ufw enable'
4. Run 'sudo ufw disable ; sudo ufw app update all'

Steps 3 and 4 will traceback without this SRU.

(Test Case #1 is the important test for Ubuntu and why this bug needs the SRU)

[Regression Potential]
The regression potential is considered low because the patch is simple/easy to understand and the default behavior will not change for users. ufw, iptables and the Ubuntu kernel ship with IPV6 support enabled. Ufw also has a significant testsuite and a test script in QRT for Ubuntu integration (which will include test case #2 (test case #1 is not easily automatable)).

Previous Description:
Description: Ubuntu quantal (development branch)
Release: 12.10
Codename: quantal

ufw:
  Installato: 0.33-0ubuntu1
  Candidato: 0.33-0ubuntu1
  Tabella versione:
 *** 0.33-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ quantal/main i386 Packages
        100 /var/lib/dpkg/status

I'm not using or starting ufw... I have a customized script to load iptables rules on this system...

ProblemType: Crash
DistroRelease: Ubuntu 12.10
Package: ufw 0.33-0ubuntu1
ProcVersionSignature: Ubuntu 3.5.0-11.11-generic 3.5.2
Uname: Linux 3.5.0-11-generic i686
ApportVersion: 2.4-0ubuntu8
Architecture: i386
Date: Tue Aug 21 20:02:32 2012
ExecutablePath: /usr/sbin/ufw
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Release Candidate i386 (20100419.1)
InterpreterPath: /usr/bin/python3.2mu
PackageArchitecture: all
ProcCmdline: /usr/bin/python3 /usr/sbin/ufw app update all
PythonArgs: ['/usr/sbin/ufw', 'app', 'update', 'all']
SourcePackage: ufw
Title: ufw crashed with Perhaps ip6tables or your kernel needs to be upgraded. in get_netfilter_capabilities()
UpgradeStatus: Upgraded to quantal on 2012-08-15 (6 days ago)
UserGroups:

marcobra (Marco Braida) (marcobra) wrote :
tags: removed: need-duplicate-check
Changed in ufw (Ubuntu):
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

People have also commented in bug #194844 and bug #1069097 that they are encountering this problem.

information type: Private → Public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ufw (Ubuntu):
status: New → Confirmed
Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → quantal-updates
status: Confirmed → Triaged
Jamie Strandboge (jdstrand) wrote :

This should be fixed in 0.33-0ubuntu2 (already in quantal-updates) and looks to be a duplicate of bug #1044361. Please re-open if this is in error.

Changed in ufw (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
milestone: quantal-updates → none
status: Triaged → Confirmed
Sławomir Nizio (snizio) wrote :

It's not fixed for me. :(
ufw 0.33 -r800, kernel with ipv6.disable=1, ipv6 disabled in /etc/default/ufw, iptables has ipv6 support, ip6tables exists

# ufw deny out to a.b.c.d
ERROR: initcaps
[Errno 2] ip6tables v1.4.16.3: can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.

Jamie Strandboge (jdstrand) wrote :

Thanks, I can reproduce now.

Changed in ufw (Ubuntu):
status: Confirmed → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
summary: ufw crashed with Perhaps ip6tables or your kernel needs to be upgraded.
- in get_netfilter_capabilities()
+ in get_netfilter_capabilities() when using ipv6.disable=1
Changed in ufw (Ubuntu Quantal):
importance: Undecided → Medium
Changed in ufw:
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Quantal):
status: New → Triaged
Changed in ufw:
status: New → In Progress
Changed in ufw (Ubuntu Quantal):
milestone: none → quantal-updates
Changed in ufw:
status: In Progress → Fix Committed
description: updated
Changed in ufw (Ubuntu Quantal):
assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
Changed in ufw (Ubuntu Raring):
status: Triaged → In Progress
Changed in ufw (Ubuntu Quantal):
status: Triaged → In Progress
Sławomir Nizio (snizio) wrote :

Indeed fixed - awesome. Just a note: I don't know if it's a problem or not, but on kernels working this way, rules like 'ufw deny out 1234' skip adding the rule for IPv6 (IPV6=yes) silently.

Jamie Strandboge (jdstrand) wrote :

0.33-0ubuntu3 uploaded to raring-proposed.

Changed in ufw (Ubuntu Raring):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.33-0ubuntu3

---------------
ufw (0.33-0ubuntu3) raring-proposed; urgency=low

  * debian/patches/0004-lp1039729.patch: Skip get_netfilter_capabilities()
    with ipv6 if ipv6 is disabled (LP: #1039729)
  * debian/watch: use https instead of http
 -- Jamie Strandboge <email address hidden> Tue, 04 Dec 2012 07:56:34 -0600

Changed in ufw (Ubuntu Raring):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

S. Nizio - I'm not sure I understand-- if people disable IPv6 in their kernel they should also adjust IPV6 to 'no' in /etc/default/ufw. If you feel the behavior is a bug, can you create a new bug and describe the exact steps to reproduce? Thanks.

Jamie Strandboge (jdstrand) wrote :

Uploaded 0.33-0ubuntu2.1 to quantal-proposed and subscribing ubuntu-sru.

Sławomir Nizio (snizio) wrote :

> if people disable IPv6 in their kernel they should also adjust IPV6 to 'no' in /etc/default/ufw
Yes, that's what they should do. But if for some reason they didn't, I would expect a warning. (I don't recall if old ufw shows one or not.) However it doesn't really bug me; if you feel it's something that should be fixed, I can open a new bug so it's not lost, and otherwise we can forget it for now.
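
Added example, not part of the original report or of ufw's own code: a small Python check for the mismatch discussed in the comments above, where the kernel is booted with ipv6.disable=1 (or ip6tables is missing) while /etc/default/ufw still has IPV6=yes. The function names and warning texts are assumptions made for this illustration.

```python
#!/usr/bin/env python3
"""Added example: flag hosts where ufw's IPV6 setting disagrees with the system."""
import re
import shutil

# Matches an uncommented shell assignment such as IPV6=no or IPV6="yes".
IPV6_RE = re.compile(r'^\s*IPV6=["\']?(\w+)["\']?\s*(?:#.*)?$')


def parse_ufw_ipv6(defaults_text):
    """Return the last IPV6= value ('yes'/'no') in lower case, or None."""
    value = None
    for line in defaults_text.splitlines():
        match = IPV6_RE.match(line)
        if match:
            value = match.group(1).lower()
    return value


def kernel_ipv6_disabled(cmdline):
    """True when the kernel command line carries ipv6.disable=1."""
    return "ipv6.disable=1" in cmdline.split()


def audit(defaults_text, cmdline, ip6tables_path):
    """Return a list of warning strings; an empty list means consistent."""
    warnings = []
    setting = parse_ufw_ipv6(defaults_text)
    if setting is None:
        warnings.append("no IPV6= line found in ufw defaults")
    elif setting == "yes":
        if kernel_ipv6_disabled(cmdline):
            warnings.append("IPV6=yes but kernel booted with ipv6.disable=1; "
                            "set IPV6=no in /etc/default/ufw")
        if ip6tables_path is None:
            warnings.append("IPV6=yes but ip6tables is not on PATH")
    return warnings


if __name__ == "__main__":
    with open("/etc/default/ufw") as fh:
        defaults = fh.read()
    with open("/proc/cmdline") as fh:
        boot_args = fh.read()
    for warning in audit(defaults, boot_args, shutil.which("ip6tables")):
        print("WARNING:", warning)
```
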

Jamie Strandboge (jdstrand) wrote :

Uploaded to quantal-proposed, waiting for ubuntu-sru to accept it.

Changed in ufw (Ubuntu Quantal):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote : Please test proposed package

Hello marcobra, or anyone else affected,

Accepted ufw into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/ufw/0.33-0ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
marcobra (Marco Braida) (marcobra) wrote :

apt-cache policy ufw
ufw:
  Installato: 0.33-0ubuntu2.1
  Candidato: 0.33-0ubuntu2.1
  Tabella versione:
 *** 0.33-0ubuntu2.1 0
        500 http://archive.ubuntu.com/ubuntu/ quantal-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     0.33-0ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ quantal/main i386 Packages

lsb_release -crd
Description: Ubuntu 12.10
Release: 12.10
Codename: quantal

Seems fixed...

Jamie Strandboge (jdstrand) wrote :

I also verified the test cases. Based on Marco's feedback and my testing, marking 'verification-done'

tags: added: verification-done
removed: verification-needed
Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.33-0ubuntu2.1

---------------
ufw (0.33-0ubuntu2.1) quantal-proposed; urgency=low

  * debian/patches/0004-lp1039729.patch: Skip get_netfilter_capabilities()
    with ipv6 if ipv6 is disabled (LP: #1039729)
 -- Jamie Strandboge <email address hidden> Tue, 04 Dec 2012 09:28:20 -0600

Changed in ufw (Ubuntu Quantal):
status: Fix Committed → Fix Released
Changed in ufw:
status: Fix Committed → Fix Released