ufw needs hooks to execute commands pre/post firewall startup/shutdown

Bug #1075975 reported by Robert Lange on 2012-11-07

Bug Description

Some commands related to iptables must be executed in conjunction with starting/stopping a firewall in order for the correct operation of the firewall. UFW currently does not provide the ability to run those commands without hacking its source code.

My specific use case: I must deploy machines to my customer, on which I must block certain countries' IP ranges. The most efficient method of doing this is to use the ipset utilities. I can insert ipset-matching firewall rules via iptables commands in the /etc/ufw/before.rules script. However, this will fail if I do not first execute ipset commands to define the respective ipsets.

My current workaround choices are:

1) Write a separate init script to define ipsets and configure it to execute before ufw. I don't like this option because user error could cause this script to not execute first, and then ufw would not start properly.

2) Hack ufw init scripts (/lib/ufw/ufw-init-functions) to make the necessary calls before actually starting the firewall. This is the option I went with. However, I don't like it, because now I must maintain a forked version of ufw and make sure that it is preferred over the official version.

My proposal:

Implement 4 hook shell script files that are called by UFW's init scripts pre-start, post-start, pre-stop, and post-stop. These should be stored in /etc/ufw/ and marked as config files so that they are not overwritten on ufw upgrade. They should default to being empty scripts, and sysadmins could then choose to populate them with whatever commands are necessary for their individual deployments.

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: ufw 0.33-0ubuntu2
ProcVersionSignature: Ubuntu 3.5.0-17.28-generic 3.5.5
Uname: Linux 3.5.0-17-generic x86_64
ApportVersion: 2.6.1-0ubuntu6
Architecture: amd64
Date: Wed Nov 7 09:13:03 2012
InstallationDate: Installed on 2011-08-29 (435 days ago)
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
MarkForUpload: True
PackageArchitecture: all
SourcePackage: ufw
UpgradeStatus: Upgraded to quantal on 2012-10-22 (15 days ago)

Jamie Strandboge (jdstrand) wrote :

Thank you for filing a bug. I think this is an interesting request and would be generally useful.

Changed in ufw (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

This is committed in r807 of trunk. The implementation is slightly different than what was suggested, but achieves the same result. If /etc/ufw/before.init and /etc/ufw/after.init exist and are executable, ufw-init will call them at appropriate times with one of the following arguments: start, stop, status, and flush-all.

In Ubuntu, before.init and after.init will be shipped with 0640 permissions and as config files, not as conffiles. This way administrators will be free to modify these files without dpkg prompts on upgrades.

Changed in ufw:
status: New → Fix Committed
importance: Undecided → Wishlist
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu):
status: Triaged → In Progress
Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
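The comment above describes the hook interface that was implemented. What follows is an added example of one such hook written for the ipset use case in this report; it is not code shipped by ufw. The set name blocked-nets, the blocklist path /etc/ufw/blocked-nets.txt and the before.rules line it refers to are assumptions for illustration.

```shell
#!/bin/sh
# Added example of a ufw init hook; not code from ufw or from this bug report.
# ufw-init runs /etc/ufw/before.init before and /etc/ufw/after.init after it
# acts, passing one of: start, stop, status, flush-all. Install this script
# under both names: as before.init it defines the "blocked-nets" ipset so a
# before.rules line like "-A ufw-before-input -m set --match-set blocked-nets
# src -j DROP" can load; as after.init it destroys the set only once ufw has
# removed the rules that use it (ipset refuses to destroy a set in use).
set -eu

SET_NAME="blocked-nets"                             # assumed; must match before.rules
BLOCKLIST="${BLOCKLIST:-/etc/ufw/blocked-nets.txt}" # assumed path; one CIDR per line
IPSET="${IPSET:-ipset}"                             # assumed ipset binary on PATH

# Create the set if missing and reload its members from BLOCKLIST; prints the count.
load_set() {
    n=0
    "$IPSET" -exist create "$SET_NAME" hash:net
    "$IPSET" flush "$SET_NAME"                      # drop entries removed from the file
    while IFS= read -r line || [ -n "$line" ]; do   # also reads a last line w/o newline
        cidr=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')  # strip comments, blanks
        [ -n "$cidr" ] || continue
        "$IPSET" -exist add "$SET_NAME" "$cidr"
        n=$((n + 1))
    done < "$BLOCKLIST"
    echo "$n"
}

# hook ROLE ACTION: ROLE is before|after, ACTION is what ufw-init passed in $1.
hook() {
    case "$1:$2" in
        before:start)  n=$(load_set); echo "loaded $n nets into $SET_NAME" ;;
        before:status) "$IPSET" list "$SET_NAME" -terse ;;
        after:stop|after:flush-all)
            "$IPSET" destroy "$SET_NAME" && echo "destroyed $SET_NAME" ;;
        before:stop|before:flush-all|after:start|after:status)
            echo "nothing to do for $1 $2" ;;
        *) echo "usage: $0 {start|stop|status|flush-all}" >&2; return 1 ;;
    esac
}

# ufw-init always passes an action; with none, only define the functions above.
if [ $# -gt 0 ]; then
    case "$(basename "$0")" in
        before.init) hook before "$1" ;;
        after.init)  hook after "$1" ;;
        *) echo "install this script as /etc/ufw/before.init or after.init" >&2; exit 1 ;;
    esac
fi
```

A failing hook exits non-zero, which is the behaviour you want here: if the set cannot be built, the before.rules line that matches on it cannot load either, so the problem surfaces at start rather than as a silently missing block.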
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.34~rc-0ubuntu1

ufw (0.34~rc-0ubuntu1) trusty; urgency=medium

  * New upstream pre-release (LP: #1059060, #1065297, #1062521, #1101304,
    LP: #1075975, #1089262, #262421)
  * Dropped the following patches now included upstream:
    - 0002-lp1044361.patch
    - 0003-fix-typeerror-on-error.patch
    - 0004-lp1039729.patch
    - 0005-lp1191197.patch
  * Remaining changes:
    - 0001-optimize-boot.patch: only read in /etc/ufw/ufw.conf when disabled
  * debian/before[6].rules.md5sum: adjusted for new release
  * debian/control: update Standards-Version to 3.9.5
  * debian/rules:
    - only ship /usr/share/ufw/iptables/*rules and not /usr/share/ufw/
    - *.init files should also be config files
  * debian/ufw.links: added to make symlinks from /usr/share/ufw/iptables/*
    to /usr/share/ufw/ (so ucf is happy on upgrades)
  * debian/ufw.postinst:
    - use TEMPLATE_PATH/iptables/*rules instead of TEMPLATE_PATH/*rules (not
      strictly required since we are using dh_link, but makes the intent
    - copy /usr/share/ufw/*.init in to /etc/ufw
 -- Jamie Strandboge <email address hidden> Thu, 20 Feb 2014 09:23:54 -0600

Changed in ufw (Ubuntu):
status: In Progress → Fix Released
Changed in ufw:
milestone: none → 0.34
Changed in ufw:
status: Fix Committed → Fix Released