Some ICMPv6 packets rejected due to rule ordering

Bug #1509725 reported by Saikrishna Arcot on 2015-10-24
This bug report is a duplicate of:  Bug #1664133: ipv6 multicast pings don't return. Edit Remove
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ufw (Ubuntu)
Undecided
Unassigned

Bug Description

In the default before6.rules file, the following lines:

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP

are present before the ICMPv6 rules. The problem is that this also captures echo replies (but, somehow, allows echo requests) and some IPv6 routing announcements. If I try to ping ff02::1 to ping all devices on the local network, I only get a response from my own device.

Moving those three lines towards the end of the file (after all ICMP rules and before the COMMIT) fixes the issue.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: ufw 0.34-2
Uname: Linux 4.3.0-rc5arcot x86_64
ApportVersion: 2.19.1-0ubuntu3
Architecture: amd64
CurrentDesktop: KDE
Date: Sat Oct 24 18:07:40 2015
InstallationDate: Installed on 2012-10-19 (1099 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
PackageArchitecture: all
SourcePackage: ufw
UpgradeStatus: Upgraded to wily on 2015-02-28 (238 days ago)
mtime.conffile..etc.ufw.sysctl.conf: 2015-08-08T23:49:55.322401

Saikrishna Arcot (saiarcot895) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.36-1

---------------
ufw (0.36-1) unstable; urgency=medium

  * New upstream release (LP: #1782384, LP: #1664133, LP: #1509725,
    LP: #1695718, LP: #1719211, LP: #1775043, LP: #1204579, LP: #1652163,
    LP: #1377600, Closes: 686248, LP: #1368411, LP: #1586258, Closes: 909163,
    Closes: 884932, LP: #1558068)
    - drop 0002-bug849628.patch (included upstream)
    - drop 0003-use-default-tcp-syncookies.patch (included upstream)
    - drop 0004-lp1633698.patch (included upstream)
  * Remaining changes:
    - 0001-optimize-boot.patch
  * debian/ufw.maintscript: remove /etc/bash_completion.d/ufw on upgrade
    (LP: #1602834)
  * debian/control: remove no longer needed xs-python-version and
    x-python3-version fields
  * update debian/before6.rules.md5sum for file shipped in 0.35-6. While both
    before.rules and before6.rules were updated in this new upstream release,
    0.35-6 mistakenly already had its own md5sum for before.rules, so we don't
    need to add it now.

 -- Jamie Strandboge <email address hidden> Fri, 14 Dec 2018 17:50:47 +0000

Changed in ufw (Ubuntu):
status: New → Fix Released

An upload of ufw to cosmic-proposed has been rejected from the upload queue for the following reason: "All bugs mentioned in the .changes file (so therefore also in the new debian/changelog entries) need to comply with SRU standards (test-case, regression potential). Please re-upload after filling out the required info or modify changelog to exclude irrelevant bug numbers.".

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers