Add LIMIT rule for ipv6

Bug #951462 reported by Guilhem Lettron on 2012-03-10
This bug affects 7 people
Affects          Status                    Importance  Assigned to       Milestone
ufw              Status tracked in Trunk
  0.31                                     Wishlist    Jamie Strandboge
  Trunk                                    Wishlist    Jamie Strandboge
ufw (Ubuntu)                               Wishlist    Jamie Strandboge
  Quantal                                  Wishlist    Jamie Strandboge

Bug Description

For the moment, if we add a LIMIT rule for IPv6, it results in:
# ufw limit openssh
Skipping unsupported IPv6 'limit' rule

I think this rule exists in ip6tables, or at least it must add an "ALLOW" rule (I think).

Jamie Strandboge (jdstrand) wrote :

limit was not always supported with IPv6. It seems to be now, so ufw should use it when it is supported by iptables.

Changed in ufw (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
Patrick Fasano (kc9jud) wrote :

Any idea what the best way is to check if IPv6 LIMIT is supported?

Changed in ufw:
status: New → Triaged
importance: Undecided → Wishlist
Jamie Strandboge (jdstrand) wrote :

What should happen is at the time of the check, ufw should:
1. add a test chain that isn't referenced by anything: ip6tables -N ufw6-test
2. Add test rules to the test chain:
ip6tables -A ufw6-test -m state --state NEW -m recent --set
ip6tables -A ufw6-test -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT
3. Clean up the test chain
ip6tables -F ufw6-test
ip6tables -X ufw6-test

If the test rules load in step 2, then we have the support we need for limit to work.

Jamie Strandboge (jdstrand) wrote :

Actually, it isn't quite that simple. We need to do the above, but the code needs to be adjusted to handle it as there are several places the code avoids ufw6 chains when dealing with limit rules.

Jamie Strandboge (jdstrand) wrote :

Having a way to get the capabilities set of the running system is something that has been needed for a long time. This is now implemented in trunk in ufw.util.get_netfilter_capabilities(). This will be used by the backend to query the caps on invocation, and then later to check the caps when setting up the limit rules.

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
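
The probe from the three-step list above (test chain, two 'recent' rules, cleanup), written out as an added Python example that is not ufw's own code and is not the ufw.util.get_netfilter_capabilities() implementation the later comment refers to. It assumes an ip6tables binary on PATH, root privileges, and the throw-away chain name ufw6-test from the comment. The one thing it adds beyond the steps is to keep "the rules were rejected" (False) apart from "the probe could not run" (None), so a missing binary, a non-root caller or a stale test chain is not misreported as lack of limit support:

```python
"""Probe whether the running ip6tables/netfilter accepts the 'recent' match
rules that a ufw LIMIT rule needs, using a chain nothing references.
Hypothetical helper for illustration; ufw's real check lives in
ufw.util.get_netfilter_capabilities()."""
import shutil
import subprocess

# The two rules from the bug comment; if both load, limit will work.
LIMIT_TEST_RULES = [
    ["-m", "state", "--state", "NEW", "-m", "recent", "--set"],
    ["-m", "state", "--state", "NEW", "-m", "recent", "--update",
     "--seconds", "30", "--hitcount", "6", "-j", "ACCEPT"],
]


def _run(cmd):
    """Run cmd and return (returncode, stderr text); never raises."""
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.PIPE, check=False)
    except OSError as exc:          # binary missing or not executable
        return 127, str(exc)
    return proc.returncode, proc.stderr.decode("utf-8", "replace")


def ip6tables_supports_limit(ip6tables="ip6tables", chain="ufw6-test"):
    """Return True if the limit rules load, False if ip6tables rejects
    them, and None if the probe itself could not run (no binary, EPERM,
    chain already present).  Callers must not treat None as 'unsupported'."""
    if shutil.which(ip6tables) is None:
        return None
    # Step 1: a test chain that no built-in chain jumps to, so loading
    # rules into it cannot affect live traffic.
    rc, _err = _run([ip6tables, "-N", chain])
    if rc != 0:
        return None     # not root, xtables lock held, or stale test chain
    try:
        # Step 2: append the rules; a missing match extension makes
        # ip6tables exit non-zero here rather than at chain creation.
        for rule in LIMIT_TEST_RULES:
            rc, _err = _run([ip6tables, "-A", chain] + rule)
            if rc != 0:
                return False
        return True
    finally:
        # Step 3: always flush and delete the chain, even if a rule failed.
        _run([ip6tables, "-F", chain])
        _run([ip6tables, "-X", chain])


if __name__ == "__main__":
    verdict = {True: "IPv6 limit supported",
               False: "IPv6 limit unsupported by this ip6tables/kernel",
               None: "could not probe (need root and ip6tables on PATH)"}
    print(verdict[ip6tables_supports_limit()])
```

Run it as root; an unprivileged run prints the "could not probe" line rather than a false negative. The shape matches the follow-up comment's design: call the probe once when the backend starts, store the answer, and consult it when a limit rule is about to be written to a ufw6 chain, instead of re-running ip6tables for every rule.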
Jamie Strandboge (jdstrand) wrote :

The branch I just added has preliminary support. I need to add test cases, etc to it and this will be fixed in the next release of ufw. I'd like to see this in Ubuntu 12.04 too, so I will probably also create a new 0.31.2 with this functionality.

Changed in ufw (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Wishlist
Jamie Strandboge (jdstrand) wrote :

Adding rls-q-notfixing tag so it doesn't show up on the list. I do hope to fix it in 12.10 in my spare time, but not at the expense of other work.

tags: added: rls-q-notfixing
Patrick Fasano (kc9jud) wrote :

Okay, so it's not as simple as simply checking the version of ip6tables or of the netfilter module... gotcha. :-)

As a side note, getting this pushed back into 12.04 would be greatly appreciated -- I (and I assume many other people) would prefer to keep our servers on an LTS release.

Jamie Strandboge (jdstrand) wrote :

This is now implemented in trunk, with test cases.

Jamie Strandboge (jdstrand) wrote :

Backported to 0.31.

Changed in ufw (Ubuntu Precise):
milestone: none → precise-updates
Jamie Strandboge (jdstrand) wrote :

Upstream 0.31.2 is now released.

Changed in ufw (Ubuntu Precise):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Quantal):
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

This is now fixed in trunk and ufw 0.33.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.33-0ubuntu1

---------------
ufw (0.33-0ubuntu1) quantal; urgency=low

  * New upstream release. Fixes the following bugs:
    - also use correct ports for DHCPv6. Thanks to Marco Davids (LP: #1007326)
    - add IPv6 limit support (LP: #951462)
    - add zh_TW translation (LP: #868195)
    - add 'show added' report (LP: #987784)
    - remove ACCEPT_NO_TRACK option since it never worked (LP: #787955)
  * debian/(after|before)6.rules.md5sum: adjust for recently missed shipped
    configurations
 -- Jamie Strandboge <email address hidden> Fri, 17 Aug 2012 14:32:01 -0500

Changed in ufw (Ubuntu Quantal):
status: Triaged → Fix Released
Pali (pali) wrote :

Can you backport this ipv6 limit support for ubuntu precise?

no longer affects: ufw (Ubuntu Precise)