knockd can't load modules, e.g. ip6_tables
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| knockd (Debian) | Fix Released | Unknown | | |
| knockd (Ubuntu) | Fix Released | Medium | Dan Streetman | |
| Bionic | Fix Released | Medium | Dan Streetman | |
| Cosmic | Fix Released | Medium | Dan Streetman | |
| Disco | Fix Released | Medium | Dan Streetman | |
| Eoan | Fix Released | Medium | Dan Streetman | |
Bug Description

[impact]

knockd's systemd service restricts its capabilities, so it's unable to load modules needed for changing iptables rules, e.g. the ip6_tables module.

[test case]

Install knockd, edit /etc/default/knockd to enable it, and edit /etc/knockd.conf to create a test rule, e.g.:

```
[test]
    sequence = 5000,5001,5002
    seq_timeout = 5
    command = ufw allow proto tcp from any to any port 22
```

Make sure ip6_tables is not loaded on the test system.

From a separate system, perform the knocking (using the appropriate IP address):

```
$ knock -d 500 192.168.122.237 5000 5001 5002
```

Check the syslog:

```
Apr 23 10:50:36 lp1823051 knockd[3628]: ERROR: initcaps
Apr 23 10:50:36 lp1823051 knockd[3628]: [Errno 2] modprobe: ERROR: could not insert 'ip6_tables': Operation not permitted
```

[regression potential]

Low; any regressions would be around loading/unloading modules.
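The report only says that the service "restricts its capabilities"; the shell example below, added here and not part of the bug report or the knockd package, assumes that restriction is a systemd `CapabilityBoundingSet=` line and shows two checks a defender can run: whether a unit's bounding set still contains `CAP_SYS_MODULE` (which modprobe needs to insert ip6_tables), and how many modprobe failures attributed to knockd appear in a syslog excerpt. The unit text and the third log line are constructed samples; `unit_allows_modules`, `patched_unit` and `count_modprobe_failures` are names chosen for this example.

```shell
#!/bin/sh
# Added example for this bug, not code from the knockd package or the bug report.
# ASSUMPTION: the service's capability restriction is a CapabilityBoundingSet= line.
# The unit below is constructed for illustration and is not the real knockd.service.
SAMPLE_UNIT='[Unit]
Description=Port-Knock Daemon (constructed sample)

[Service]
ExecStart=/usr/sbin/knockd
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN'

# Constructed syslog excerpt: the two lines quoted in the bug plus one unrelated line.
SAMPLE_LOG="Apr 23 10:50:36 lp1823051 knockd[3628]: ERROR: initcaps
Apr 23 10:50:36 lp1823051 knockd[3628]: [Errno 2] modprobe: ERROR: could not insert 'ip6_tables': Operation not permitted
Apr 23 10:50:40 lp1823051 cron[3700]: (root) CMD (run-parts /etc/cron.hourly)"

# unit_allows_modules UNIT_TEXT
# Exit 0 when the unit leaves CAP_SYS_MODULE in the bounding set, 1 otherwise.
# Handles both forms systemd accepts: an allow-list ("CAP_A CAP_B") and a
# deny-list prefixed with "~" ("~CAP_A CAP_B"). No line at all means no restriction.
unit_allows_modules() {
    caps=$(printf '%s\n' "$1" | sed -n 's/^CapabilityBoundingSet=//p' | tr '\n' ' ')
    if [ -z "$caps" ]; then
        return 0
    fi
    case "$caps" in
        '~'*)
            # Deny-list: module loading survives unless CAP_SYS_MODULE is listed.
            case " ${caps#\~} " in
                *" CAP_SYS_MODULE "*) return 1 ;;
                *) return 0 ;;
            esac ;;
        *)
            # Allow-list: module loading needs CAP_SYS_MODULE to be present.
            case " $caps " in
                *" CAP_SYS_MODULE "*) return 0 ;;
                *) return 1 ;;
            esac ;;
    esac
}

# patched_unit UNIT_TEXT
# Prints the allow-list unit with an extra CapabilityBoundingSet=CAP_SYS_MODULE
# line, the way a drop-in under /etc/systemd/system/knockd.service.d/ would widen
# the set (systemd ORs repeated allow-list lines together, so appending is enough).
patched_unit() {
    printf '%s\nCapabilityBoundingSet=CAP_SYS_MODULE\n' "$1"
}

# count_modprobe_failures LOG_TEXT
# Prints how many lines show knockd's modprobe failing to insert a module.
count_modprobe_failures() {
    printf '%s\n' "$1" | grep -c 'knockd\[[0-9]*\]: .*modprobe: ERROR: could not insert' || true
}

# Stand-alone run: report on the constructed samples.
if unit_allows_modules "$SAMPLE_UNIT"; then
    echo "sample unit: module loading allowed"
else
    echo "sample unit: CAP_SYS_MODULE missing, modprobe from the service will fail"
fi
if unit_allows_modules "$(patched_unit "$SAMPLE_UNIT")"; then
    echo "patched unit: module loading allowed"
fi
echo "modprobe failures in log excerpt: $(count_modprobe_failures "$SAMPLE_LOG")"
```

On a real host the same check can be fed the output of `systemctl cat knockd.service`; the log check is a cheap signal that a hardened unit is blocking an iptables helper module, which is worth alerting on because the knock sequence then fires without the firewall rule ever being applied.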
| Changed in | Field | Change |
|---|---|---|
| knockd (Ubuntu Bionic) | status | New → In Progress |
| knockd (Ubuntu Cosmic) | status | New → In Progress |
| knockd (Ubuntu Disco) | status | New → In Progress |
| knockd (Ubuntu Eoan) | status | New → In Progress |
| knockd (Ubuntu Bionic) | importance | Undecided → Medium |
| knockd (Ubuntu Cosmic) | importance | Undecided → Medium |
| knockd (Ubuntu Disco) | importance | Undecided → Medium |
| knockd (Ubuntu Eoan) | importance | Undecided → Medium |
| knockd (Ubuntu Bionic) | assignee | nobody → Dan Streetman (ddstreet) |
| knockd (Ubuntu Cosmic) | assignee | nobody → Dan Streetman (ddstreet) |
| knockd (Ubuntu Disco) | assignee | nobody → Dan Streetman (ddstreet) |
| knockd (Ubuntu Eoan) | assignee | nobody → Dan Streetman (ddstreet) |
| knockd (Debian) | status | Unknown → New |
| knockd (Debian) | status | New → Fix Released |
Sponsored in 'Eoan'

Proposed patch LGTM.

I don't see any Debian bug against 'knockd'. Could you please make sure to forward the patch to Debian as well for future sync/merge.

- Eric