ufw

please insert instead of appending before-logging targets

Bug #1121817 reported by Tomas Pospisek
This bug affects 1 person
Affects: ufw | Status: Won't Fix | Importance: Undecided | Assigned to: Unassigned | Milestone: (none set)

Bug Description

Resumé:

because the "before-logging" targets are being *appended* to the rules, they miss logging any packets that were ACCEPTED by a previous rule.

Detailed problem case:

We're running ufw together with libvirt under Debian. This is certainly problematic in itself, since any such combination is suffering from the inherent non-composability of iptables commands.
However that combination does work for whatever reason, except for the logging.

Since libvirt gets to insert its own rules first and ufw only after those, ufw's rules get visited only after libvirt's have been seen. That means if libvirt's rules ACCEPT a packet for delivery, f.ex. to be forwarded to a virbr0 bridge, then any of ufw's rules, and in particular ufw's "before-logging" rules, will not see the packet.

Analysis:

If there were a rationale to only log "ufw's packets", that behaviour would be OK. However, that policy doesn't seem to make sense: why would the user only want to see "ufw's packets" as opposed to seeing *all* packets entering the system?

Proposed solution:

Since logging rules are passive rules - that is they don't affect other rules in any way - I propose to *insert* the "before-logging" target rules at the beginning of the chains instead of appending them. That is:

# diff -u /lib/ufw/ufw-init-functions{.orig,}
--- /lib/ufw/ufw-init-functions.orig 2013-02-11 09:12:40.000000000 +0100
+++ /lib/ufw/ufw-init-functions 2013-02-11 09:17:49.000000000 +0100
@@ -209,21 +209,21 @@
 ":ufw${type}-track-input - [0:0]\n"\
 ":ufw${type}-track-output - [0:0]\n"\
 "\n"\
-"-A INPUT -j ufw${type}-before-logging-input\n"\
+"-I INPUT -j ufw${type}-before-logging-input\n"\
 "-A INPUT -j ufw${type}-before-input\n"\
 "-A INPUT -j ufw${type}-after-input\n"\
 "-A INPUT -j ufw${type}-after-logging-input\n"\
 "-A INPUT -j ufw${type}-reject-input\n"\
 "-A INPUT -j ufw${type}-track-input\n"\
 "\n"\
-"-A OUTPUT -j ufw${type}-before-logging-output\n"\
+"-I OUTPUT -j ufw${type}-before-logging-output\n"\
 "-A OUTPUT -j ufw${type}-before-output\n"\
 "-A OUTPUT -j ufw${type}-after-output\n"\
 "-A OUTPUT -j ufw${type}-after-logging-output\n"\
 "-A OUTPUT -j ufw${type}-reject-output\n"\
 "-A OUTPUT -j ufw${type}-track-output\n"\
 "\n"\
-"-A FORWARD -j ufw${type}-before-logging-forward\n"\
+"-I FORWARD -j ufw${type}-before-logging-forward\n"\
 "-A FORWARD -j ufw${type}-before-forward\n"\
 "-A FORWARD -j ufw${type}-after-forward\n"\
 "-A FORWARD -j ufw${type}-after-logging-forward\n"\
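Review bot: the three `-A` to `-I` changes only achieve the stated goal if libvirt's ACCEPT rules are already in INPUT/OUTPUT/FORWARD when this string is loaded, because `-I` with no rule number inserts at position 1 of the chain as it exists at that moment; if ufw starts before libvirt, libvirt's later rules still land above the logging jumps and the problem in the description is unchanged, so the report should state that startup-order dependency. The `:ufw${type}-track-input - [0:0]` declarations above the hunk show this block is fed to iptables-restore, which replaces the table's existing contents unless run with `--noflush`; it is worth confirming which mode ufw uses here, since under a full flush libvirt's rules would not be present at load time and `-A` versus `-I` would make no difference. The remaining `-A` jumps keep their relative order, so nothing else in the chain sequence changes.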

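The ordering effect described in the report, modelled as a tiny first-match chain evaluator. This is an added example, not code from ufw or from the reporter; it assumes a constructed libvirt rule that ACCEPTs traffic leaving via virbr0 in FORWARD, a constructed before-logging chain that LOGs every packet it sees (the real ufw chain is selective), a DROP chain policy, and two constructed packets. The names `Ruleset`, `build` and `logged_count` are the example's own.

```python
"""Toy first-match model of iptables chain traversal.

Added example (not ufw's code): shows why a "before-logging" jump that is
appended (-A) after an ACCEPT rule never sees the accepted packets, while an
inserted (-I) jump sees them without changing any verdict. All rules and
packets are constructed for the model.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = dict  # e.g. {"out": "virbr0", "dst": "10.0.0.5"}


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str  # ACCEPT, DROP, REJECT, LOG, RETURN or a user-chain name


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    log: List[Tuple[str, str]] = field(default_factory=list)

    def chain(self, name: str) -> List[Rule]:
        return self.chains.setdefault(name, [])

    def append(self, chain: str, rule: Rule) -> None:
        """iptables -A: the rule goes to the end of the chain."""
        self.chain(chain).append(rule)

    def insert(self, chain: str, rule: Rule, pos: int = 1) -> None:
        """iptables -I: the rule goes in at position pos (1 = top), default 1."""
        self.chain(chain).insert(pos - 1, rule)

    def traverse(self, chain: str, pkt: Packet) -> Optional[str]:
        """Walk a chain first-match; return a terminating verdict or None."""
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            if rule.target == "LOG":          # non-terminating target
                self.log.append((chain, pkt["dst"]))
                continue
            if rule.target == "RETURN":
                return None
            if rule.target in ("ACCEPT", "DROP", "REJECT"):
                return rule.target
            verdict = self.traverse(rule.target, pkt)  # jump to a user chain
            if verdict is not None:
                return verdict
        return None

    def run(self, chain: str, pkt: Packet, policy: str = "DROP") -> str:
        verdict = self.traverse(chain, pkt)
        return verdict if verdict is not None else policy


def build(insert_logging: bool) -> Ruleset:
    """Constructed ruleset: libvirt's rule is loaded first, then ufw's jumps."""
    rs = Ruleset()
    # libvirt (constructed): -A FORWARD -o virbr0 -j ACCEPT
    rs.append("FORWARD", Rule(lambda p: p["out"] == "virbr0", "ACCEPT"))
    # ufw before-logging chain (constructed): log every packet it sees
    rs.append("ufw-before-logging-forward", Rule(lambda p: True, "LOG"))
    jump = Rule(lambda p: True, "ufw-before-logging-forward")
    if insert_logging:
        rs.insert("FORWARD", jump)   # the proposed -I
    else:
        rs.append("FORWARD", jump)   # the current -A
    rs.append("FORWARD", Rule(lambda p: True, "ufw-before-forward"))
    rs.chain("ufw-before-forward")   # empty in this model
    return rs


def logged_count(insert_logging: bool) -> Tuple[int, List[str]]:
    """Return (number of packets logged, verdicts) for two constructed packets."""
    rs = build(insert_logging)
    pkts = [{"out": "virbr0", "dst": "10.0.0.5"},     # accepted by libvirt's rule
            {"out": "eth0", "dst": "198.51.100.7"}]   # reaches ufw's chains
    verdicts = [rs.run("FORWARD", p) for p in pkts]
    return len(rs.log), verdicts


if __name__ == "__main__":
    print("appended:", logged_count(False))   # (1, ['ACCEPT', 'DROP'])
    print("inserted:", logged_count(True))    # (2, ['ACCEPT', 'DROP'])
```

With the jump appended, the packet that libvirt ACCEPTs never reaches the logging chain; with it inserted at position 1, both packets are logged and the verdicts are identical in both runs, which is the "passive rule" property the proposal relies on. The model also makes the startup-order dependency visible: `insert` only lands above libvirt's rule because that rule was loaded first.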
Tomas Pospisek (tpo-deb) wrote :
summary: - please insert instead of appending logging targets
+ please insert instead of appending before-logging targets
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting a bug.

"because the "before-logging" targets are being *appended* to the rules, they miss logging any packets that were ACCEPTED by a previous rule."

This is the intended design for default logging and if you want more logging, you're free to edit /etc/ufw/before.rules as desired.

Changed in ufw:
status: New → Won't Fix