ufw

"delete" should accept multiple parameters

Bug #1859151 reported by Benjamin Flesch
Affects: ufw
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned

Bug Description

TLDR: ufw delete should accept more than one "NUM" parameter to improve UX.

Long:
When using ipv6, each ufw use such as "ufw allow https" creates two distinct firewall rules, one for ipv4 and one for ipv6.

When the user wants to remove a firewall rule set this way, he/she needs to call "ufw status numbered" and then delete both rules, one by one. Example output of "ufw status numbered":

-----------------------------------------------------------------
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
-----------------------------------------------------------------

If the user wants to get rid of the HTTP rule, two commands need to be run: "ufw delete 2" and "ufw delete 5".

But after a successful run of "ufw delete 2", the whole output of "ufw status numbered" changes:

-----------------------------------------------------------------
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
-----------------------------------------------------------------

... and now "ufw delete 5" will delete the IPv6 HTTPS (443) rule instead of the IPv6 HTTP (80) rule - which might not be intended by the user. Ooops!

In my eyes this is a UX problem insofar as it's very easy for the user to accidentally remove the wrong rules.

As UFW aims to improve firewall UX, I propose that we add a way to allow the user to remove both rules at the same time, such as:

"ufw delete 2 5"

This would streamline the UX, because:
- no second call to "ufw status numbered" is needed for the user
- the chance of operator errors is reduced
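The renumbering hazard the report describes can be avoided today by deleting the numbers from a single "ufw status numbered" listing in descending order, so that each deletion only shifts rules above the ones still to be removed. The following wrapper is an added example written for this page; it is not part of the bug report and not ufw's own code. It assumes the rule list shown in the report (constructed inline as SAMPLE_RULES, rule text only, one rule per line) and places --force before the delete subcommand, which is the position the later comments in this thread found ufw accepts.

```shell
#!/bin/sh
# Added example, not part of ufw or of the bug report.
# Deleting numbered ufw rules one at a time renumbers the remaining rules,
# so several numbers taken from one "ufw status numbered" listing must be
# deleted from the highest number downwards.

# Constructed sample rule list mirroring the report's first listing:
# line N of this variable is rule number N.
SAMPLE_RULES='22/tcp LIMIT IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (v6) LIMIT IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)'

# Print the given rule numbers in descending numeric order, one per line,
# dropping duplicates.
delete_order() {
    printf '%s\n' "$@" | sort -rnu
}

# Delete several numbered rules safely, highest number first.
# UFW defaults to the real binary; it can be pointed at a stub function
# for offline testing (hypothetical knob, not a ufw feature).
ufw_delete_many() {
    for n in $(delete_order "$@"); do
        ${UFW:-ufw} --force delete "$n" || return 1
    done
}

# Simulate sequential "ufw delete N" against a rule list, applying the
# deletions in exactly the order given, and print the rule text that each
# deletion actually removes. This reproduces the mistake in the report.
rules_removed_by() {
    rules=$1
    shift
    for n in "$@"; do
        printf '%s\n' "$rules" | awk -v del="$n" 'NR == del'
        rules=$(printf '%s\n' "$rules" | awk -v del="$n" 'NR != del')
    done
}
```

Running rules_removed_by "$SAMPLE_RULES" 2 5 shows the ascending order removing 80/tcp and then the IPv6 443/tcp rule, while rules_removed_by "$SAMPLE_RULES" 5 2 removes both HTTP rules as intended; ufw_delete_many 2 5 issues the commands in that safe order. The other way to sidestep numbering entirely is to delete by rule specification, as in the maintainer's "ufw delete allow 23" example later in this thread.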

Revision history for this message
Benjamin Flesch (bflesch) wrote :

I'm happy to create a PR for this if the consensus is that we should add this feature.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for the report.

Note that ufw already supports removing rules of the type that you described, like so:

$ sudo ufw allow 23
Rule added
Rule added (v6)

$ sudo ufw delete allow 23
Rule deleted
Rule deleted (v6)

It would probably be beneficial to add functionality to allow deleting multiple numbered rules besides the one mentioned.

I'm going to be doing some ufw updates in the coming weeks that touch this area of the code and will try to squeeze it in then.

Changed in ufw:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Benjamin Flesch (bflesch) wrote :

Dear Jamie,

if I try "ufw delete #number", I get prompted "proceed with operation (y|n)". This is yet another UX problem.

I love ufw, but want to work on making it more user-friendly. Is there willingness to work towards this goal from you as a maintainer? Or should I fork?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Why is confirmation another UX problem? You can specify --force if you don't want the confirmation. Eg:

$ sudo ufw --force delete 23
Rule deleted
$

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

As for a willingness to work towards the goal of more user-friendliness, yes, absolutely. I unfortunately got sidetracked and didn't get to adding the ability to remove multiple numbered rules yet. As it happens, most of that other work is done and I will be spending some time on ufw in the coming weeks and that will include touching code in this area (and therefore me being able to sneak this in).

Revision history for this message
Benjamin Flesch (bflesch) wrote :

Hi Jamie,

thanks so much for your quick reply. I don't want to come across as snarky and just say that I really appreciate your contribution with ufw.

It'd be great if you find time to incorporate some of the suggestions. Otherwise I'd love to contribute on a PR for this project if that would make things easier for you.

Some further observations from your comment #2 re: prompting (y|n) for deletion

1) you were able to successfully run `ufw allow 23` and `ufw --force delete 123`
2) I tried to reproduce with `ufw allow 12345/udp` -> works
3) Problem: `ufw delete 12345/udp` -> Problem: "invalid syntax"
4) Ok, let's try to delete by number!
    `ufw delete 7 --force` -> Problem: "Proceed with operation (y|n)?" (--force is ignored)
5) Let's shift parameters
    `ufw delete --force 7` -> Problem: "invalid syntax"
6) Finally, let's put force in front of the operation I want to do
    `ufw --force delete 7` -> SUCCESS

This is just an example of a bigger issue I feel with ufw: the argument parsing library used in ufw feels not very modern, because I am used to being able to put most parameters in a random order. This does not work as expected with ufw.

PS: on a more general note, if we want to make it "easy" for the user, it is often advised to just have an "undo" functionality instead of prompting the user for confirmation very often. I know the command line is often about the --force param and undo is mostly used in GUIs, but that's a recurring idea I have when working with ufw.

Revision history for this message
Benjamin Flesch (bflesch) wrote :

Also, it'd be great if ufw delete command had some aliases such as "remove", "del" - I keep using the wrong word over and over again.
