ufw

Comment updates for rules don't work as advertised by the manpages

Bug #1927737 reported by paul janssen
This bug affects 1 person
Affects: ufw
Importance: Undecided
Assigned to: Unassigned

Bug Description

Manpage snippet:
'''
Both syntaxes support specifying a comment for the rule. For existing rules, specifying a different
comment updates the comment and specifying '' removes the comment.
'''

Actual behavior (no comment updates in case the rule already exists):
'''
~$ sudo ufw version
ufw 0.36
Copyright 2008-2015 Canonical Ltd.

~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw prepend reject from 123.123.123.123 to any comment "Jadajadjada"
Rule inserted
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Jadajadjada
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw prepend reject from 123.123.123.123 to any comment "Boomshakalak"
Skipping inserting existing rule
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Jadajadjada
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw prepend reject from 123.123.123.123 to any
Skipping inserting existing rule
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Jadajadjada
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw delete reject from 123.123.123.123 to any
Rule deleted
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw insert 1 reject from 123.123.123.123 to any comment "Boomshakalak"
Rule inserted
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Boomshakalak
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw insert 1 reject from 123.123.123.123 to any comment "Jadajadajda"
Skipping inserting existing rule
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Boomshakalak
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw insert 1 reject from 123.123.123.123 to any
Skipping inserting existing rule
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Boomshakalak
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw insert 1 reject from 123.123.123.123 to any comment
ERROR: Option 'comment' missing required argument
~$ sudo ufw insert 1 reject from 123.123.123.123 to any comment ""
Skipping inserting existing rule
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Boomshakalak
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Boomshakalak
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw delete reject from 123.123.123.123 to any comment ""
Rule deleted
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$
'''

Jamie Strandboge (jdstrand) wrote:

Thanks for the report! The issue here is that you are using 'prepend' (which is like 'insert') instead of allow/reject/deny and ufw is operating as intended. I'll adjust the man page to make this clearer.

Changed in ufw:
status: New → Fix Committed
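
An added example, not part of the original report or of ufw: a shell sketch of the distinction drawn in the reply above. It reads the rule table printed by `ufw status` on stdin and prints the command that would bring a REJECT IN rule's comment in line, using the plain `reject` syntax for an existing rule and `prepend` only for a rule that is not there yet. The function names and the sample table are constructed here; that the plain syntax updates the comment is taken from the manpage text and the maintainer's reply, not checked by this script.

```shell
#!/bin/sh
# Constructed sample: rule table in the layout `ufw status verbose` prints in the report.
sample_status() {
cat <<'EOF'
To                         Action      From
--                         ------      ----
Anywhere                   REJECT IN   123.123.123.123            # Jadajadjada
Anywhere                   REJECT IN   111.111.111.111            # <comment>
EOF
}

# current_comment SRC
# Reads a status table on stdin. Prints the comment of the "Anywhere REJECT IN SRC"
# rule (empty if it has none). Returns 1 if no such rule is listed.
current_comment() {
  awk -v src="$1" '
    $1 == "Anywhere" && $2 == "REJECT" && $3 == "IN" && $4 == src {
      found = 1
      i = index($0, "# ")            # the comment follows the first "# "
      if (i) print substr($0, i + 2)
      exit
    }
    END { if (!found) exit 1 }'
}

# plan_comment_fix SRC WANT
# Reads a status table on stdin and prints the ufw command to run, or nothing
# when the rule already carries the wanted comment.
plan_comment_fix() {
  src=$1
  want=$2
  if have=$(current_comment "$src"); then
    if [ "$have" = "$want" ]; then
      return 0
    fi
    # Rule exists: insert/prepend would answer "Skipping inserting existing rule",
    # so use the plain rule syntax to change the comment ("" removes it).
    printf 'ufw reject from %s to any comment "%s"\n' "$src" "$want"
  else
    # Rule is new: prepend creates it with the comment.
    printf 'ufw prepend reject from %s to any comment "%s"\n' "$src" "$want"
  fi
}

# Demo on the constructed table; on a live host pipe `sudo ufw status` in instead.
sample_status | plan_comment_fix 123.123.123.123 Boomshakalak
```

The printed command is not executed; review it and run it with sudo.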