ufw

Comment updates for rules don't work as advertised by the manpages

Bug #1927737 reported by paul janssen
This bug affects 1 person
Affects: ufw
Status: Fix Released
Importance: Low
Assigned to: Jamie Strandboge

Bug Description

Manpage snippet:
'''
Both syntaxes support specifying a comment for the rule. For existing rules, specifying a different
comment updates the comment and specifying '' removes the comment.
'''

Actual behavior (no comment updates in case the rule already exists):
'''
~$ sudo ufw version
ufw 0.36
Copyright 2008-2015 Canonical Ltd.

~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw prepend reject from 123.123.123.123 to any comment "Jadajadjada"
Rule inserted
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Jadajadjada
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw prepend reject from 123.123.123.123 to any comment "Boomshakalak"
Skipping inserting existing rule
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Jadajadjada
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw prepend reject from 123.123.123.123 to any
Skipping inserting existing rule
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Jadajadjada
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw delete reject from 123.123.123.123 to any
Rule deleted
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw insert 1 reject from 123.123.123.123 to any comment "Boomshakalak"
Rule inserted
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Boomshakalak
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw insert 1 reject from 123.123.123.123 to any comment "Jadajadajda"
Skipping inserting existing rule
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Boomshakalak
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw insert 1 reject from 123.123.123.123 to any
Skipping inserting existing rule
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Boomshakalak
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw insert 1 reject from 123.123.123.123 to any comment
ERROR: Option 'comment' missing required argument
~$ sudo ufw insert 1 reject from 123.123.123.123 to any comment ""
Skipping inserting existing rule
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Boomshakalak
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Boomshakalak
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$ sudo ufw delete reject from 123.123.123.123 to any comment ""
Rule deleted
~$ sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222 # <comment>

~$
'''

Jamie Strandboge (jdstrand) wrote:

Thanks for the report! The issue here is that you are using 'prepend' (which is like 'insert') instead of allow/reject/deny and ufw is operating as intended. I'll adjust the man page to make this clearer.

Changed in ufw:
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote:

This was fixed in 0.36.2.

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
status: Fix Committed → Fix Released
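
Where rule comments serve as the audit trail for block rules, the "Skipping inserting existing rule" outcome above means the stored comment can silently differ from the one just requested. The following check is an added example, not part of the bug report or of ufw; the helper names `rule_comment` and `comment_state` and the sample status text are assumptions, and the parser only handles the simple rule layout shown in the report.

```shell
#!/bin/sh
# Constructed sample in the flattened layout shown in the report: the state
# after `ufw prepend ... comment "Boomshakalak"` was skipped as an existing rule.
SAMPLE_STATUS='To Action From
-- ------ ----
Anywhere REJECT IN 123.123.123.123 # Jadajadjada
Anywhere REJECT IN 111.111.111.111 # <comment>
Anywhere REJECT IN 222.222.222.222'

# rule_comment STATUS_TEXT FROM_ADDR  (hypothetical helper)
# Prints the comment of the first rule whose From column is FROM_ADDR.
# Returns 0 if the rule exists (its comment may be empty), 1 otherwise.
rule_comment() {
    printf '%s\n' "$1" | awk -v from="$2" '
        {
            i = index($0, " # ")
            comment = (i > 0) ? substr($0, i + 3) : ""
            if (i > 0) $0 = substr($0, 1, i - 1)   # drop comment, re-split fields
            if (NF >= 3 && $NF == from) { print comment; found = 1; exit }
        }
        END { exit !found }'
}

# comment_state STATUS_TEXT FROM_ADDR WANTED_COMMENT  (hypothetical helper)
# Prints "missing" (no such rule), "match" (comment is as wanted)
# or "stale" (rule exists but carries a different comment).
comment_state() {
    if current=$(rule_comment "$1" "$2"); then
        if [ "$current" = "$3" ]; then echo match; else echo stale; fi
    else
        echo missing
    fi
}

# The rule from the report still carries its first comment.
comment_state "$SAMPLE_STATUS" 123.123.123.123 "Boomshakalak"
```

A "stale" result is the case the report ran into: going by the maintainer's comment, the comment update belongs to the allow/reject/deny forms, not to `insert` or `prepend`.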