[pkg-netfilter-team] Bug#949739: iptables: ufw fails with iptables 1.8.4-2

Ximin Luo infinity0 at debian.org
Mon Feb 10 13:35:58 GMT 2020


Control: reassign -1 ufw
Control: severity -1 grave # breaks security software

ufw needs to be patched/updated to call iptables{,6}-legacy-{save,restore}.

In the meantime, iptables 1.8.3 is no longer in Debian, but the user can work around this by doing `sudo update-alternatives --config ip{,6}tables` and using the legacy commands accordingly.

You might need to restart your computer as well. I tried restarting ufw and even running `iptables -F` and `-X`, but my system was still entirely screwed (all internet blocked) even when iptables seemingly had no rules, and it was only fixed after I restarted.

X

On Fri, 24 Jan 2020 12:53:08 +0100 Peje Nilsson <peje66 at gmail.com> wrote:
> Package: iptables
> Version: 1.8.4-2
> Severity: important
> 
> Dear Maintainer,
> 
>    * What led up to the situation?
> Upgraded iptables to latest unstable and then restarted ufw.
> 
> root:~# iptables --version
> iptables v1.8.4 (nf_tables)
> root:~# ufw disable
> Firewall stopped and disabled on system startup
> root:~# ufw enable
> ERROR: problem running ufw-init
> iptables-restore: COMMIT expected at line 19
> ip6tables-restore: COMMIT expected at line 19
> 
> Problem running '/etc/ufw/user.rules'
> Problem running '/etc/ufw/user6.rules'
> 
> root:~# ping -n 8.8.8.8
> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> ^C
> --- 8.8.8.8 ping statistics ---
> 9 packets transmitted, 0 received, 100% packet loss, time 8184ms
> 
> root:~# ufw disable
> Firewall stopped and disabled on system startup
> root:~# ping -n 8.8.8.8
> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> 64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=9.18 ms
> 64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=9.01 ms
> 64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=9.13 ms
> ^C
> --- 8.8.8.8 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2002ms
> rtt min/avg/max/mdev = 9.013/9.105/9.177/0.068 ms
> 
> Downgrading to iptables 1.8.3-2 makes things work again:
> 
> root:~# iptables --version
> iptables v1.8.3 (nf_tables)
> root:~# ufw enable
> Firewall is active and enabled on system startup
> root:~# ping -n 8.8.8.8
> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> 64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=9.00 ms
> 64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=9.01 ms
> ^C
> --- 8.8.8.8 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 8.999/9.002/9.006/0.003 ms
> 
> 
> -- System Information:
> Debian Release: bullseye/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
> 'experimental')

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
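Added example, not from either message in this thread: a small POSIX sh script that reads the backend tag iptables 1.8 prints in its `--version` banner (`(nf_tables)` or `(legacy)`, as in the output quoted above) and, when the nf_tables backend is active, prints the non-interactive form of the `update-alternatives --config ip{,6}tables` workaround described in the reply. The alternative names (`iptables`, `ip6tables`) and target paths (`/usr/sbin/iptables-legacy`, `/usr/sbin/ip6tables-legacy`) are assumed Debian defaults, not values quoted from the thread; the fallback banner used when iptables is not installed is a constructed sample.

```shell
#!/bin/sh
# Added example (not part of the bug report or ufw): detect which iptables
# backend is active from the --version banner and print the commands that
# switch the alternatives to the legacy backend, as the reply suggests.

# backend_of VERSION_LINE -> prints nf_tables | legacy | unknown
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# uses_nftables_backend VERSION_LINE -> exit 0 when the nf_tables backend
# is active (the situation the workaround addresses), 1 otherwise
uses_nftables_backend() {
    [ "$(backend_of "$1")" = nf_tables ]
}

# workaround_cmds -> prints the non-interactive equivalent of
# `update-alternatives --config ip{,6}tables` selecting the legacy backend.
# Alternative names and target paths are assumed Debian defaults.
workaround_cmds() {
    cat <<'EOF'
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
EOF
}

# Inspect the live system when iptables is present; otherwise use a
# constructed banner so the script can still be run anywhere.
main() {
    if command -v iptables >/dev/null 2>&1; then
        banner=$(iptables --version 2>/dev/null)
    else
        banner='iptables v1.8.4 (nf_tables)'   # constructed sample banner
    fi
    printf 'backend: %s\n' "$(backend_of "$banner")"
    if uses_nftables_backend "$banner"; then
        echo "nf_tables backend active; to switch ufw to the legacy binaries run (as root):"
        workaround_cmds
    else
        echo "legacy (or unknown) backend active; no alternatives switch suggested"
    fi
}

main "$@"
```

After switching, re-run `iptables --version` and expect the banner to read `(legacy)` before restarting ufw; as the reply notes, a reboot may still be needed for the previously failed rule load to stop blocking traffic.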


