kernel config does not support ufw firewall

Bug #1191197 reported by Jamie Strandboge
Affects                   Status        Importance  Assigned to        Milestone
touch-preview-images      Fix Released  Undecided   Unassigned
linux-grouper (Ubuntu)    Fix Released  Medium      Tim Gardner
linux-maguro (Ubuntu)     Fix Released  Undecided   Tim Gardner
linux-mako (Ubuntu)       Fix Released  Medium      Tim Gardner
linux-manta (Ubuntu)      Fix Released  Undecided   Tim Gardner
ufw (Ubuntu)              Fix Released  Medium      Jamie Strandboge

Bug Description

The phablet image kernels (tested on nexus 4 and nexus 7) don't have enough netfilter options enabled to use ufw. ufw is the default firewall in Ubuntu and the indicator-network will have firewall support for the converged device if not sooner. ufw has a tool to test if the necessary kernel config is set up. Can we get our phablet kernel config to pass these tests? (Note: tests that are 'FAIL (no runtime support)' don't strictly have to be enabled, though it would be nice.)

To test:

$ sudo apt-get install ufw
$ sudo /usr/share/ufw/check-requirements
Has python: pass (binary: python2.7, version: 2.7.5+, py2)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: FAIL
hashlimit: pass
limit: pass
state (NEW): pass
state (RELATED): pass
state (ESTABLISHED): pass
state (INVALID): pass
state (new, recent set): FAIL (no runtime support)
state (new, recent update): FAIL (no runtime support)
state (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): FAIL
addrtype (MULTICAST): FAIL
addrtype (BROADCAST): FAIL
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: FAIL
hashlimit: pass
limit: pass
state (NEW): pass
state (RELATED): pass
state (ESTABLISHED): pass
state (INVALID): pass
state (new, recent set): FAIL (no runtime support)
state (new, recent update): FAIL (no runtime support)
state (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass

FAIL: check your kernel and that you have iptables >= 1.4.0
FAIL: check your kernel and iptables for additional runtime support

In addition to the above, I noticed these IPv6 rules also fail (I need to add a check to check-requirements for that):
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP

I added tasks for the linux-nexus4 and linux-nexus7 kernels. Not sure what other kernels should be added, if any.
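The probe the report relies on, written out as an added example in Python (ufw is itself Python, but this is the editor's code, not ufw's check-requirements script). It creates a scratch chain that no built-in chain jumps to, inserts a RETURN rule at its top, appends one rule per match or target that ufw depends on, and records which ones iptables and the kernel accept, covering the `-m rt --rt-type 0` rule from the report as well. The chain name `ufw-probe`, the exact rule list and the `fake_runner` test double are assumptions of this example. A real run needs root and iptables/ip6tables and may autoload netfilter modules, as the script's own prompt warns.

```python
"""Probe the running kernel for the netfilter matches and targets ufw uses.

Added example, not ufw's own check-requirements script. Rules are appended to
a scratch chain (assumed name: ufw-probe) that no built-in chain jumps to, and
a RETURN rule is inserted at its top first, so nothing probed here can ever
act on real traffic. Real runs need root, iptables/ip6tables, and may autoload
kernel modules; `run` is injectable so the logic can be exercised without that.
"""
import subprocess
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

CHAIN = "ufw-probe"                   # assumption: scratch chain name
Rule = Tuple[str, List[str]]          # (label, argv tail after "-A CHAIN")
Runner = Callable[[List[str]], bool]  # runs argv, True on exit status 0

# One rule per category in the check-requirements output, same labels.
COMMON: List[Rule] = [
    ("TCP", ["-p", "tcp", "-j", "ACCEPT"]),
    ("destination port", ["-p", "tcp", "--dport", "22", "-j", "ACCEPT"]),
    ("ACCEPT", ["-j", "ACCEPT"]),
    ("DROP", ["-j", "DROP"]),
    ("REJECT", ["-j", "REJECT"]),
    ("LOG", ["-j", "LOG"]),
    ("hashlimit", ["-m", "hashlimit", "--hashlimit-upto", "5/min",
                   "--hashlimit-name", "probe", "-j", "ACCEPT"]),
    ("limit", ["-m", "limit", "--limit", "3/min", "-j", "ACCEPT"]),
    ("state (NEW)", ["-m", "state", "--state", "NEW", "-j", "ACCEPT"]),
    ("state (INVALID)", ["-m", "state", "--state", "INVALID", "-j", "DROP"]),
    ("state (new, recent set)", ["-m", "state", "--state", "NEW",
                                 "-m", "recent", "--set", "-j", "ACCEPT"]),
    ("multiport", ["-p", "tcp", "-m", "multiport", "--dports", "22,80",
                   "-j", "ACCEPT"]),
    ("comment", ["-m", "comment", "--comment", "probe", "-j", "ACCEPT"]),
]
V4_ONLY: List[Rule] = [
    ("addrtype (LOCAL)", ["-m", "addrtype", "--dst-type", "LOCAL", "-j", "ACCEPT"]),
]
V6_ONLY: List[Rule] = [
    ("icmpv6 with hl (neighbor-solicitation)",
     ["-p", "icmpv6", "--icmpv6-type", "neighbor-solicitation",
      "-m", "hl", "--hl-eq", "255", "-j", "ACCEPT"]),
    ("ipv6 rt", ["-m", "rt", "--rt-type", "0", "-j", "DROP"]),  # rule from the report
]


def real_runner(argv: List[str]) -> bool:
    """Run iptables/ip6tables for real; only the exit status matters."""
    return subprocess.run(argv, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def fake_runner(unsupported: Iterable[str]) -> Runner:
    """Test double: fails any argv containing one of the `unsupported` tokens
    (e.g. "addrtype", "LOG") and records every call in run.calls."""
    bad = set(unsupported)

    def run(argv: List[str]) -> bool:
        run.calls.append(list(argv))
        return not any(tok in bad for tok in argv)
    run.calls = []
    return run


def probe(cmd: str, rules: Sequence[Rule], run: Runner = real_runner) -> Dict[str, bool]:
    """Try each rule in a fresh scratch chain; return {label: accepted}."""
    run([cmd, "-F", CHAIN])  # leftovers from an aborted run; failure is fine
    run([cmd, "-X", CHAIN])
    if not run([cmd, "-N", CHAIN]):
        raise RuntimeError("%s cannot create chain %s (root? iptables?)" % (cmd, CHAIN))
    results: Dict[str, bool] = {}
    try:
        run([cmd, "-I", CHAIN, "1", "-j", "RETURN"])  # belt and braces
        for label, tail in rules:
            results[label] = run([cmd, "-A", CHAIN] + tail)
    finally:
        run([cmd, "-F", CHAIN])  # always remove the scratch chain again
        run([cmd, "-X", CHAIN])
    return results


def probe_all(run: Runner = real_runner) -> Dict[str, Dict[str, bool]]:
    return {"ipv4": probe("iptables", COMMON + V4_ONLY, run),
            "ipv6": probe("ip6tables", COMMON + V6_ONLY, run)}


def failures(results: Dict[str, bool]) -> List[str]:
    """Labels that were rejected, in probe order."""
    return [label for label, ok in results.items() if not ok]


if __name__ == "__main__":
    for family, res in probe_all().items():
        print("== %s ==" % family.upper())
        for label, ok in res.items():
            print("%s: %s" % (label, "pass" if ok else "FAIL"))
```

A rejected rule tells you only that this iptables build plus this kernel cannot express it; it does not say whether the match is compiled out, built as a module that failed to load, or unknown to the iptables userspace, so read the ip6tables/iptables error text before touching the kernel config.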

description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Added a ufw task to add a check for -m rt --rt-type 0

Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
tags: added: bot-stop-nagging
description: updated
Changed in ufw (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.33-0ubuntu4

---------------
ufw (0.33-0ubuntu4) saucy; urgency=low

  * debian/patches/0005-lp1191197.patch: add check for -m rt --rt-type 0
    (LP: #1191197)
 -- Jamie Strandboge <email address hidden> Sat, 15 Jun 2013 07:48:37 -0500

Changed in ufw (Ubuntu):
status: Fix Committed → Fix Released
description: updated
Changed in ufw (Ubuntu):
importance: Undecided → Medium
Changed in linux-nexus7 (Ubuntu):
importance: Undecided → Medium
Changed in linux-nexus4 (Ubuntu):
importance: Undecided → Medium
tags: added: nexus4-kernel nexus7-kernel
tags: added: kernel-da-key
Changed in touch-preview-images:
status: New → Confirmed
Changed in linux-nexus4 (Ubuntu):
status: New → Confirmed
Changed in linux-nexus7 (Ubuntu):
status: New → Confirmed
Tim Gardner (timg-tpi)
affects: linux-nexus4 (Ubuntu) → linux-mako (Ubuntu)
Changed in linux-mako (Ubuntu):
assignee: nobody → Tim Gardner (timg-tpi)
status: Confirmed → In Progress
affects: linux-nexus7 (Ubuntu) → linux-grouper (Ubuntu)
Changed in linux-grouper (Ubuntu):
assignee: nobody → Tim Gardner (timg-tpi)
status: Confirmed → In Progress
Tim Gardner (timg-tpi)
Changed in linux-maguro (Ubuntu):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-mako - 3.4.0-3.11

---------------
linux-mako (3.4.0-3.11) saucy; urgency=low

  * UBUNTU: [Config] Enable and modularize all netfilter matches
    LP: #1191197
  * UBUNTU: SAUCE: pm8921: add charge_now, charge_empty and charge_full
  * ARM: fix warnings about atomic64_read
 -- Tim Gardner <email address hidden> Mon, 17 Jun 2013 09:25:04 -0600

Changed in linux-mako (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-grouper - 3.1.10-5.13

---------------
linux-grouper (3.1.10-5.13) saucy; urgency=low

  * UBUNTU: [Config] Enable and modularize all netfilter matches
    -LP: #1191197
  * UBUNTU: Sync enforcer with master
  * UBUNTU: [Config] CONFIG_FRAMEBUFFER_CONSOLE=y
  * UBUNTU: [Config] CONFIG_BLK_DEV_RAM=y
  * UBUNTU: [Config] CONFIG_SYN_COOKIES=y
 -- Tim Gardner <email address hidden> Fri, 14 Jun 2013 13:45:43 -0600

Changed in linux-grouper (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-maguro - 3.0.0-3.6

---------------
linux-maguro (3.0.0-3.6) saucy; urgency=low

  * UBUNTU: [Config] Enable and modularize all netfilter matches
    -LP: #1191197
 -- Tim Gardner <email address hidden> Mon, 17 Jun 2013 13:40:52 -0600

Changed in linux-maguro (Ubuntu):
status: In Progress → Fix Released
Tim Gardner (timg-tpi)
Changed in linux-manta (Ubuntu):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-manta - 3.4.0-4.9

---------------
linux-manta (3.4.0-4.9) saucy; urgency=low

  * UBUNTU: [Config] Enable and modularize all netfilter matches
    -LP: #1191197
 -- Tim Gardner <email address hidden> Tue, 18 Jun 2013 07:14:22 -0600

Changed in linux-manta (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, while these kernels are reported as fixed, /usr/share/ufw/check-requirements -f still fails. E.g., on grouper JENKINS_BUILD=saucy-24:
Has python: pass (binary: python2.7, version: 2.7.5+, py2)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: FAIL
limit: FAIL
state (NEW): FAIL
state (RELATED): FAIL
state (ESTABLISHED): FAIL
state (INVALID): FAIL
state (new, recent set): FAIL (no runtime support)
state (new, recent update): FAIL (no runtime support)
state (new, limit): FAIL
interface (input): pass
interface (output): pass
multiport: FAIL
comment: FAIL
addrtype (LOCAL): FAIL
addrtype (MULTICAST): FAIL
addrtype (BROADCAST): FAIL
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: FAIL
limit: FAIL
state (NEW): FAIL
state (RELATED): FAIL
state (ESTABLISHED): FAIL
state (INVALID): FAIL
state (new, recent set): FAIL (no runtime support)
state (new, recent update): FAIL (no runtime support)
state (new, limit): FAIL
interface (input): pass
interface (output): pass
multiport: FAIL
comment: FAIL
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): FAIL
icmpv6 with hl (neighbor-advertisement): FAIL
icmpv6 with hl (router-solicitation): FAIL
icmpv6 with hl (router-advertisement): FAIL
ipv6 rt: FAIL

FAIL: check your kernel and that you have iptables >= 1.4.0
FAIL: check your kernel and iptables for additional runtime support
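When a kernel is reported as fixed but the runtime checks above still fail, the first thing to separate is whether the options are really in the running kernel's config and whether they are built in or modules. The following is an added example by the editor, not code from ufw or from this bug: it maps the check-requirements categories to the kernel Kconfig symbols behind them (the editor's mapping for 3.x-era kernels; the LOG target has both the older per-family symbols and the later shared one as alternatives) and reads /proc/config.gz or a saved .config. A "module" verdict means only that the code exists to be loaded; whether it loads is what the iptables probe answers, and "builtin" versus "module" is exactly the distinction the "Enable and modularize all netfilter matches" changelog entry is about. `SAMPLE_CONFIG` is constructed for the example and is not any device's real config.

```python
"""Map check-requirements categories to the kernel config symbols behind them.

Added example (editor's mapping for 3.x-era kernels, not from ufw or this bug).
It reads /proc/config.gz or a saved .config and reports, per requirement,
whether support is built in, a module, or absent. "module" only means the
code exists to be loaded; a runtime probe with iptables shows whether it does.
"""
import gzip
import re
from typing import Dict, Iterable, List, Tuple

# Any one of the listed symbols satisfies the requirement. The LOG target
# moved from per-family options to a shared xt_LOG option in the 3.x series,
# hence the alternatives.
REQUIREMENTS: Dict[str, Tuple[str, ...]] = {
    "LOG (IPv4)":       ("CONFIG_NETFILTER_XT_TARGET_LOG", "CONFIG_IP_NF_TARGET_LOG"),
    "LOG (IPv6)":       ("CONFIG_NETFILTER_XT_TARGET_LOG", "CONFIG_IP6_NF_TARGET_LOG"),
    "REJECT (IPv4)":    ("CONFIG_IP_NF_TARGET_REJECT",),
    "REJECT (IPv6)":    ("CONFIG_IP6_NF_TARGET_REJECT",),
    "conntrack (IPv4)": ("CONFIG_NF_CONNTRACK_IPV4",),
    "conntrack (IPv6)": ("CONFIG_NF_CONNTRACK_IPV6",),
    "state":            ("CONFIG_NETFILTER_XT_MATCH_STATE",),
    "limit":            ("CONFIG_NETFILTER_XT_MATCH_LIMIT",),
    "hashlimit":        ("CONFIG_NETFILTER_XT_MATCH_HASHLIMIT",),
    "recent":           ("CONFIG_NETFILTER_XT_MATCH_RECENT",),
    "multiport":        ("CONFIG_NETFILTER_XT_MATCH_MULTIPORT",),
    "comment":          ("CONFIG_NETFILTER_XT_MATCH_COMMENT",),
    "addrtype":         ("CONFIG_NETFILTER_XT_MATCH_ADDRTYPE",),
    "hl":               ("CONFIG_NETFILTER_XT_MATCH_HL",),
    "ipv6 rt":          ("CONFIG_IP6_NF_MATCH_RT",),
}

CONFIG_LINE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(y|m)$")

# Constructed sample, not a real device config: conntrack, LOG and REJECT
# present, most xt matches missing, roughly the shape of the first report.
SAMPLE_CONFIG = """\
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
# CONFIG_NETFILTER_XT_MATCH_ADDRTYPE is not set
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP6_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP6_NF_TARGET_REJECT=y
"""


def parse_config(lines: Iterable[str]) -> Dict[str, str]:
    """{symbol: 'y'|'m'} for enabled options; '# ... is not set' and absent ones are omitted."""
    enabled: Dict[str, str] = {}
    for line in lines:
        m = CONFIG_LINE.match(line.strip())
        if m:
            enabled[m.group(1)] = m.group(2)
    return enabled


def load_running_config(path: str = "/proc/config.gz") -> Dict[str, str]:
    """Needs CONFIG_IKCONFIG_PROC in the kernel; otherwise feed a saved .config to parse_config()."""
    with gzip.open(path, "rt") as fh:
        return parse_config(fh)


def status(enabled: Dict[str, str], alternatives: Tuple[str, ...]) -> str:
    """builtin if any alternative is =y, module if any is =m, else missing."""
    states = {enabled.get(sym) for sym in alternatives}
    if "y" in states:
        return "builtin"
    if "m" in states:
        return "module"
    return "missing"


def report(enabled: Dict[str, str]) -> Dict[str, str]:
    return {label: status(enabled, alts) for label, alts in REQUIREMENTS.items()}


def missing(enabled: Dict[str, str]) -> List[str]:
    return sorted(label for label, st in report(enabled).items() if st == "missing")


if __name__ == "__main__":
    import sys
    try:
        cfg = load_running_config()
    except OSError:
        print("no /proc/config.gz; using the constructed sample", file=sys.stderr)
        cfg = parse_config(SAMPLE_CONFIG.splitlines())
    for label, st in report(cfg).items():
        print("%-18s %s" % (label + ":", st))
```

Run it on the device alongside check-requirements: a category that is "builtin" or "module" here but FAIL there points at module loading or the iptables userspace rather than the kernel config, while "missing" means the config change has not actually reached the kernel that is booting.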

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

After discussing with ogra, filed bug #1194549 which is the next step to having ufw work on the phablet images.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Marking touch-preview-images task as complete since the kernels now are fixed, but see bug #1194549 for next steps.

Changed in touch-preview-images:
status: Confirmed → Fix Released