iptable_filter and ip6table_filter do not auto load
Bug #1496419 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Snappy | Fix Released | High | John Lenton |
ubuntu-core-config (Ubuntu) | Fix Released | High | Oliver Grawert |
Bug Description
If running a snap with custom confinement that is allowed to manipulate netfilter, iptable_filter and ip6table_filter are not loaded in the kernel and do not autoload (and we don't want to allow module loading for the snap). This can be tested by using 'iptables -L -n' or 'ip6tables -L -n' under confinement. Once they are loaded, other netfilter modules seem to autoload correctly. This bug could be solved in a number of ways:
- make sure iptable_filter and ip6table_filter are loaded on boot
- adjust iptable_filter and ip6table_filter to autoload
- adjust the documentation to require the new snappy config mechanism for loading iptable_filter and ip6table_filter for a firewall snap
Related branches
lp:~chipaca/snappy/config-modules
- Oliver Grawert: Approve
- Michael Vogt (community): Approve
Diff: 444 lines (+296/-10), 2 files modified
- coreconfig/config.go (+107/-6)
- coreconfig/config_test.go (+189/-4)
Changed in ubuntu-core-config (Ubuntu):
- assignee: nobody → Oliver Grawert (ogra)
- importance: Undecided → High
- status: New → Confirmed

Changed in snappy:
- status: New → In Progress
- importance: Undecided → High
- assignee: nobody → John Lenton (chipaca)

Changed in snappy:
- status: In Progress → Fix Committed
seems to need /etc/modules-load.d dir in writable-paths in ubuntu-core-config
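
As an added example (not code from this bug report or from the snappy branch), the following script checks a `/proc/modules`-format listing for the two filter modules named in the description and prints the module list that a file under `/etc/modules-load.d`, the directory mentioned in the comment above, would need so they load at boot without granting the snap module-loading rights. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Modules the bug description says must already be loaded before a confined
# snap can run 'iptables -L -n' or 'ip6tables -L -n'.
REQUIRED_MODULES="iptable_filter ip6table_filter"

# Print each required module that is absent from a /proc/modules-format file.
# Only the first field (the module name) is compared, so a name that merely
# appears in another module's dependency column does not count as loaded.
# Caveat: modules built into the kernel are not listed in /proc/modules.
missing_filter_modules() {
    modules_file="${1:-/proc/modules}"
    for mod in $REQUIRED_MODULES; do
        if ! awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' \
                "$modules_file"; then
            printf '%s\n' "$mod"
        fi
    done
}

# Emit modules-load.d content (one module name per line) for whatever is
# missing; prints nothing when both modules are already present.
modules_load_conf() {
    missing="$(missing_filter_modules "$1")"
    [ -n "$missing" ] || return 0
    printf '# netfilter filter tables needed by a confined firewall snap\n'
    printf '%s\n' "$missing"
}

# Constructed sample: iptable_filter is loaded, ip6table_filter is not.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
ip_tables 28672 1 iptable_filter, Live 0x0000000000000000
x_tables 36864 2 ip_tables,iptable_filter, Live 0x0000000000000000
iptable_filter 16384 0 - Live 0x0000000000000000
EOF

echo "missing modules:"
missing_filter_modules "$sample"
echo "suggested modules-load.d content:"
modules_load_conf "$sample"
rm -f "$sample"
```

Called with no argument, `missing_filter_modules` reads the live `/proc/modules`.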