diff -Nru ufw-0.36/debian/changelog ufw-0.36/debian/changelog --- ufw-0.36/debian/changelog 2020-03-02 13:01:18.000000000 +0000 +++ ufw-0.36/debian/changelog 2020-04-02 12:05:30.000000000 +0000 @@ -1,3 +1,22 @@ +ufw (0.36-6) unstable; urgency=medium + + * 0009-empty-non-functioning-ipt-modules.patch: empty out IPT_MODULES and + update documentation regarding modern use of connection tracking modules. + ufw historically used IPT_MODULES in /etc/defaults/ufw to + load various connection tracking modules, but use of this mechanism has + been deprecated for some time. These days, the kernel defaults to + deactivating flows for various connection tracking modules so users have + to perform an extra sysctl step to use this old mechanism anyway, so empty + IPT_MODULES and better document use of connection tracking modules. A + future upload will introduce rule syntax for working with connection + tracking helper rules. (LP: #1556419) + * 0010-add-other-firewall-checks.patch: adjust the check-requirements + diagnostic tool to warn about other installed firewall software + * 0011-suppress-legacy-warnings-in-tests.patch: suppress iptables warnings + about legacy rules being present in root functional tests + + -- Jamie Strandboge Thu, 02 Apr 2020 12:05:30 +0000 + ufw (0.36-5) unstable; urgency=medium * debian/control: really fix Vcs-Git (use -b debian/master) and add diff -Nru ufw-0.36/debian/patches/0009-empty-non-functioning-ipt-modules.patch ufw-0.36/debian/patches/0009-empty-non-functioning-ipt-modules.patch --- ufw-0.36/debian/patches/0009-empty-non-functioning-ipt-modules.patch 1970-01-01 00:00:00.000000000 +0000 +++ ufw-0.36/debian/patches/0009-empty-non-functioning-ipt-modules.patch 2020-04-02 12:05:30.000000000 +0000 
@@ -0,0 +1,122 @@ +Author: Jamie Strandboge +Description: empty out IPT_MODULES and update documentation regarding modern + use of connection tracking modules. +Index: ufw-0.36/conf/ufw.defaults +=================================================================== +--- ufw-0.36.orig/conf/ufw.defaults ++++ ufw-0.36/conf/ufw.defaults +@@ -34,13 +34,14 @@ MANAGE_BUILTINS=no + # only enable if using iptables backend + IPT_SYSCTL=#CONFIG_PREFIX#/ufw/sysctl.conf + +-# Extra connection tracking modules to load. Complete list can be found in +-# net/netfilter/Kconfig of your kernel source. Some common modules: ++# Extra connection tracking modules to load. IPT_MODULES should typically be ++# empty for new installations and modules added only as needed. See ++# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can ++# be found in net/netfilter/Kconfig of your kernel source. Some common modules: + # nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support + # nf_conntrack_netbios_ns: NetBIOS (samba) client support + # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT + # nf_conntrack_ftp, nf_nat_ftp: active FTP support + # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side) + # nf_conntrack_sane: sane support +-IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns" +- ++IPT_MODULES="" +Index: ufw-0.36/doc/ufw-framework.8 +=================================================================== +--- ufw-0.36.orig/doc/ufw-framework.8 ++++ ufw-0.36/doc/ufw-framework.8 +@@ -130,6 +130,11 @@ IPT_MODULES in #CONFIG_PREFIX#/default/u + nf_conntrack_tftp + nf_nat_tftp + nf_conntrack_sane ++.PP ++Unconditional loading of connection tracking modules (nf_conntrack_*) in this ++manner is deprecated. \fBufw\fR continues to support the functionality but new ++configuration should only contain the specific modules required for the site. ++For more information, see CONNECTION HELPERS. 
+ + .SH "KERNEL PARAMETERS" + .PP +@@ -241,6 +246,51 @@ Add the necessary \fBufw\fR rules: + ufw route allow in on eth0 to 10.0.0.2 port 80 proto tcp + ufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp + ++.SH "CONNECTION HELPERS" ++.PP ++Various protocols require the use of netfilter connection tracking helpers to ++group related packets into RELATED flows to make rulesets clearer and more ++precise. For example, with a couple of kernel modules and a couple of rules, a ++ruleset could simply allow a connection to FTP port 21, then the kernel would ++examine the traffic and mark the other FTP data packets as RELATED to the ++initial connection. ++.PP ++When the helpers were first introduced, one could only configure the modules as ++part of module load (eg, if your FTP server listened on a different port than ++21, you'd have to load the nf_conntrack_ftp module specifying the correct ++port). Over time it was understood that unconditionally using connection ++helpers could lead to abuse, in part because some protocols allow user ++specified data that would allow traversing the firewall in undesired ways. As ++of kernel 4.7, automatic conntrack helper assignment (ie, handling packets for ++a given port and all IP addresses) is disabled (the old behavior can be ++restored by setting net/netfilter/nf_conntrack_helper=1 in ++#CONFIG_PREFIX#/ufw/sysctl.conf). Firewalls should now instead use the CT ++target to associate traffic with a particular helper and then set RELATED rules ++to use the helper. This allows sites to tailor the use of helpers and help ++avoid abuse. ++.PP ++In general, to use helpers securely, the following needs to happen: ++.IP 1. ++net/netfilter/nf_conntrack_helper should be set to 0 (default) ++.IP 2. ++create a rule for the start of a connection (eg for FTP, port 21) ++.IP 3. ++create a helper rule to associate the helper with this connection ++.IP 4. ++create a helper rule to associate a RELATED flow with this connection ++.IP 5. 
++if needed, add the corresponding nf_conntrack_* module to IPT_MODULES ++.IP 6. ++optionally add the corresponding nf_nat_* module to IPT_MODULES ++.PP ++In general it is desirable to make connection helper rules as specific as ++possible and ensure anti\-spoofing is correctly setup for your site to avoid ++security issues in your ruleset. For more information, see ANTI\-SPOOFING, ++above, and . ++.PP ++Currently helper rules must be managed in via the RULES FILES. A future version ++of \fBufw\fR will introduce syntax for working with helper rules. ++ + .SH NOTES + .PP + When using ufw with libvirt and bridging, packets may be blocked. The +Index: ufw-0.36/tests/unit/test_backend.py +=================================================================== +--- ufw-0.36.orig/tests/unit/test_backend.py ++++ ufw-0.36/tests/unit/test_backend.py +@@ -41,8 +41,7 @@ class BackendTestCase(unittest.TestCase) + "drop") + self.assertEquals(self.backend.defaults['default_output_policy'], + "accept") +- self.assertEquals(self.backend.defaults['ipt_modules'], +- 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns') ++ self.assertTrue("ipt_modules" not in self.backend.defaults) + self.assertEquals(self.backend.defaults['loglevel'], 'low') + self.assertEquals(self.backend.defaults['manage_builtins'], 'no') + self.assertEquals(self.backend.defaults['enabled'], 'no') +Index: ufw-0.36/tests/unit/test_backend_iptables.py +=================================================================== +--- ufw-0.36.orig/tests/unit/test_backend_iptables.py ++++ ufw-0.36/tests/unit/test_backend_iptables.py +@@ -628,8 +628,7 @@ ports=80/tcp + def test__get_defaults(self): + '''Test _get_defaults()''' + self.backend._get_defaults() +- for k in ['ipt_modules', +- 'default_output_policy', ++ for k in ['default_output_policy', + 'default_input_policy', + 'default_forward_policy', + 'loglevel', diff -Nru ufw-0.36/debian/patches/0010-add-other-firewall-checks.patch 
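Review bot: The new CONNECTION HELPERS section of doc/ufw-framework.8 ends a sentence with an empty cross-reference, `For more information, see ANTI\-SPOOFING, above, and .` — either the intended link was dropped from the patch or it was lost in rendering; confirm against the source before upload, and either supply the reference or shorten the sentence to `For more information, see ANTI\-SPOOFING, above.` The same section also has `must be managed in via the RULES FILES` (drop `in`) and `anti\-spoofing is correctly setup` (`set up`). Since the text explicitly documents that `net/netfilter/nf_conntrack_helper=1` restores the abusable automatic assignment, it would help operators to state in the ufw.defaults comment that populating IPT_MODULES alone no longer activates a helper on kernels with the default of 0, which is the reason the default is now empty. In tests/unit/test_backend.py the replacement assertion `self.assertTrue("ipt_modules" not in self.backend.defaults)` loses the failing value in its message; `self.assertNotIn('ipt_modules', self.backend.defaults)` is the idiomatic form and reports the dict on failure.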
ufw-0.36/debian/patches/0010-add-other-firewall-checks.patch
--- ufw-0.36/debian/patches/0010-add-other-firewall-checks.patch 1970-01-01 00:00:00.000000000 +0000
+++ ufw-0.36/debian/patches/0010-add-other-firewall-checks.patch 2020-04-02 12:05:30.000000000 +0000
@@ -0,0 +1,45 @@ +Author: Jamie Strandboge +Description: adjust check-requirements to look for other firewall software +Index: ufw-0.36/tests/check-requirements +=================================================================== +--- ufw-0.36.orig/tests/check-requirements ++++ ufw-0.36/tests/check-requirements +@@ -3,7 +3,7 @@ + # check-requirements: verify all the required iptables functionality is + # available + # +-# Copyright 2008-2014 Canonical Ltd. ++# Copyright 2008-2020 Canonical Ltd. + # + # This program is free software: you can redistribute it and/or modify + # it under the terms of the GNU General Public License version 3, +@@ -79,7 +79,7 @@ for i in "" 6; do + fi + + echo -n "Has $exe: " +- if ! which $exe >/dev/null 2>&1; then ++ if ! PATH=/sbin:/usr/sbin:/bin:/usr/bin which $exe >/dev/null 2>&1; then + echo "ERROR: could not find '$exe'" >&2 + error="yes" + else +@@ -253,6 +253,20 @@ for i in "" 6; do + } + done + ++# check and warn if various firewall applications are installed ++found= ++for exe in apf arno-iptables-firewall ferm firehol firewalld ipkungfu iptables-persistent netfilter-persistent pyroman uruk ; do ++ if PATH=/sbin:/usr/sbin:/bin:/usr/bin which "$exe" >/dev/null 2>&1; then ++ found="$found $exe" ++ fi ++done ++if [ ! -z "$found" ]; then ++ echo "WARN: detected other firewall applications:" ++ echo "$found" ++ echo "(if enabled, these applications may interfere with ufw)" ++ echo "" ++fi ++ + if [ -n "$error" ] || [ -n "$error_runtime" ]; then + if [ -n "$error" ]; then + echo "FAIL: check your kernel and that you have iptables >= 1.4.0" diff -Nru ufw-0.36/debian/patches/0011-suppress-legacy-warnings-in-tests.patch ufw-0.36/debian/patches/0011-suppress-legacy-warnings-in-tests.patch --- ufw-0.36/debian/patches/0011-suppress-legacy-warnings-in-tests.patch 1970-01-01 00:00:00.000000000 +0000 +++ ufw-0.36/debian/patches/0011-suppress-legacy-warnings-in-tests.patch 2020-04-02 12:05:30.000000000 +0000 
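Review bot: The new other-firewall scan in tests/check-requirements only detects software whose executable name matches an entry in the list, and at least one entry looks like a package rather than a binary — as far as I recall the iptables-persistent package ships its tool as netfilter-persistent, which is already listed, so `iptables-persistent` will never be found; confirm which names are real commands on the fixed PATH and drop or replace the rest. The emptiness test reads better as `if [ -n "$found" ]; then` instead of `if [ ! -z "$found" ]; then`, and `found="$found $exe"` leaves a leading space in the `echo "$found"` line. Because presence on PATH says nothing about whether a competing firewall is active, the warning would be more useful if it also reported unit state where `systemctl is-enabled "$exe"` is available, falling back to the current message otherwise; this is optional, but the current text `(if enabled, these applications may interfere with ufw)` pushes that judgement onto the reader. The surrounding `for i in "" 6; do` loop that the first two hunks touch begins and ends outside this patch.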
@@ -0,0 +1,338 @@ +Author: Jamie Strandboge +Description: suppress iptables warnings about legacy rules being present + in root functional tests +Index: ufw-0.36/tests/root/bugs/runtest.sh +=================================================================== +--- ufw-0.36.orig/tests/root/bugs/runtest.sh ++++ ufw-0.36/tests/root/bugs/runtest.sh +@@ -24,7 +24,7 @@ echo "Bug #247352" >> $TESTTMP/result + do_cmd "0" --dry-run allow http/tcp + grep -A2 "tuple" $TESTCONFIG/user.rules >> $TESTTMP/result + echo "iptables -L -n:" >> $TESTTMP/result +-iptables -L -n | grep -A1 "80" >> $TESTTMP/result 2>&1 ++iptables -L -n 2>/dev/null | grep -A1 "80" >> $TESTTMP/result + do_cmd "0" delete allow http/tcp + grep -A2 "tuple" $TESTCONFIG/user.rules >> $TESTTMP/result + +@@ -33,12 +33,12 @@ echo "Setting IPV6 to no" >> $TESTTMP/re + sed -i "s/IPV6=.*/IPV6=no/" $TESTPATH/etc/default/ufw + do_cmd "0" nostats disable + echo "/lib/ufw/ufw-init flush-all:" >> $TESTTMP/result +-$TESTSTATE/ufw-init flush-all >> $TESTTMP/result 2>&1 ++$TESTSTATE/ufw-init flush-all 2>/dev/null >> $TESTTMP/result + do_cmd "0" nostats enable + echo "/lib/ufw/ufw-init force-reload:" >> $TESTTMP/result +-$TESTSTATE/ufw-init force-reload >> $TESTTMP/result 2>&1 ++$TESTSTATE/ufw-init force-reload 2>/dev/null >> $TESTTMP/result + echo "ip6tables -L -n:" >> $TESTTMP/result +-ip6tables -L -n >> $TESTTMP/result 2>&1 ++ip6tables -L -n 2>/dev/null >> $TESTTMP/result + + echo "Bug #260881" >> $TESTTMP/result + echo "Setting IPV6 to no" >> $TESTTMP/result +@@ -48,10 +48,10 @@ do_cmd "0" nostats enable + do_cmd "0" allow Apache + do_cmd "0" delete deny Apache + echo "iptables -L -n:" >> $TESTTMP/result +-iptables -L -n | grep -A1 "80" >> $TESTTMP/result 2>&1 ++iptables -L -n 2>/dev/null | grep -A1 "80" >> $TESTTMP/result + do_cmd "0" delete allow Apache + echo "iptables -L -n:" >> $TESTTMP/result +-iptables -L -n | grep -A1 "80" >> $TESTTMP/result 2>&1 ++iptables -L -n 2>/dev/null | grep -A1 "80" >> $TESTTMP/result + + 
echo "Bug #263308" >> $TESTTMP/result + echo "Setting IPV6 to yes" >> $TESTTMP/result +@@ -138,13 +138,13 @@ for ipv6 in yes no ; do + do_cmd "0" null logging $i + fi + do_cmd "0" null enable +- iptables-save | grep '^-' > $TESTTMP/ipt.enable +- ip6tables-save | grep '^-' > $TESTTMP/ip6t.enable ++ iptables-save 2>/dev/null | grep '^-' > $TESTTMP/ipt.enable ++ ip6tables-save 2>/dev/null | grep '^-' > $TESTTMP/ip6t.enable + + do_extcmd "0" null $TESTPATH/lib/ufw/ufw-init stop + do_extcmd "0" null $TESTPATH/lib/ufw/ufw-init start +- iptables-save | grep '^-' > $TESTTMP/ipt.start +- ip6tables-save | grep '^-' > $TESTTMP/ip6t.start ++ iptables-save 2>/dev/null | grep '^-' > $TESTTMP/ipt.start ++ ip6tables-save 2>/dev/null | grep '^-' > $TESTTMP/ip6t.start + + diff $TESTTMP/ipt.enable $TESTTMP/ipt.start || { + echo "'ufw enable' and 'ufw-init start' are different for loglevel '$i'" +@@ -166,7 +166,7 @@ for i in low on medium high full off off + if [ "$i" = "off" ]; then + e="1" + fi +- iptables-save | grep -q 'UFW LIMIT BLOCK' $TESTCONFIG/user.rules ++ iptables-save 2>/dev/null | grep -q 'UFW LIMIT BLOCK' $TESTCONFIG/user.rules + rc="$?" 
+ if [ "$rc" != "$e" ]; then + echo "$i: got '$rc', expected '$e'" +@@ -181,7 +181,7 @@ do_cmd "0" nostats enable + for b in INPUT OUTPUT FORWARD; do + suffix=`echo $b | tr [A-Z] [a-z]` + echo "$count: iptables -L $b -n | egrep -q 'ufw-after-logging-$suffix'" >> $TESTTMP/result +- iptables -L "$b" -n | egrep -q "ufw-after-logging-$suffix" || { ++ iptables -L "$b" -n 2>/dev/null | egrep -q "ufw-after-logging-$suffix" || { + echo "'iptables -L $b -n' does not contain 'ufw-after-logging-$suffix'" + exit 1 + } +Index: ufw-0.36/tests/root/live/runtest.sh +=================================================================== +--- ufw-0.36.orig/tests/root/live/runtest.sh ++++ ufw-0.36/tests/root/live/runtest.sh +@@ -110,7 +110,7 @@ do + echo iptables -I INPUT -j ACCEPT -m comment --comment $str >> $TESTTMP/result + iptables -I INPUT -j ACCEPT -m comment --comment $str >> $TESTTMP/result + do_cmd "0" nostats enable +- iptables -n -L INPUT | grep "$str" >> $TESTTMP/result ++ iptables -n -L INPUT 2>/dev/null | grep "$str" >> $TESTTMP/result + iptables -D INPUT -j ACCEPT -m comment --comment $str 2>/dev/null + done + +@@ -213,21 +213,21 @@ do_cmd "0" nostats disable + do_cmd "0" nostats allow 23/tcp + do_cmd "0" nostats logging medium + do_cmd "0" null enable +-iptables-save | grep '^-' > $TESTTMP/ipt.enable +-ip6tables-save | grep '^-' > $TESTTMP/ip6t.enable ++iptables-save 2>/dev/null | grep '^-' > $TESTTMP/ipt.enable ++ip6tables-save 2>/dev/null | grep '^-' > $TESTTMP/ip6t.enable + + do_cmd "0" null disable +-iptables-save | grep '^-' > $TESTTMP/ipt.disable +-ip6tables-save | grep '^-' > $TESTTMP/ip6t.disable ++iptables-save 2>/dev/null | grep '^-' > $TESTTMP/ipt.disable ++ip6tables-save 2>/dev/null | grep '^-' > $TESTTMP/ip6t.disable + + sed -i 's/^ENABLED=no/ENABLED=yes/' $TESTPATH/etc/ufw/ufw.conf + do_extcmd "0" null $TESTPATH/lib/ufw/ufw-init start +-iptables-save | grep '^-' > $TESTTMP/ipt.start +-ip6tables-save | grep '^-' > $TESTTMP/ip6t.start ++iptables-save 
2>/dev/null | grep '^-' > $TESTTMP/ipt.start ++ip6tables-save 2>/dev/null | grep '^-' > $TESTTMP/ip6t.start + + do_extcmd "0" null $TESTPATH/lib/ufw/ufw-init stop +-iptables-save | grep '^-' > $TESTTMP/ipt.stop +-ip6tables-save | grep '^-' > $TESTTMP/ip6t.stop ++iptables-save 2>/dev/null | grep '^-' > $TESTTMP/ipt.stop ++ip6tables-save 2>/dev/null | grep '^-' > $TESTTMP/ip6t.stop + + diff $TESTTMP/ipt.enable $TESTTMP/ipt.start || { + echo "'ufw enable' and 'ufw-init start' are different" +@@ -264,7 +264,7 @@ for l in off on low medium high full; do + for c in before-logging before after after-logging reject track ; do + suffix=`echo $b | tr [A-Z] [a-z]` + echo "$count: iptables -L $b -n | egrep -q 'ufw-$c-$suffix'" >> $TESTTMP/result +- iptables -L $b -n | egrep -q "ufw-$c-$suffix" || { ++ iptables -L $b -n 2>/dev/null | egrep -q "ufw-$c-$suffix" || { + echo "'iptables -L $b -n' does not contain 'ufw-$c-$suffix'" + exit 1 + } +@@ -283,7 +283,7 @@ for l in off on low medium high full; do + do_cmd "0" nostats enable + for c in logging-deny not-local user-forward user-input user-output skip-to-policy-input ; do + echo "$count: ! 
iptables -L ufw-$c -n | egrep -q '0 references'" >> $TESTTMP/result +- iptables -L ufw-$c -n | egrep -q '0 references' && { ++ iptables -L ufw-$c -n 2>/dev/null | egrep -q '0 references' && { + echo "'iptables -L ufw-user-input -n' had 0 references" + exit 1 + } +@@ -293,7 +293,7 @@ for l in off on low medium high full; do + done + for c in logging-allow user-limit user-limit-accept user-logging-forward user-logging-input user-logging-output skip-to-policy-output skip-to-policy-forward ; do + echo "$count: iptables -L ufw-$c -n | egrep -q '0 references'" >> $TESTTMP/result +- iptables -L ufw-$c -n | egrep -q '0 references' || { ++ iptables -L ufw-$c -n 2>/dev/null | egrep -q '0 references' || { + echo "'iptables -L ufw-user-input -n' had more than 0 references" + exit 1 + } +Index: ufw-0.36/tests/root/live_route/runtest.sh +=================================================================== +--- ufw-0.36.orig/tests/root/live_route/runtest.sh ++++ ufw-0.36/tests/root/live_route/runtest.sh +@@ -99,7 +99,7 @@ do + echo iptables -I FORWARD -j ACCEPT -m comment --comment $str >> $TESTTMP/result + iptables -I FORWARD -j ACCEPT -m comment --comment $str >> $TESTTMP/result + do_cmd "0" nostats enable +- iptables -n -L FORWARD | grep "$str" >> $TESTTMP/result ++ iptables -n -L FORWARD 2>/dev/null | grep "$str" >> $TESTTMP/result + iptables -D FORWARD -j ACCEPT -m comment --comment $str 2>/dev/null + done + +@@ -212,21 +212,21 @@ do_cmd "0" nostats disable + do_cmd "0" nostats route allow 23/tcp + do_cmd "0" nostats logging medium + do_cmd "0" null enable +-iptables-save | grep '^-' > $TESTTMP/ipt.enable +-ip6tables-save | grep '^-' > $TESTTMP/ip6t.enable ++iptables-save 2>/dev/null | grep '^-' > $TESTTMP/ipt.enable ++ip6tables-save 2>/dev/null | grep '^-' > $TESTTMP/ip6t.enable + + do_cmd "0" null disable +-iptables-save | grep '^-' > $TESTTMP/ipt.disable +-ip6tables-save | grep '^-' > $TESTTMP/ip6t.disable ++iptables-save 2>/dev/null | grep '^-' > $TESTTMP/ipt.disable 
++ip6tables-save 2>/dev/null | grep '^-' > $TESTTMP/ip6t.disable + + sed -i 's/^ENABLED=no/ENABLED=yes/' $TESTPATH/etc/ufw/ufw.conf + do_extcmd "0" null $TESTPATH/lib/ufw/ufw-init start +-iptables-save | grep '^-' > $TESTTMP/ipt.start +-ip6tables-save | grep '^-' > $TESTTMP/ip6t.start ++iptables-save 2>/dev/null | grep '^-' > $TESTTMP/ipt.start ++ip6tables-save 2>/dev/null | grep '^-' > $TESTTMP/ip6t.start + + do_extcmd "0" null $TESTPATH/lib/ufw/ufw-init stop +-iptables-save | grep '^-' > $TESTTMP/ipt.stop +-ip6tables-save | grep '^-' > $TESTTMP/ip6t.stop ++iptables-save 2>/dev/null | grep '^-' > $TESTTMP/ipt.stop ++ip6tables-save 2>/dev/null | grep '^-' > $TESTTMP/ip6t.stop + + diff $TESTTMP/ipt.enable $TESTTMP/ipt.start || { + echo "'ufw enable' and 'ufw-init start' are different" +Index: ufw-0.36/tests/root/live_apps/runtest.sh +=================================================================== +--- ufw-0.36.orig/tests/root/live_apps/runtest.sh ++++ ufw-0.36/tests/root/live_apps/runtest.sh +@@ -169,12 +169,12 @@ for ipv6 in no yes ; do + cat $TESTCONFIG/user.rules >> $TESTTMP/result + cat $TESTCONFIG/user6.rules >> $TESTTMP/result + +- iptables-save | egrep -v '^(#|:)' > $TESTTMP/save.1 +- ip6tables-save | egrep -v '^(#|:)' >> $TESTTMP/save.1 ++ iptables-save 2>/dev/null | egrep -v '^(#|:)' > $TESTTMP/save.1 ++ ip6tables-save 2>/dev/null | egrep -v '^(#|:)' >> $TESTTMP/save.1 + do_cmd "0" nostats disable + do_cmd "0" nostats enable +- iptables-save | egrep -v '^(#|:)' > $TESTTMP/save.2 +- ip6tables-save | egrep -v '^(#|:)' >> $TESTTMP/save.2 ++ iptables-save 2>/dev/null | egrep -v '^(#|:)' > $TESTTMP/save.2 ++ ip6tables-save 2>/dev/null | egrep -v '^(#|:)' >> $TESTTMP/save.2 + diff $TESTTMP/save.1 $TESTTMP/save.2 || { + echo "ip(6)tables-restore different for '$i'" + exit 1 +@@ -197,12 +197,12 @@ for ipv6 in no yes ; do + cat $TESTCONFIG/user.rules >> $TESTTMP/result + cat $TESTCONFIG/user6.rules >> $TESTTMP/result + +- iptables-save | egrep -v '^(#|:)' > 
$TESTTMP/save.1 +- ip6tables-save | egrep -v '^(#|:)' >> $TESTTMP/save.1 ++ iptables-save 2>/dev/null | egrep -v '^(#|:)' > $TESTTMP/save.1 ++ ip6tables-save 2>/dev/null | egrep -v '^(#|:)' >> $TESTTMP/save.1 + do_cmd "0" nostats disable + do_cmd "0" nostats enable +- iptables-save | egrep -v '^(#|:)' > $TESTTMP/save.2 +- ip6tables-save | egrep -v '^(#|:)' >> $TESTTMP/save.2 ++ iptables-save 2>/dev/null | egrep -v '^(#|:)' > $TESTTMP/save.2 ++ ip6tables-save 2>/dev/null | egrep -v '^(#|:)' >> $TESTTMP/save.2 + diff $TESTTMP/save.1 $TESTTMP/save.2 || { + echo "ip(6)tables-restore different for '$i'" + exit 1 +Index: ufw-0.36/tests/root/valid/runtest.sh +=================================================================== +--- ufw-0.36.orig/tests/root/valid/runtest.sh ++++ ufw-0.36/tests/root/valid/runtest.sh +@@ -30,22 +30,22 @@ echo "TESTING ARGS (default)" >> $TESTTM + do_cmd "0" enable + do_cmd "0" default allow + for i in INPUT FORWARD OUTPUT ; do +- iptables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ iptables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + grep -h "DEFAULT" $TESTPATH/etc/default/ufw >> $TESTTMP/result + do_cmd "0" default deny + for i in INPUT FORWARD OUTPUT ; do +- iptables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ iptables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + grep -h "DEFAULT" $TESTPATH/etc/default/ufw >> $TESTTMP/result + do_cmd "0" DEFAULT ALLOW + for i in INPUT FORWARD OUTPUT ; do +- iptables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ iptables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + grep -h "DEFAULT" $TESTPATH/etc/default/ufw >> $TESTTMP/result + do_cmd "0" DEFAULT DENY + for i in INPUT FORWARD OUTPUT ; do +- iptables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ iptables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + grep -h "DEFAULT" $TESTPATH/etc/default/ufw >> $TESTTMP/result + +Index: ufw-0.36/tests/root/valid6/runtest.sh 
+=================================================================== +--- ufw-0.36.orig/tests/root/valid6/runtest.sh ++++ ufw-0.36/tests/root/valid6/runtest.sh +@@ -35,41 +35,41 @@ do_cmd "0" enable + do_cmd "0" default allow + echo "ipv4:" >> $TESTTMP/result + for i in INPUT FORWARD OUTPUT ; do +- iptables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ iptables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + echo "ipv6:" >> $TESTTMP/result + for i in INPUT FORWARD OUTPUT ; do +- ip6tables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ ip6tables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + grep -h "DEFAULT" $TESTPATH/etc/default/ufw >> $TESTTMP/result + do_cmd "0" default deny + echo "ipv4:" >> $TESTTMP/result + for i in INPUT FORWARD OUTPUT ; do +- iptables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ iptables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + echo "ipv6:" >> $TESTTMP/result + for i in INPUT FORWARD OUTPUT ; do +- ip6tables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ ip6tables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + grep -h "DEFAULT" $TESTPATH/etc/default/ufw >> $TESTTMP/result + do_cmd "0" DEFAULT ALLOW + echo "ipv4:" >> $TESTTMP/result + for i in INPUT FORWARD OUTPUT ; do +- iptables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ iptables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + echo "ipv6:" >> $TESTTMP/result + for i in INPUT FORWARD OUTPUT ; do +- ip6tables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ ip6tables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + grep -h "DEFAULT" $TESTPATH/etc/default/ufw >> $TESTTMP/result + do_cmd "0" DEFAULT DENY + echo "ipv4:" >> $TESTTMP/result + for i in INPUT FORWARD OUTPUT ; do +- iptables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ iptables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + echo "ipv6:" >> $TESTTMP/result + for i in INPUT FORWARD OUTPUT 
; do +- ip6tables -n -L $i | grep 'policy ' >> $TESTTMP/result ++ ip6tables -n -L $i 2>/dev/null | grep 'policy ' >> $TESTTMP/result + done + grep -h "DEFAULT" $TESTPATH/etc/default/ufw >> $TESTTMP/result + +Index: ufw-0.36/tests/root/logging/runtest.sh +=================================================================== +--- ufw-0.36.orig/tests/root/logging/runtest.sh ++++ ufw-0.36/tests/root/logging/runtest.sh +@@ -35,12 +35,12 @@ for i in allow deny limit reject ; do + cat $TESTCONFIG/user.rules >> $TESTTMP/result + cat $TESTCONFIG/user6.rules >> $TESTTMP/result + +- iptables-save | egrep -v '^(#|:)' > $TESTTMP/save.1 +- ip6tables-save | egrep -v '^(#|:)' >> $TESTTMP/save.1 ++ iptables-save 2>/dev/null | egrep -v '^(#|:)' > $TESTTMP/save.1 ++ ip6tables-save 2>/dev/null | egrep -v '^(#|:)' >> $TESTTMP/save.1 + do_cmd "0" nostats disable + do_cmd "0" nostats enable +- iptables-save | egrep -v '^(#|:)' > $TESTTMP/save.2 +- ip6tables-save | egrep -v '^(#|:)' >> $TESTTMP/save.2 ++ iptables-save 2>/dev/null | egrep -v '^(#|:)' > $TESTTMP/save.2 ++ ip6tables-save 2>/dev/null | egrep -v '^(#|:)' >> $TESTTMP/save.2 + diff $TESTTMP/save.1 $TESTTMP/save.2 || { + echo "ip(6)tables-restore different for '$i'" + exit 1 diff -Nru ufw-0.36/debian/patches/series ufw-0.36/debian/patches/series --- ufw-0.36/debian/patches/series 2020-02-29 19:59:33.000000000 +0000 +++ ufw-0.36/debian/patches/series 2020-04-02 12:05:30.000000000 +0000 @@ -6,3 +6,6 @@ 0006-bug921680.patch 0007-bug921680-pt2.patch 0008-fix-check-requirements-again.patch +0009-empty-non-functioning-ipt-modules.patch +0010-add-other-firewall-checks.patch +0011-suppress-legacy-warnings-in-tests.patch
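Review bot: Redirecting `2>/dev/null` on every iptables and iptables-save invocation in these runtest.sh files discards all diagnostics, not just the legacy-tables warning the patch is aimed at, so in the `iptables-save 2>/dev/null | grep '^-' > $TESTTMP/ipt.enable` / `diff $TESTTMP/ipt.enable $TESTTMP/ipt.start` checks a backend that fails outright now yields two empty files that compare equal and the test passes silently; this applies to the live, live_route, live_apps, logging and bugs scripts alike. A cheap guard is to assert the captured rule set is non-empty before diffing, e.g. `[ -s "$TESTTMP/ipt.enable" ] || { echo "iptables-save produced no rules"; exit 1; }`, or to filter stderr for the one expected warning text (use the exact message from your iptables build) and let anything else through. While touching it, the bugs/runtest.sh line `iptables-save 2>/dev/null | grep -q 'UFW LIMIT BLOCK' $TESTCONFIG/user.rules` gives grep a file operand, so the piped iptables-save output is ignored entirely; I assume the intent is to grep user.rules and the pipe should go, but the hunk does not show enough of the surrounding loop (which starts outside it) to be sure.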