| Summary: | net-firewall/ufw-0.33* USE=-ipv6 - `ufw status' fails when it cannot find ip6tables and on kernels with disabled IPv6 | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Karsten Renhak <karsten.renhak> |
| Component: | Current packages | Assignee: | Sławomir Nizio <slawomir.nizio> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | dawnstyle, pcmoore, proxy-maint, pva |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugs.launchpad.net/ufw/+bug/1062521 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | version bump | | |

Description
Karsten Renhak
2012-10-05 08:43:12 UTC
I tried it on another system with a kernel without ipv6 support, but iptables was built with the ipv6 flag. I got this error message:

    # ufw status
    Traceback (most recent call last):
      File "/usr/sbin/ufw-2.7", line 95, in <module>
        ui = ufw.frontend.UFWFrontend(pr.dryrun)
      File "/usr/lib64/python2.7/site-packages/ufw/frontend.py", line 153, in __init__
        self.backend = UFWBackendIptables(dryrun)
      File "/usr/lib64/python2.7/site-packages/ufw/backend_iptables.py", line 45, in __init__
        ufw.backend.UFWBackend.__init__(self, "iptables", dryrun, files)
      File "/usr/lib64/python2.7/site-packages/ufw/backend.py", line 88, in __init__
        nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
      File "/usr/lib64/python2.7/site-packages/ufw/util.py", line 734, in get_netfilter_capabilities
        raise OSError(errno.ENOENT, out)
    OSError: [Errno 2] FATAL: Module ip6_tables not found.
    ip6tables v1.4.13: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
    Perhaps ip6tables or your kernel needs to be upgraded.

So this message differs only in the last three lines from the original one. But that means either the ufw ebuild has to check kernel ipv6 support and the iptables ipv6 use flag, or the ufw python code skips the ip6tables calls.

It properly RDEPENDs on >=net-firewall/iptables-1.4[ipv6?]

Thanks for reporting! Recent changes in UFW have caused this unexpectedly.

This is very similar to https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1044361 and indeed, patches introduced there *seem* to make ufw work with net-firewall/iptables[-ipv6] (ie rules take effect), despite the fact it calls error() and exits.

    # ufw enable
    ERROR: initcaps
    [Errno 2] [Errno 2] No such file or directory

This looks like a special case of the issue from that upstream bug and needs to be handled correctly. I will notify upstream about this shortly.

The older version that is still in Portage, 0.31.1, doesn't have this problem.

- Bug filed upstream.
- Soon 0.33-r1 will be committed, but that's unrelated to this bug. (It will contain a patch to avoid a warning from iptables 1.4.16.2 about 'state' module being deprecated.)
- Due to this bug some people may want to use the older Ufw, so 0.31.1-r1 with the fix above will be available too.

(I'm a "proxied" maintainer btw.)

While there's no clean fix, forcing ipv6 on iptables and checking if enabled in the kernel is the way to go, as you suggest.

Question is if ipv6 USE flag should be kept. Now it would only set default configuration in the configuration file. I think it is quite convenient, but on the other hand it would be somewhat artificial and misleading.

By the way, here's a URL that tracks the "kernel without IPv6 support -> failure" problem: https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1039729 and the bug about failure with iptables[-ipv6] in URL field.

-r2 which checks for IPv6 is in Portage (thanks Ian for committing).

Also -r2 for both currently present versions installs the check-requirements script because (although by design it requires IPv6 enabled) it can be useful for debugging problems.

One more thing, this bug is now fixed in upstream's VCS. :) It looks good so I'm going to make an update in the upcoming days.

CCing proxy maintainers for speeding up resolving of this

Created attachment 332550 [details, diff]
version bump
Explanation: I need new proxy (committer), so if there's anyone who wants, please contact me.
In the meantime I'm attaching a patch that fixes it properly.
(In reply to comment #8)
> Created attachment 332550 [details, diff]
> version bump
>
> Explanation: I need new proxy (committer), so if there's anyone who wants,
> please contact me.
> In the meantime I'm attaching a patch that fixes it properly.

ok someone of us will do it ;)

(In reply to comment #8)
> Created attachment 332550 [details, diff]
> version bump
>
> Explanation: I need new proxy (committer), so if there's anyone who wants,
> please contact me.
> In the meantime I'm attaching a patch that fixes it properly.

What would the ebuild filename be? Is it a revbump? If it is a version bump like you claim, what is the version number?

Hmm sorry I see what's going on here

+*ufw-0.34_pre805 (17 Dec 2012) + + 17 Dec 2012; Markos Chandras <hwoarang@gentoo.org> +ufw-0.34_pre805.ebuild, + metadata.xml: + Version bump. Fixes bug #437266. Thanks to slawomir.nizio@sabayon.org +

Thanks, Markos.
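
The two failure modes reported in this bug (kernel without IPv6, and iptables built without ip6tables) can be told apart and checked for before the firewall is enabled. The sketch below is an added example, not code from ufw or from the Gentoo ebuild. The `/proc/net/if_inet6` probe and the `IPV6=` key of an `/etc/default/ufw` style file are assumptions about the target system, all function names are hypothetical, and the sample error strings are constructed from the messages quoted above.

```python
import os
import shutil

# Sample outputs constructed from the two error messages quoted in this report.
KERNEL_ERR = ("FATAL: Module ip6_tables not found.\n"
              "ip6tables v1.4.13: can't initialize ip6tables table `filter': "
              "Table does not exist (do you need to insmod?)\n"
              "Perhaps ip6tables or your kernel needs to be upgraded.")
BINARY_ERR = "ERROR: initcaps\n[Errno 2] [Errno 2] No such file or directory"

def classify_failure(output):
    """Map ufw/ip6tables error text to the likely missing prerequisite."""
    text = output.lower()
    if "module ip6_tables not found" in text or "table does not exist" in text:
        return "kernel-no-ipv6"
    if "no such file or directory" in text:
        return "ip6tables-missing"
    return "unknown"

def ipv6_preflight(proc_file="/proc/net/if_inet6", finder=shutil.which):
    """Check both prerequisites. Assumption: proc_file exists only when the
    running kernel has IPv6 enabled; finder locates a binary on PATH."""
    kernel_ok = os.path.exists(proc_file)
    binary_ok = finder("ip6tables") is not None
    return {"kernel_ipv6": kernel_ok, "ip6tables": binary_ok,
            "usable": kernel_ok and binary_ok}

def configured_ipv6(conf_text):
    """Return True if the shell-style config text ends up with IPV6=yes."""
    enabled = False
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.upper().startswith("IPV6="):
            value = line.split("=", 1)[1].strip().strip("\"'")
            enabled = value.lower() == "yes"   # last assignment wins
    return enabled

def findings(conf_text, pre):
    """List mismatches between the configuration and what the host supports."""
    out = []
    if configured_ipv6(conf_text) and not pre["kernel_ipv6"]:
        out.append("IPV6=yes but the running kernel has no IPv6 support")
    if configured_ipv6(conf_text) and not pre["ip6tables"]:
        out.append("IPV6=yes but no ip6tables binary was found")
    if not configured_ipv6(conf_text) and pre["usable"]:
        out.append("IPv6 is usable but IPV6 is not enabled: no IPv6 rules loaded")
    return out
```

Running `findings(open("/etc/default/ufw").read(), ipv6_preflight())` before `ufw enable` surfaces the mismatch up front instead of as a traceback at firewall start.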