1 |
use conntrack instead of state |
|
|
2 |
https://bugs.launchpad.net/ufw/+bug/1065297 |
3 |
|
4 |
This is a version for ufw 0.31.1. |
5 |
diff --git a/conf/before.rules b/conf/before.rules |
6 |
index bc11f36..9917b87 100644 |
7 |
--- a/conf/before.rules |
8 |
+++ b/conf/before.rules |
9 |
@@ -22,12 +22,12 @@ |
10 |
-A ufw-before-output -o lo -j ACCEPT |
11 |
|
12 |
# quickly process packets for which we already have a connection |
13 |
--A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT |
14 |
--A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT |
15 |
+-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
16 |
+-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
17 |
|
18 |
# drop INVALID packets (logs these in loglevel medium and higher) |
19 |
--A ufw-before-input -m state --state INVALID -j ufw-logging-deny |
20 |
--A ufw-before-input -m state --state INVALID -j DROP |
21 |
+-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny |
22 |
+-A ufw-before-input -m conntrack --ctstate INVALID -j DROP |
23 |
|
24 |
# ok icmp codes |
25 |
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT |
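Review bot: Every rewritten rule in this file now depends on the iptables `conntrack` match (kernel module xt_conntrack) instead of `state` (xt_state), and the patch does not record that new hard requirement anywhere near the rules; before.rules is presumably loaded as a whole by iptables-restore, so on a kernel or iptables build without the conntrack match the restore fails and the firewall does not come up, with no fallback to `-m state`. The same dependency is introduced by the before6.rules, backend_iptables.py and ufw-init-functions hunks. A short comment beside the changed rules would help anyone maintaining a customised before.rules, e.g. `# ufw's bundled rules use the conntrack match (xt_conntrack), not the older state match`. The check-requirements change probes for the match, but as far as these hunks show that only runs with the test suite, not at ufw start.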
26 |
diff --git a/conf/before6.rules b/conf/before6.rules |
27 |
index fb1a8f1..8b7e4ff 100644 |
28 |
--- a/conf/before6.rules |
29 |
+++ b/conf/before6.rules |
30 |
@@ -34,16 +34,16 @@ |
31 |
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |
32 |
|
33 |
# quickly process packets for which we already have a connection |
34 |
--A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT |
35 |
--A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT |
36 |
+-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
37 |
+-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
38 |
|
39 |
# for multicast ping replies from link-local addresses (these don't have an |
40 |
# associated connection and would otherwise be marked INVALID) |
41 |
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT |
42 |
|
43 |
# drop INVALID packets (logs these in loglevel medium and higher) |
44 |
--A ufw6-before-input -m state --state INVALID -j ufw6-logging-deny |
45 |
--A ufw6-before-input -m state --state INVALID -j DROP |
46 |
+-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny |
47 |
+-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP |
48 |
|
49 |
# ok icmp codes |
50 |
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT |
51 |
diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8 |
52 |
index d9e3d5a..bfc83e2 100644 |
53 |
--- a/doc/ufw-framework.8 |
54 |
+++ b/doc/ufw-framework.8 |
55 |
@@ -167,9 +167,9 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have: |
56 |
net.ipv4.ip_forward=1 |
57 |
.TP |
58 |
Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: |
59 |
- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ |
60 |
+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate RELATED,ESTABLISHED \\ |
61 |
\-j ACCEPT |
62 |
- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ |
63 |
+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\ |
64 |
\-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT |
65 |
.TP |
66 |
Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section: |
67 |
@@ -209,13 +209,13 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have: |
68 |
net.ipv4.ip_forward=1 |
69 |
.TP |
70 |
Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: |
71 |
- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ |
72 |
+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate RELATED,ESTABLISHED \\ |
73 |
\-j ACCEPT |
74 |
|
75 |
- \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m state \\ |
76 |
- \-\-state NEW \-j ACCEPT |
77 |
+ \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m conntrack \\ |
78 |
+ \-\-ctstate NEW \-j ACCEPT |
79 |
|
80 |
- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ |
81 |
+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\ |
82 |
\-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT |
83 |
|
84 |
\-A ufw\-before\-forward \-o eth0 \-d 10.0.0.0/8 \-j REJECT |
85 |
diff --git a/src/backend_iptables.py b/src/backend_iptables.py |
86 |
index 340beba..4459a3b 100644 |
87 |
--- a/src/backend_iptables.py |
88 |
+++ b/src/backend_iptables.py |
89 |
@@ -551,7 +551,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend): |
90 |
lstr = '%s -j LOG --log-prefix "[UFW %s] "' % (limit_args, \ |
91 |
policy) |
92 |
if not pat_logall.search(s): |
93 |
- lstr = '-m state --state NEW ' + lstr |
94 |
+ lstr = '-m conntrack --ctstate NEW ' + lstr |
95 |
snippets[i] = pat_log.sub(r'\1-j \2\4', s) |
96 |
snippets.insert(i, pat_log.sub(r'\1-j ' + prefix + \ |
97 |
'-user-logging-' + suffix, s)) |
98 |
@@ -567,9 +567,9 @@ class UFWBackendIptables(ufw.backend.UFWBackend): |
99 |
pat_limit = re.compile(r' -j LIMIT') |
100 |
for i, s in enumerate(snippets): |
101 |
if pat_limit.search(s): |
102 |
- tmp1 = pat_limit.sub(' -m state --state NEW -m recent --set', \ |
103 |
+ tmp1 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent --set', \ |
104 |
s) |
105 |
- tmp2 = pat_limit.sub(' -m state --state NEW -m recent' + \ |
106 |
+ tmp2 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent' + \ |
107 |
' --update --seconds 30 --hitcount 6' + \ |
108 |
' -j ' + prefix + '-user-limit', s) |
109 |
tmp3 = pat_limit.sub(' -j ' + prefix + '-user-limit-accept', s) |
110 |
@@ -1178,12 +1178,12 @@ class UFWBackendIptables(ufw.backend.UFWBackend): |
111 |
prefix = "[UFW BLOCK] " |
112 |
if self.loglevels[level] < self.loglevels["medium"]: |
113 |
# only log INVALID in medium and higher |
114 |
- rules_t.append([c, ['-I', c, '-m', 'state', \ |
115 |
- '--state', 'INVALID', \ |
116 |
+ rules_t.append([c, ['-I', c, '-m', 'conntrack', \ |
117 |
+ '--ctstate', 'INVALID', \ |
118 |
'-j', 'RETURN'] + largs, '']) |
119 |
else: |
120 |
- rules_t.append([c, ['-A', c, '-m', 'state', \ |
121 |
- '--state', 'INVALID', \ |
122 |
+ rules_t.append([c, ['-A', c, '-m', 'conntrack', \ |
123 |
+ '--ctstate', 'INVALID', \ |
124 |
'-j', 'LOG', \ |
125 |
'--log-prefix', \ |
126 |
"[UFW AUDIT INVALID] "] + \ |
127 |
@@ -1202,7 +1202,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend): |
128 |
|
129 |
# loglevel medium logs all new packets with limit |
130 |
if self.loglevels[level] < self.loglevels["high"]: |
131 |
- largs = ['-m', 'state', '--state', 'NEW'] + limit_args |
132 |
+ largs = ['-m', 'conntrack', '--ctstate', 'NEW'] + limit_args |
133 |
|
134 |
prefix = "[UFW AUDIT] " |
135 |
for c in self.chains['before']: |
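Review bot: The literal `-m conntrack --ctstate NEW` is now spelled out in four separate places in this file (the `lstr` prefix, both `pat_limit.sub` replacements, and the `largs` list), plus the two `['-m', 'conntrack', '--ctstate', 'INVALID']` lists in the INVALID-logging branch, so the next change to the match would again have to find every site; a module-level constant, e.g. `CTSTATE_NEW = '-m conntrack --ctstate NEW'` with `CTSTATE_NEW.split()` at the list sites, would keep them in lockstep. Separately, if anything else in this backend matches rules on `-m state` or `--state` when reading them back (status output or rule comparison), this patch does not update it; that is not visible from these hunks, so it is worth confirming. The enclosing methods start and end outside the hunks.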
136 |
diff --git a/src/ufw-init-functions b/src/ufw-init-functions |
137 |
index f4783e7..c5e0319 100755 |
138 |
--- a/src/ufw-init-functions |
139 |
+++ b/src/ufw-init-functions |
140 |
@@ -251,15 +251,15 @@ ufw_start() { |
141 |
# add tracking policy |
142 |
if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then |
143 |
printf "*filter\n"\ |
144 |
-"-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT\n"\ |
145 |
-"-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT\n"\ |
146 |
+"-A ufw${type}-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ |
147 |
+"-A ufw${type}-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ |
148 |
"COMMIT\n" | $exe-restore -n || error="yes" |
149 |
fi |
150 |
|
151 |
if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then |
152 |
printf "*filter\n"\ |
153 |
-"-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT\n"\ |
154 |
-"-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT\n"\ |
155 |
+"-A ufw${type}-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ |
156 |
+"-A ufw${type}-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ |
157 |
"COMMIT\n" | $exe-restore -n || error="yes" |
158 |
fi |
159 |
|
160 |
diff --git a/tests/check-requirements b/tests/check-requirements |
161 |
index dbb26ec..d3ad1f8 100755 |
162 |
--- a/tests/check-requirements |
163 |
+++ b/tests/check-requirements |
164 |
@@ -152,32 +152,32 @@ for i in "" 6; do |
165 |
done |
166 |
|
167 |
echo -n "hashlimit: " |
168 |
- runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT |
169 |
+ runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m conntrack --ctstate NEW -j ACCEPT |
170 |
|
171 |
echo -n "limit: " |
172 |
runcmd $exe -A $c -m limit --limit 3/min --limit-burst 10 -j ACCEPT |
173 |
|
174 |
for j in NEW RELATED ESTABLISHED INVALID; do |
175 |
echo -n "state ($j): " |
176 |
- runcmd $exe -A $c -m state --state $j |
177 |
+ runcmd $exe -A $c -m conntrack --ctstate $j |
178 |
done |
179 |
|
180 |
echo -n "state (new, recent set): " |
181 |
if [ "$i" = "6" ]; then |
182 |
echo "skipped -- IPv6 'limit' not supported by ufw yet" |
183 |
else |
184 |
- runcmd $exe -A $c -m state --state NEW -m recent --set |
185 |
+ runcmd $exe -A $c -m conntrack --ctstate NEW -m recent --set |
186 |
fi |
187 |
|
188 |
echo -n "state (new, recent update): " |
189 |
if [ "$i" = "6" ]; then |
190 |
echo "skipped -- IPv6 'limit' not supported by ufw yet" |
191 |
else |
192 |
- runcmd $exe -A $c -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT |
193 |
+ runcmd $exe -A $c -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT |
194 |
fi |
195 |
|
196 |
echo -n "state (new, limit): " |
197 |
- runcmd $exe -A $c -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT |
198 |
+ runcmd $exe -A $c -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT |
199 |
|
200 |
echo -n "interface (input): " |
201 |
runcmd $exe -A $c -i eth0 -j ACCEPT |
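Review bot: The probe labels at the `echo -n "state ($j): "`, `"state (new, recent set): "`, `"state (new, recent update): "` and `"state (new, limit): "` lines still say "state" although the commands under them now exercise `-m conntrack --ctstate`, so a failing probe would point at the wrong iptables match; rename them to match, e.g. `echo -n "conntrack ($j): "`. With the `-m state` probes removed the script no longer verifies the state match at all, which is only correct if no remaining code path still emits `-m state`; the patch updates the generator in backend_iptables.py, but I cannot confirm from these hunks that nothing else does. The surrounding `for i in "" 6` loop starts before the hunk and ends after it.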