Bug 437266 - net-firewall/ufw-0.33* USE=-ipv6 - `ufw status' fails when it cannot find ip6tables and on kernels with disabled IPv6
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Sławomir Nizio
URL: https://bugs.launchpad.net/ufw/+bug/1...
Reported: 2012-10-05 08:43 UTC by Karsten Renhak
Modified: 2012-12-17 19:39 UTC (History)
Attachments
version bump (ufw-to-0.34_pre805.patch,9.05 KB, patch)
2012-12-17 08:08 UTC, Sławomir Nizio
Description Karsten Renhak 2012-10-05 08:43:12 UTC
net-firewall/ufw-0.33 crashes on a system with the ipv6 USE flag globally disabled.

Here is the output from ufw status:
# ufw status
Traceback (most recent call last):
  File "/usr/sbin/ufw-2.7", line 95, in <module>
    ui = ufw.frontend.UFWFrontend(pr.dryrun)
  File "/usr/lib64/python2.7/site-packages/ufw/frontend.py", line 153, in __init__
    self.backend = UFWBackendIptables(dryrun)
  File "/usr/lib64/python2.7/site-packages/ufw/backend_iptables.py", line 45, in __init__
    ufw.backend.UFWBackend.__init__(self, "iptables", dryrun, files)
  File "/usr/lib64/python2.7/site-packages/ufw/backend.py", line 88, in __init__
    nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
  File "/usr/lib64/python2.7/site-packages/ufw/util.py", line 734, in get_netfilter_capabilities
    raise OSError(errno.ENOENT, out)
OSError: [Errno 2] [Errno 2] No such file or directory


As far as I can see, ufw is trying to call ip6tables, but iptables was built without ipv6 support.

After building iptables with ipv6 use flag, ufw is running fine.



Reproducible: Always

Steps to Reproduce:
1. Build iptables without ipv6 support
2. Call ufw status
Actual Results:  
The python error message appears and ufw terminates.

Expected Results:  
ufw should run fine even without iptables ipv6 use flag or the ebuild should depend on iptables with ipv6 use flag.

# emerge --info 
Portage 2.1.11.9 (hardened/linux/amd64, gcc-4.5.4, glibc-2.15-r2, 3.5.4-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.5.4-hardened-r1-x86_64-Intel_Core_i7_9xx_-Nehalem_Class_Core_i7-with-gentoo-2.1
Timestamp of tree: Fri, 05 Oct 2012 07:15:01 +0000
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc:           2.15-r2
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://ftp.tu-ilmenau.de/mirror/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.heanet.ie/pub/gentoo/"
LANG="de_DE.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="acl acpi amd64 bash-completion berkdb bzip2 caps cli cracklib crypt ctype cups cxx dri fam gdbm gpm hardened iconv icu idn iproute2 justify logrotate lzma mmx mmxext modules mudflap multilib ncurses nls nptl openmp pam pax_kernel pcre pppd readline session skey spell sse sse2 sse3 sse4 sse4a ssl ssse3 tcpd threads unicode urandom usb vim-syntax xattr zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de en" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="vesa vga" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy 
condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON


I used net-firewall/iptables-1.4.13 with USE="-ipv6 -netlink -static-libs" to reproduce the bug.
Comment 1 Karsten Renhak 2012-10-05 09:11:19 UTC
I tried it on another system with a kernel without ipv6 support, but where iptables was built with the ipv6 flag, and I got this error message:

# ufw status
Traceback (most recent call last):
  File "/usr/sbin/ufw-2.7", line 95, in <module>
    ui = ufw.frontend.UFWFrontend(pr.dryrun)
  File "/usr/lib64/python2.7/site-packages/ufw/frontend.py", line 153, in __init__
    self.backend = UFWBackendIptables(dryrun)
  File "/usr/lib64/python2.7/site-packages/ufw/backend_iptables.py", line 45, in __init__
    ufw.backend.UFWBackend.__init__(self, "iptables", dryrun, files)
  File "/usr/lib64/python2.7/site-packages/ufw/backend.py", line 88, in __init__
    nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
  File "/usr/lib64/python2.7/site-packages/ufw/util.py", line 734, in get_netfilter_capabilities
    raise OSError(errno.ENOENT, out)
OSError: [Errno 2] FATAL: Module ip6_tables not found.
ip6tables v1.4.13: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

So this message differs only in the last three lines from the original one.

But that means either the ufw ebuild has to check kernel ipv6 support and the iptables ipv6 USE flag, or the ufw python code has to skip the ip6tables calls.
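
The second option from comment 1, skipping the ip6tables calls when IPv6 is unavailable, as an added example (not ufw's or the ebuild's code). The names `V6State`, `probe_ipv6` and `managed_families` are hypothetical, and treating `/proc/net/if_inet6` as the kernel IPv6 indicator is an assumption.

```python
import os
import shutil
import subprocess
from enum import Enum


class V6State(Enum):
    OK = "IPv6 filtering available"
    NO_BINARY = "ip6tables is not installed"  # e.g. iptables built with USE=-ipv6
    NO_KERNEL = "kernel has no IPv6 support"
    NO_TABLE = "ip6tables cannot open the filter table"


def probe_ipv6(which=shutil.which, proc_root="/proc", run=subprocess.run):
    """Classify IPv6 firewall support without raising for the cases in this bug.

    which, proc_root and run are injectable so the probe can be tested offline.
    """
    exe = which("ip6tables")
    if exe is None:
        return V6State.NO_BINARY, "ip6tables not found in PATH"
    # Assumption: net/if_inet6 exists only while the kernel IPv6 stack is active.
    if not os.path.exists(os.path.join(proc_root, "net", "if_inet6")):
        return V6State.NO_KERNEL, "no net/if_inet6 under " + proc_root
    try:
        res = run([exe, "-L", "-n"], stdout=subprocess.PIPE,
                  stderr=subprocess.STDOUT, universal_newlines=True)
    except OSError as exc:  # binary vanished or is not executable
        return V6State.NO_BINARY, str(exc)
    if res.returncode != 0:
        return V6State.NO_TABLE, res.stdout.strip()
    return V6State.OK, ""


def managed_families(state):
    """IPv4 rules are always managed; IPv6 only when the probe succeeded."""
    return ["ipv4", "ipv6"] if state is V6State.OK else ["ipv4"]


if __name__ == "__main__":
    state, detail = probe_ipv6()
    print(state.name, "-", detail or state.value)
    print("managing:", ", ".join(managed_families(state)))
```

`NO_BINARY` on a kernel that does have IPv6 means IPv6 traffic is left unfiltered, so a caller should report that state to the operator rather than skip it silently.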
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-05 17:04:40 UTC
It properly RDEPENDs on >=net-firewall/iptables-1.4[ipv6?]
Comment 3 Sławomir Nizio 2012-10-05 19:39:48 UTC
Thanks for reporting!

Recent changes in UFW have caused this unexpectedly. This is very similar to https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1044361 and indeed, patches introduced there *seem* to make ufw work with net-firewall/iptables[-ipv6] (i.e. rules take effect), despite the fact it calls error() and exits.

# ufw enable
ERROR: initcaps
[Errno 2] [Errno 2] No such file or directory

This looks like a special case of the issue from that upstream bug and needs to be handled correctly. I will notify upstream about this shortly.

The older version that is still in Portage, 0.31.1, doesn't have this problem.
Comment 4 Sławomir Nizio 2012-10-11 19:36:31 UTC
- Bug filed upstream.
- Soon 0.33-r1 will be committed, but that's unrelated to this bug. (It will contain a patch to avoid a warning from iptables 1.4.16.2 about 'state' module being deprecated.)
- Due to this bug some people may want to use the older Ufw, so 0.31.1-r1 with the fix above will be available too.
(I'm a "proxied" maintainer btw.)
Comment 5 Sławomir Nizio 2012-11-30 20:15:57 UTC
While there's no clean fix, forcing ipv6 on iptables and checking if enabled in the kernel is the way to go, as you suggest.
Question is if ipv6 USE flag should be kept. Now it would only set default configuration in the configuration file. I think it is quite convenient, but on the other hand it would be somewhat artificial and misleading.

By the way, here's a URL that tracks the "kernel without IPv6 support -> failure" problem: https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1039729
and the bug about failure with iptables[-ipv6] in URL field.
Comment 6 Sławomir Nizio 2012-12-06 13:23:31 UTC
-r2 which checks for IPv6 is in Portage (thanks Ian for committing).
Also, -r2 for both currently present versions installs the check-requirements script because (although by design it requires IPv6 enabled) it can be useful for debugging problems.

One more thing, this bug is now fixed in upstream's VCS. :) It looks good so I'm going to make an update in the upcoming days.
Comment 7 Sergey Popov gentoo-dev 2012-12-17 08:01:58 UTC
CCing proxy maintainers for speeding up resolving of this
Comment 8 Sławomir Nizio 2012-12-17 08:08:08 UTC
Created attachment 332550
version bump

Explanation: I need new proxy (committer), so if there's anyone who wants, please contact me.
In the meantime I'm attaching a patch that fixes it properly.
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2012-12-17 10:28:43 UTC
(In reply to comment #8)
> Created attachment 332550
> version bump
> 
> Explanation: I need new proxy (committer), so if there's anyone who wants,
> please contact me.
> In the meantime I'm attaching a patch that fixes it properly.

ok someone of us will do it ;)
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2012-12-17 17:35:34 UTC
(In reply to comment #8)
> Created attachment 332550
> version bump
> 
> Explanation: I need new proxy (committer), so if there's anyone who wants,
> please contact me.
> In the meantime I'm attaching a patch that fixes it properly.

What would the ebuild filename be? Is it a revbump? If it is a version bump like you claim, what is the version number?
Comment 11 Markos Chandras (RETIRED) gentoo-dev 2012-12-17 17:56:36 UTC
Hmm sorry I see what's going on here
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2012-12-17 19:21:01 UTC
+*ufw-0.34_pre805 (17 Dec 2012)
+
+  17 Dec 2012; Markos Chandras <hwoarang@gentoo.org> +ufw-0.34_pre805.ebuild,
+  metadata.xml:
+  Version bump. Fixes bug #437266. Thanks to slawomir.nizio@sabayon.org
+
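Review bot: the entry lists metadata.xml as modified, but the message ("Version bump. Fixes bug #437266.") does not say what changed in it; add a short clause for the metadata.xml change, and consider naming the failure being fixed rather than only the bug number, so the ChangeLog is readable without the tracker.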
Comment 13 Sławomir Nizio 2012-12-17 19:39:25 UTC
Thanks, Markos.