Committer: Jamie Strandboge
Date: 2021-09-19 00:37:44 UTC
Revision ID: git-v1:f957f0305616e853e33554ab9b8fc8682e971bb4
src/backend_iptables.py: unconditionally reload with delete. LP: #1933117
ufw delete can confuse a protocol-specific rule with an otherwise matching
'proto any' rule. Consider:
# ufw allow from 1.1.1.1 port 2222 proto tcp # rule 1
# ufw allow from 2.2.2.2 port 3333 proto tcp # rule 2
# ufw allow from 1.1.1.1 port 2222 # rule 3
In this case the loaded firewall will have:
# iptables -L ufw-user-input -n
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333
ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
ACCEPT udp -- 1.1.1.1 0.0.0.0/0 udp spt:2222
If we delete the 3rd rule:
# ufw delete 3
Deleting:
allow from 1.1.1.1 port 2222
Proceed with operation (y|n)? y
Rule deleted
then ufw updates the running firewall with 'iptables -D', such that the
loaded firewall is out of order and ends up having:
# iptables -L ufw-user-input -n
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333
ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
Instead of using 'iptables -D' to delete the rule from the running
firewall, reload the user chains so we get the proper rule order in the
running firewall:
# iptables -L ufw-user-input -n
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 1.1.1.1 0.0.0.0/0 tcp spt:2222
ACCEPT tcp -- 2.2.2.2 0.0.0.0/0 tcp spt:3333
TODO: we only need to reload on delete when there are overlapping
proto-specific and 'proto any' rules, so a future optimization could
check for this and go back to using 'iptables -D' when there are no
overlaps.
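As an added illustration (not ufw's own code), the following simulation models how a 'proto any' rule expands into one tcp and one udp chain entry, why first-match deletion with 'iptables -D' leaves the chain out of order, and why rebuilding the chain from the remaining rules restores the intended order. The rule tuples, the expand() helper and the two delete functions are constructed for this example.

```python
# Added example (not ufw's code): simulate ufw rule expansion into an
# iptables user chain and compare the two ways of deleting rule 3.

def expand(rules):
    """Expand ufw rules into iptables chain entries, in order.
    A rule is (src, port, proto); proto 'any' becomes a tcp and a udp entry."""
    chain = []
    for src, port, proto in rules:
        protos = ("tcp", "udp") if proto == "any" else (proto,)
        for p in protos:
            chain.append((src, port, p))
    return chain

def delete_with_iptables_d(rules, index):
    """Old behaviour: issue 'iptables -D' for each expanded entry of the
    deleted rule. -D removes the FIRST chain entry matching the spec, so a
    tcp entry belonging to an earlier, identical-looking rule is removed."""
    chain = expand(rules)
    for spec in expand([rules[index]]):
        chain.remove(spec)  # list.remove drops the first match, like -D
    return chain

def delete_with_reload(rules, index):
    """New behaviour (LP: #1933117): drop the rule from the ruleset and
    rebuild the user chain from scratch, preserving the intended order."""
    remaining = rules[:index] + rules[index + 1:]
    return expand(remaining)

# Constructed ruleset matching the three commands in the commit message
# (index 2 is "rule 3" in ufw's 1-based numbering).
RULES = [
    ("1.1.1.1", 2222, "tcp"),   # rule 1
    ("2.2.2.2", 3333, "tcp"),   # rule 2
    ("1.1.1.1", 2222, "any"),   # rule 3
]

if __name__ == "__main__":
    for name, chain in (("iptables -D", delete_with_iptables_d(RULES, 2)),
                        ("reload", delete_with_reload(RULES, 2))):
        print(f"ufw-user-input after 'ufw delete 3' via {name}:")
        for src, port, proto in chain:
            print(f"  ACCEPT {proto} -- {src} 0.0.0.0/0 {proto} spt:{port}")
```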