Package: ufw
Version: 0.36-7.1
Severity: important
File: /etc/init.d/ufw
Justification: renders package unusable
X-Debbugs-Cc: ro...@rilynn.me.uk

Hi,

ufw apparently depends on nftables but the init script does not declare it.
This results in errors from iptables-restore when ufw starts:

Starting firewall: ufw...
iptables-restore v1.8.7 (nf_tables):
line 42: CHAIN_USER_ADD failed (No such file or directory): chain ufw-before-logging-input
line 42: CHAIN_USER_ADD failed (No such file or directory): chain ufw-before-logging-output
line 42: CHAIN_USER_ADD failed (No such file or directory): chain ufw-before-logging-forward
line 42: CHAIN_USER_ADD failed (No such file or directory): chain ufw-before-input
line 42: CHAIN_USER_ADD failed (No such file or directory): chain ufw-before-output
line 42: CHAIN_USER_ADD failed (No such file or directory): chain ufw-before-forward
line 42: CHAIN_USER_ADD failed (No such file or directory): chain ufw-after-input
line 42: CHAIN_USER_ADD failed (No such file or directory): chain ufw-after-output
line 42: CHAIN_USER_ADD failed (No such file or directory): chain ufw-after-forward
line 42: CHAIN_USER_ADD failed (No such file or directory): chain ufw-after-logging-input
line 42: CHAIN_USER_ADD failed (No such file or directory): chain ufw-after-logging-output
line 42: RULE_APPEND failed (No such file or directory): rule in
iptables-restore: line 3 failed
iptables-restore: line 3 failed
iptables-restore: line 4 failed
failed.
startpar: service(s) returned failure: ufw ... failed!


Adding "nftables" to the Required-Start: and Required-Stop: lines in 
/etc/init.d/ufw resolves the problem:

# Required-Start:    $local_fs nftables
# Required-Stop:     $local_fs nftables


Thanks,

Roger




-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-5-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages ufw depends on:
ii  debconf [debconf-2.0]  1.5.75
ii  iptables               1.8.7-1
ii  lsb-base               11.1.0
ii  python3                3.9.2-2
ii  ucf                    3.0043

ufw recommends no packages.

Versions of packages ufw suggests:
ii  rsyslog  8.2102.0-2

-- Configuration Files:
/etc/default/ufw changed:
IPV6=yes
DEFAULT_INPUT_POLICY="REJECT"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="REJECT"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=
IPT_MODULES=""

/etc/init.d/ufw changed:
set -e
PATH="/sbin:/bin"
[ -d /lib/ufw ] || exit 0
. /lib/lsb/init-functions
for s in "/lib/ufw/ufw-init-functions" "/etc/ufw/ufw.conf" "/etc/default/ufw" ; do
    if [ -s "$s" ]; then
        . "$s"
    else
        log_failure_msg "Could not find $s (aborting)"
        exit 1
    fi
done
error=0
case "$1" in
start)
    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
        log_action_begin_msg "Starting firewall:" "ufw"
        output=`ufw_start` || error="$?"
        if [ "$error" = "0" ]; then
            log_action_cont_msg "Setting kernel variables ($IPT_SYSCTL)"
        fi
        if [ ! -z "$output" ]; then
            echo "$output" | while read line ; do
                log_action_cont_msg "$line"
            done
        fi
    else
        log_action_begin_msg "Skip starting firewall:" "ufw (not enabled)"
    fi
    log_action_end_msg $error
    exit $error
    ;;
stop)
    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
        log_action_begin_msg "Stopping firewall:" "ufw"
        output=`ufw_stop` || error="$?"
        if [ ! -z "$output" ]; then
            log_action_cont_msg "$output"
        fi
    else
        log_action_begin_msg "Skip stopping firewall:" "ufw (not enabled)"
    fi
    log_action_end_msg $error
    exit $error
    ;;
restart|force-reload)
    log_action_begin_msg "Reloading firewall:" "ufw"
    output=`ufw_reload` || error="$?"
    if [ ! -z "$output" ]; then
        log_action_cont_msg "$output"
    fi
    log_action_end_msg $error
    exit $error
    ;;
status)
    output=`ufw_status` || error="$?"
    if [ ! -z "$output" ]; then
        log_action_cont_msg "$output"
    fi
    log_action_end_msg $error
    exit $error
    ;;
*)
    echo "Usage: /etc/init.d/ufw {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac
exit 0


-- debconf information:
* ufw/enable: true
* ufw/allow_known_ports: SSH
  ufw/allow_custom_ports:
* ufw/existing_configuration:
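
Added example (not part of the original report or of the ufw package): a small POSIX sh check that reads an init script's LSB header and reports whether a facility such as nftables is listed on both Required-Start: and Required-Stop:. The function names and the two sample headers are constructed for illustration.

```shell
#!/bin/sh
# lsb_field FILE KEY: print the value of "# KEY: ..." from the INIT INFO block.
lsb_field() {
    awk -v key="$2" '
        /^### BEGIN INIT INFO/ { inblk = 1; next }
        /^### END INIT INFO/   { inblk = 0 }
        inblk && index($0, "# " key ":") == 1 {
            sub(/^# [^:]*:[ \t]*/, "")
            print
            exit
        }
    ' "$1"
}

# lsb_requires FILE FACILITY: return 0 only if FACILITY is listed on both
# Required-Start and Required-Stop; otherwise name the missing field on stderr.
lsb_requires() {
    for key in Required-Start Required-Stop; do
        case " $(lsb_field "$1" "$key" | tr '\t' ' ') " in
            *" $2 "*) ;;
            *) echo "$1: $key does not list $2" >&2; return 1 ;;
        esac
    done
    return 0
}

# write_sample FILE VALUE: constructed header using VALUE for both fields.
write_sample() {
    cat > "$1" <<EOF
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ufw
# Required-Start:    $2
# Required-Stop:     $2
### END INIT INFO
EOF
}

# Demo on constructed input: header without and with the nftables dependency.
tmp=$(mktemp -d)
write_sample "$tmp/ufw.without" '$local_fs'
write_sample "$tmp/ufw.with" '$local_fs nftables'
for f in "$tmp/ufw.without" "$tmp/ufw.with"; do
    if lsb_requires "$f" nftables; then echo "ok: $f"; fi
done
rm -rf "$tmp"
```

To check an installed script, call lsb_requires /etc/init.d/ufw nftables.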
