Bug#1035497: ufw: Deny forwarding but still forward ping requests

2023-05-04 Thread Marek Küthe
Package: ufw
Version: 0.36-7.1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where
appropriate ***

Hello,

I use my server as a kind of VPN server, but I only want my client to
use a specific IP address. So I used the following rules:
```
ufw route deny out on client09 from any to any comment 'vpn client09'
ufw route deny in on client09 from any to any comment 'vpn client09'
ufw route prepend allow in on client09 from 172.22.149.116 comment 'vpn client09'
ufw route prepend allow in on client09 from fd04:234e:fc31:e::9 comment 'vpn client09'
```

However, I can send ping requests without 'ufw route prepend allow' and
get a response, whereas the rule clearly says Deny. Apparently ping
requests are always allowed through.

As a workaround I can add the following manually:
```
-A ufw-before-forward -i client09 -p icmp -s 172.22.149.116 -j ACCEPT
-A ufw-before-forward -i client09 -p icmp -j DROP

-A ufw6-before-forward -i client09 -p ipv6-icmp -s fd92:58b6:2b2:e::9 -j ACCEPT
-A ufw6-before-forward -i client09 -p ipv6-icmp -j DROP
```

I have set `DEFAULT_FORWARD_POLICY="ACCEPT"`.

However, I think (and hope) that this behavior is not intentional.
Hence this bug report. If I forbid a forwarding it has a good reason
and then I also want this to be forbidden.

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-22-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ufw depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  iptables               1.8.7-1
ii  lsb-base               11.1.0
ii  python3                3.9.2-3
ii  ucf                    3.0043

ufw recommends no packages.

Versions of packages ufw suggests:
ii  rsyslog  8.2102.0-2+deb11u1

-- debconf information excluded

-- debsums errors found:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "en_US:en",
LC_ALL = (unset),
LC_TIME = "de_DE.UTF-8",
LC_MONETARY = "de_DE.UTF-8",
LC_ADDRESS = "de_DE.UTF-8",
LC_TELEPHONE = "de_DE.UTF-8",
LC_NAME = "de_DE.UTF-8",
LC_MEASUREMENT = "de_DE.UTF-8",
LC_IDENTIFICATION = "de_DE.UTF-8",
LC_NUMERIC = "de_DE.UTF-8",
LC_PAPER = "de_DE.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
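
Added example, not part of the original report and not ufw's own code: a first-match walk over a constructed ruleset, showing how an ICMP ACCEPT evaluated ahead of the route rules lets a ping through despite the deny, and how the workaround lines from the report change the verdict. The chain layout (an echo-request ACCEPT in `ufw-before-forward` followed by a jump to `ufw-user-forward`) and the test source 172.22.149.200 are assumptions.

```python
import ipaddress
import shlex

# Constructed iptables-save style sample, not the reporter's actual ruleset.
# Assumption: an ICMP ACCEPT precedes the jump to the "ufw route" rules chain.
RULES = """\
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-user-forward -i client09 -s 172.22.149.116 -j ACCEPT
-A ufw-user-forward -i client09 -j DROP
"""
# The IPv4 workaround lines from the report, placed ahead of everything else.
WORKAROUND = """\
-A ufw-before-forward -i client09 -p icmp -s 172.22.149.116 -j ACCEPT
-A ufw-before-forward -i client09 -p icmp -j DROP
"""

def parse(text):
    """Map chain name -> list of {option: value} dicts, in rule order."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 4 and tok[0] == "-A":
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return chains

def matches(rule, pkt):
    """True if every match option present in the rule agrees with the packet."""
    for opt, field in (("-i", "iface"), ("-p", "proto"), ("--icmp-type", "icmp_type")):
        if opt in rule and rule[opt] != pkt.get(field):
            return False
    return "-s" not in rule or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["-s"])

def verdict(chains, chain, pkt):
    """First-match walk; returns (target, chain, index) or None on fall-through."""
    for i, rule in enumerate(chains.get(chain, [])):
        if matches(rule, pkt):
            if rule["-j"] in ("ACCEPT", "DROP", "REJECT"):
                return rule["-j"], chain, i
            hit = verdict(chains, rule["-j"], pkt)  # jump into another chain
            if hit:
                return hit
    return None

def ping(src):
    return {"iface": "client09", "proto": "icmp", "icmp_type": "echo-request", "src": src}

for label, text in (("as reported", RULES), ("with workaround", WORKAROUND + RULES)):
    print(label, verdict(parse(text), "ufw-before-forward", ping("172.22.149.200")))
```

On a live host the same ordering question can be answered by reading the output of `iptables -S ufw-before-forward` from top to bottom and noting where the jump to the user chain sits.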




Bug#1034568: binascii.Error: Odd-length string when asking the status

2023-04-18 Thread Marek Küthe
Package: ufw
Version: 0.36-7.1
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where
appropriate ***

   * What led up to the situation?
Adding a few rules:
ufw route allow in on {{ item }} from fd00::/8 to fd00::/8 comment 'dnet'
ufw route allow in on {{ item }} from 172.20.0.0/14 to 172.20.0.0/14 comment 'dnet'
ufw route allow in on {{ item }} from 10.0.0.0/8 to 10.0.0.0/8 comment 'dnet'
ufw route allow in on {{ item }} from 10.0.0.0/8 to 172.20.0.0/14 comment 'dnet'
ufw route allow in on {{ item }} from 172.20.0.0/14 to 10.0.0.0/8 comment 'dnet'
ufw route allow in on {{ item }} from 2001:db8:dead:beef::/64 to 2001:db8:dead:beef::/64 comment 'dnet'
ufw route allow in on {{ item }} from 172.24.0.0/16 to 172.24.0.0/16 comment 'dnet'

and then ufw status
   * What exactly did you do (or not do) that was effective (or ineffective)?
   * What was the outcome of this action?
Traceback (most recent call last):
  File "/usr/sbin/ufw", line 147, in <module>
    res = ui.do_action(pr.action, "", "", pr.force)
  File "/usr/lib/python3/dist-packages/ufw/frontend.py", line 652, in do_action
    res = self.get_status()
  File "/usr/lib/python3/dist-packages/ufw/frontend.py", line 261, in get_status
    out = self.backend.get_status(verbose, show_count)
  File "/usr/lib/python3/dist-packages/ufw/backend_iptables.py", line 419, in get_status
    comment_str = " # %s" % r.get_comment()
  File "/usr/lib/python3/dist-packages/ufw/common.py", line 372, in get_comment
    return ufw.util.hex_decode(self.comment)
  File "/usr/lib/python3/dist-packages/ufw/util.py", line 1104, in hex_decode
    return binascii.unhexlify(h).decode('utf-8')
binascii.Error: Odd-length string

   * What outcome did you expect instead?

the normal ufw status

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-21-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ufw depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  iptables               1.8.7-1
ii  lsb-base               11.1.0
ii  python3                3.9.2-3
ii  ucf                    3.0043

ufw recommends no packages.

Versions of packages ufw suggests:
ii  rsyslog  8.2102.0-2+deb11u1

-- Configuration Files:
/etc/default/ufw changed:
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="ACCEPT"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES=""


-- debconf information:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "en_US:en",
LC_ALL = (unset),
LC_TIME = "de_DE.UTF-8",
LC_MONETARY = "de_DE.UTF-8",
LC_ADDRESS = "de_DE.UTF-8",
LC_TELEPHONE = "de_DE.UTF-8",
LC_NAME = "de_DE.UTF-8",
LC_MEASUREMENT = "de_DE.UTF-8",
LC_IDENTIFICATION = "de_DE.UTF-8",
LC_NUMERIC = "de_DE.UTF-8",
LC_PAPER = "de_DE.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
locale: Cannot set LC_ALL to default locale: No such file or directory
  ufw/existing_configuration:
  ufw/allow_known_ports:
  ufw/allow_custom_ports:
  ufw/enable: false

-- debsums errors found:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "en_US:en",
LC_ALL = (unset),
LC_TIME = "de_DE.UTF-8",
LC_MONETARY = "de_DE.UTF-8",
LC_ADDRESS = "de_DE.UTF-8",
LC_TELEPHONE = "de_DE.UTF-8",
LC_NAME = "de_DE.UTF-8",
LC_MEASUREMENT = "de_DE.UTF-8",
LC_IDENTIFICATION = "de_DE.UTF-8",
LC_NUMERIC = "de_DE.UTF-8",
LC_PAPER = "de_DE.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").

-- 
Marek Küthe
m...@mk16.de
er/ihm he/him
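
Added example, not part of the original report and not ufw's own code: a check that scans saved rule lines for hex-encoded comments that cannot be decoded, so that a value which would abort `ufw status` with the error in the traceback is reported with its line number instead. The `### tuple ###` line layout, the `comment=<hex>` token, the interface name `wg0` and the malformed values are constructed assumptions; the report does not say how the stored comment came to be invalid.

```python
import binascii
import re

# Constructed lines in the style of saved ufw rule tuples (layout assumed).
# Line 2 holds an odd number of hex digits, line 3 holds valid hex that is
# not valid UTF-8, line 4 has no comment at all.
SAMPLE = """\
### tuple ### route:allow any any fd00::/8 any fd00::/8 in_wg0 comment=646e6574
### tuple ### route:allow any any 10.0.0.0/8 any 10.0.0.0/8 in_wg0 comment=646e657
### tuple ### route:allow any any 172.24.0.0/16 any 172.24.0.0/16 in_wg0 comment=c3
### tuple ### route:allow any any 172.20.0.0/14 any 172.20.0.0/14 in_wg0
"""

COMMENT = re.compile(r"\bcomment=(\S*)")

def decode_comment(h):
    """Return (text, None) on success or (None, reason) instead of raising."""
    try:
        return binascii.unhexlify(h).decode("utf-8"), None
    except binascii.Error as exc:      # odd length or non-hex digit
        return None, "bad hex: %s" % exc
    except UnicodeDecodeError as exc:  # valid hex, invalid UTF-8
        return None, "bad utf-8: %s" % exc.reason

def audit(text):
    """List (line number, raw value, reason) for every undecodable comment."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = COMMENT.search(line)
        if m:
            _, err = decode_comment(m.group(1))
            if err:
                findings.append((n, m.group(1), err))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: comment=%s -> %s" % finding)
```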



Bug#1031391: /lib/modules/6.0.0-12parrot1-amd64/kernel/drivers/net/wireless/ath/ath10k/ath10k_core.ko: Firmware crashed

2023-02-16 Thread Marek Küthe
Package: src:linux
Version: 6.0.12-1parrot1
Severity: important
File: /lib/modules/6.0.0-12parrot1-amd64/kernel/drivers/net/wireless/ath/ath10k/ath10k_core.ko
X-Debbugs-Cc: m...@mk16.de

Dear Maintainer,

   * What led up to the situation?
I have no idea how this situation comes about. 
   * What exactly did you do (or not do) that was effective (or ineffective)
   * What was the outcome of this action?
   * What outcome did you expect instead?

The firmware crashes (judging by the log). After that, the computer becomes 
enormously slow, the mouse does not move for a few seconds. After that it works 
again. After that, Network Manager says "disconnect". When I restart the 
Network Manager, "Device not available" appears.

-- Package-specific info:
** Version:
Linux version 6.0.0-12parrot1-amd64 (t...@parrotsec.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Parrot) 2.37.90.20220130) #1 SMP PREEMPT_DYNAMIC Debian 6.0.12-1parrot1 (2023-01-12)

** Command line:
BOOT_IMAGE=/@/boot/vmlinuz-6.0.0-12parrot1-amd64 root=UUID=4c28bef4-77fd-4464-9cd5-5b0bcc104742 ro rootflags=subvol=@ quiet cryptdevice=UUID=fed0c2db-58a8-4f7b-9ba2-9321b4f7a550:luks-fed0c2db-58a8-4f7b-9ba2-9321b4f7a550 root=/dev/mapper/luks-fed0c2db-58a8-4f7b-9ba2-9321b4f7a550 splash resume=/dev/mapper/luks-5090abc4-1254-4f9f-8ae8-2f7e0cd2bd55

** Tainted: PWO (4609)
 * proprietary module was loaded
 * kernel issued warning
 * externally-built ("out-of-tree") module was loaded

** Kernel log:
[  895.441930] ath10k_pci :01:00.0: failed to reset chip: -5
[  895.441940] ath10k_pci :01:00.0: Could not init hif: -5
[  895.441940] ath10k_pci :01:00.0: firmware crashed! (guid da96e584-b343-413c-a3be-00ae27231f2f)
[  895.441946] ath10k_pci :01:00.0: qca9377 hw1.1 target 0x05020001 chip_id 0x003821ff sub 1a3b:2b31
[  895.441949] ath10k_pci :01:00.0: kconfig debug 0 debugfs 0 tracing 0 dfs 0 testmode 0
[  895.442664] ath10k_pci :01:00.0: firmware ver WLAN.TF.2.1-00021-QCARMSWP-1 api 6 features wowlan,ignore-otp crc32 42e41877
[  895.442851] ath10k_pci :01:00.0: board_file api 2 bmi_id N/A crc32 8aedfa4a
[  895.442853] ath10k_pci :01:00.0: htt-ver 3.56 wmi-op 4 htt-op 3 cal otp max-sta 32 raw 0 hwcrypto 1
[  895.474592] ath10k_pci :01:00.0: failed to read firmware dump area: -28
[  895.474599] ath10k_pci :01:00.0: Copy Engine register dump:
[  895.601329] ath10k_pci :01:00.0: [00]: 0x00034400 4294967295 4294967295 4294967295 4294967295
[  895.728000] ath10k_pci :01:00.0: [01]: 0x00034800 4294967295 4294967295 4294967295 4294967295
[  895.854730] ath10k_pci :01:00.0: [02]: 0x00034c00 4294967295 4294967295 4294967295 4294967295
[  895.981435] ath10k_pci :01:00.0: [03]: 0x00035000 4294967295 4294967295 4294967295 4294967295
[  896.108078] ath10k_pci :01:00.0: [04]: 0x00035400 4294967295 4294967295 4294967295 4294967295
[  896.234725] ath10k_pci :01:00.0: [05]: 0x00035800 4294967295 4294967295 4294967295 4294967295
[  896.361394] ath10k_pci :01:00.0: [06]: 0x00035c00 4294967295 4294967295 4294967295 4294967295
[  896.488048] ath10k_pci :01:00.0: [07]: 0x00036000 4294967295 4294967295 4294967295 4294967295
[  910.494699] [UFW BLOCK] IN=wlx2887ba0f2920 OUT= MAC= SRC=fe80::::59fb:2dac:f719:7c09 DST=ff12:::::::8384 LEN=576 TC=0 HOPLIMIT=1 FLOWLBL=966803 PROTO=UDP SPT=43702 DPT=21027 LEN=536
[  940.491215] [UFW BLOCK] IN=wlx2887ba0f2920 OUT= MAC= SRC=fe80::::59fb:2dac:f719:7c09 DST=ff12:::::::8384 LEN=576 TC=0 HOPLIMIT=1 FLOWLBL=966803 PROTO=UDP SPT=43702 DPT=21027 LEN=536
[  967.901908] pcieport :00:1c.0: AER: Multiple Corrected error received: :00:1c.0
[  967.927294] pcieport :00:1c.0: PCIe Bus Error: severity=Corrected, type=Physical Layer, (Receiver ID)
[  967.927302] pcieport :00:1c.0:   device [8086:4db8] error status/mask=0001/2000
[  967.927309] pcieport :00:1c.0:[ 0] RxErr  (First)
[  967.927339] pcieport :00:1c.0: AER: Multiple Corrected error received: :00:1c.0
[  967.927363] pcieport :00:1c.0: AER: can't find device of ID00e0
[  970.497436] [UFW BLOCK] IN=wlx2887ba0f2920 OUT= MAC= SRC=fe80::::59fb:2dac:f719:7c09 DST=ff12:::::::8384 LEN=576 TC=0 HOPLIMIT=1 FLOWLBL=966803 PROTO=UDP SPT=43702 DPT=21027 LEN=536
[  973.646684] pcieport :00:1c.0: AER: Multiple Corrected error received: :00:1c.0
[  973.671917] pcieport :00:1c.0: PCIe Bus Error: severity=Corrected, type=Physical Layer, (Receiver ID)
[  973.671926] pcieport :00:1c.0:   device [8086:4db8] error status/mask=0001/2000
[  973.671933] pcieport :00:1c.0:[ 0] RxErr  (First)
[  999.073652] perf: interrupt took too long (2542 > 2500), lowering kernel.perf_event_max_sample_rate to 78600
[ 1000.492301] [UFW BLOCK] IN=wlx2887ba0f2920 OUT= MAC= SRC=fe80:::