Bug#912595: ufw fails to start with option IPV6=yes in /etc/default/ufw ERROR: unknown option "--icmpv6-type"

2018-11-01 Thread Jamie Strandboge
On Thu, 01 Nov 2018, Karlheinz Geyer wrote:

> Hi Jamie,
> thx vm for ur reply...
> 
> Jamie Strandboge  [01.11.2018 13.34.36 -0500]:
> 
> > What is the output of:
> > 
> > $ sudo /usr/share/ufw/check-requirements
> 
> # /usr/share/ufw/check-requirements
> Has python: pass (binary: python2.7, version: 2.7.15+, py2)
> Has iptables: pass
> Has ip6tables: pass
> 
> Has /proc/net/dev: pass
> Has /proc/net/if_inet6: pass
> 
> This script will now attempt to create various rules using the iptables
> and ip6tables commands. This may result in module autoloading (eg, for
> IPv6).
> Proceed with checks (Y/n)? 
...
> == IPv6 ==
> Creating 'ufw-check-requirements6'... done
> Inserting RETURN at top of 'ufw-check-requirements6'... done
...
> icmpv6 (destination-unreachable): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 (packet-too-big): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 (time-exceeded): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 (parameter-problem): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 (echo-request): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 with hl (neighbor-solicitation): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 with hl (neighbor-advertisement): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 with hl (router-solicitation): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 with hl (router-advertisement): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> ipv6 rt: pass
> 
It looks like your kernel doesn't support these options and you may want to
upgrade your kernel and/or update its config.

Please note that the recent upgrade to iptables 1.8.1 in sid caused a
regression in ufw:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911986#35
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912610

-- 
Jamie Strandboge | http://www.canonical.com
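
Added example (not part of the original messages and not ufw code): a small parser for check-requirements output in the format quoted above, which groups the FAIL lines by the tool, version, backend and error text reported on the following "error was:" line. The function names and the shortened sample input are constructed for illustration.

```python
import re

# Constructed sample: shortened excerpt in the format quoted in this thread,
# including the "> " mail quoting.
SAMPLE = """\
> Has ip6tables: pass
> == IPv6 ==
> icmpv6 (echo-request): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> icmpv6 with hl (router-advertisement): FAIL
> error was: ip6tables v1.8.1 (nf_tables): unknown option "--icmpv6-type"
> ipv6 rt: pass
"""

SECTION = re.compile(r"^== (.+) ==$")
RESULT = re.compile(r"^(.+?): (pass|FAIL)\b")
ERROR = re.compile(r"^error was: (\S+) v(\S+)(?: \(([^)]+)\))?: (.*)$")


def parse_checks(text):
    """Return one dict per check line; FAIL entries carry the parsed error."""
    checks, section = [], None
    for raw in text.splitlines():
        # Drop mail quote markers so pasted replies parse like raw output.
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := ERROR.match(line):
            # Attach the error to the FAIL line immediately preceding it.
            if checks and checks[-1]["status"] == "FAIL":
                tool, version, backend, message = m.groups()
                checks[-1].update(tool=tool, version=version,
                                  backend=backend, error=message)
        elif m := RESULT.match(line):
            checks.append({"section": section, "check": m.group(1),
                           "status": m.group(2)})
    return checks


def failures_by_cause(text):
    """Group failed check names by (tool, version, backend, error message)."""
    groups = {}
    for c in parse_checks(text):
        if c["status"] == "FAIL":
            key = (c.get("tool"), c.get("version"),
                   c.get("backend"), c.get("error"))
            groups.setdefault(key, []).append(c["check"])
    return groups
```

When every failure collapses into a single group, as it does for the output in this thread, the failing checks share one reported cause rather than nine separate ones.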




Bug#912595: ufw fails to start with option IPV6=yes in /etc/default/ufw ERROR: unknown option "--icmpv6-type"

2018-11-01 Thread Jamie Strandboge
What is the output of:

$ sudo /usr/share/ufw/check-requirements

-- 
Jamie Strandboge | http://www.canonical.com




Bug#912595: ufw fails to start with option IPV6=yes in /etc/default/ufw ERROR: unknown option "--icmpv6-type"

2018-11-01 Thread dk8kk
Package: ufw
Version: 0.35-6
Severity: grave
Tags: security a11y
Justification: user security hole

Dear Maintainer,

1.) Surprisingly ENABLED is set to ENABLED=no in /etc/ufw/ufw.conf after upgrade.
2.) Setting option "IPV6=yes" in /etc/default/ufw produces an error:

root@mysystem # ufw enable
ERROR: problem running ufw-init
ip6tables-restore v1.8.1 (nf_tables): unknown option "--icmpv6-type"
Error occurred at line: 38
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Problem:
-> /etc/ufw/before6.rules

Setting "IPV6=no" leads to normal operation (without IPV6 support of course)

root@mysystem # systemctl status ufw.service
● ufw.service - Uncomplicated firewall
  Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
  Active: active (exited) since Thu 2018-11-01 17:31:18 CET; 7min ago
  Docs: man:ufw(8)
  Process: 7103 ExecStop=/lib/ufw/ufw-init stop (code=exited, status=0/SUCCESS)
  Process: 7822 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
  Main PID: 7822 (code=exited, status=0/SUCCESS)

Nov 01 17:31:18 mysystem systemd[1]: Starting Uncomplicated firewall...
Nov 01 17:31:18 mysystem systemd[1]: Started Uncomplicated firewall.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufw depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  iptables               1.8.1-2
ii  lsb-base               9.20170808
ii  python3                3.6.7-1
ii  ucf                    3.0038

ufw recommends no packages.

Versions of packages ufw suggests:
ii  rsyslog  8.38.0-1+b1

-- Configuration Files:
/etc/default/ufw changed:
IPV6=yes
DEFAULT_INPUT_POLICY="ACCEPT"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"


-- debconf information:
* ufw/existing_configuration:
  ufw/allow_custom_ports:
  ufw/enable: true
  ufw/allow_known_ports:
--