Univention Bugzilla – Bug 53673
disabled univention-firewall duplicates docker when restarted
Last modified: 2023-12-19 15:45:42 CET
+++ This bug was initially created as a clone of Bug #50983 +++

> systemctl stop univention-firewall.service
> systemctl start univention-firewall.service

or

> /etc/init.d/univention-firewall stop
> /etc/init.d/univention-firewall start

duplicate the docker rules each time the firewall is restarted when `security/packetfilter/disabled=True`: see Bug #50983 comment 1 for an example.
The real bug is in "stop" in /etc/init.d/univention-firewall:

    stop)
        if ! iptables --wait -t filter -L 2> /dev/null > /dev/null ; then
            log_warning_msg "$NAME: iptables --wait seems to be unsupported."
        elif is_ucr_true security/packetfilter/disabled; then
            log_warning_msg "$DESC has been disabled.\nUse 'service univention-firewall flush' to remove existing iptable chains."
        else
            "$0" flush
            log_daemon_msg "Stopping $DESC"
        fi

When the firewall is disabled, "flush" is never called on "stop", so "start" just re-adds those rules again each time.

"stop" / "flush" probably should also do an

    iptables -X  # delete all USER DEFINED rules
Please also fix line 8:

    # Short-Description: Univention iptables --wait configuration

by removing the " --wait" from there, as the text is displayed by

> systemctl status univention-firewall.service
> ● univention-firewall.service - LSB: Univention iptables --wait configuration
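A check for the symptom described above, added here as an example (it is not from the bug report, the merge request or the univention-firewall package): it counts rule lines that occur more than once in an iptables-save dump, which is what repeated stop/start cycles with the firewall disabled leave behind. The dump below is constructed; on a live host the function reads from iptables-save instead.

```shell
#!/bin/sh
# Added example, not part of the univention-firewall package.
# Reads an iptables-save dump on stdin and prints how many extra copies of
# rules it contains. Rules are keyed by table plus the full "-A ..." line,
# so an identical rule in the filter and nat tables is not a false positive.
count_duplicate_rules() {
    awk '/^\*/ { table = $0; next }
         /^-A / { print table " " $0 }' | sort | uniq -c |
        awk '$1 > 1 { n += $1 - 1 } END { print n + 0 }'
}

# Constructed sample dump: the FORWARD jump and the DOCKER chain rule appear
# twice, as after one restart of the disabled firewall; the INPUT rule once.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Returns 0 when the dump has no duplicated rules, 1 otherwise, so it can be
# used from a monitoring script; the argument is the dump text.
check_dump() {
    n=$(printf '%s\n' "$1" | count_duplicate_rules)
    echo "duplicated rule entries: $n"
    [ "$n" -eq 0 ]
}

# Live usage (requires root): iptables-save | count_duplicate_rules
check_dump "$SAMPLE_DUMP"
```

The sample dump yields 2 duplicated entries; a dump with every rule present once yields 0.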
https://git.knut.univention.de/univention/ucs/-/merge_requests/369