Bug 53673 - disabled univention-firewall duplicates docker when restarted
Status: NEW
Product: UCS
Classification: Unclassified
Component: Firewall (univention-firewall)
UCS 5.0
Other Linux
P5 normal
Assigned To: UCS maintainers
UCS maintainers
https://git.knut.univention.de/univen...
Depends on: 50983 44829
Blocks:
Reported: 2021-08-18 07:59 CEST by Philipp Hahn
Modified: 2023-12-19 15:45 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
hahn: Patch_Available+
Description Philipp Hahn univentionstaff 2021-08-18 07:59:19 CEST
+++ This bug was initially created as a clone of Bug #50983 +++
> systemctl stop univention-firewall.service
> systemctl start univention-firewall.service
or
> /etc/init.d/univention-firewall stop
> /etc/init.d/univention-firewall start

duplicate the docker rules each time the firewall is restarted when `security/packetfilter/disabled=True`:

see Bug #50983 comment 1 for an example.
Comment 1 Philipp Hahn univentionstaff 2021-08-18 08:10:26 CEST
The real bug is in "stop" in /etc/init.d/univention-firewall:
    stop)
        if ! iptables --wait -t filter -L 2> /dev/null > /dev/null ; then
            log_warning_msg "$NAME: iptables --wait seems to be unsupported."
        elif is_ucr_true security/packetfilter/disabled; then
            log_warning_msg "$DESC has been disabled.\nUse 'service univention-firewall flush' to remove existing iptable chains."
        else
            "$0" flush
            log_daemon_msg "Stopping $DESC"
        fi

When the firewall is disabled, "flush" is never called on "stop", so "start" just re-adds those rules again each time.

"stop" / "flush" probably should also do a
  iptables -X # delete all USER DEFINED rules
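To check whether a host's rule set already shows the duplication described in this comment (every restart appending the Docker rules once more), and to produce a cleaned dump that can be handed to iptables-restore, here is an added example. It is not part of the bug report or of the univention-firewall package; it works on iptables-save output, the dump embedded in it is a constructed sample, and the function names are the example's own.

```python
"""Find and remove duplicated rules in an iptables-save dump.

Added example, not code from the univention-firewall package. It looks for
the symptom from the bug (identical '-A' rules appended more than once in the
same table) and writes a deduplicated dump that iptables-restore accepts.
"""
from collections import Counter

# Constructed sample (not captured from a real UCS host): the Docker rules in
# the filter and nat tables have been appended twice, once per "start".
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
"""


def iter_rules(dump):
    """Yield (table, rule) for every '-A' line, tracking the current '*table'."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            if table is None:
                raise ValueError("rule before any *table header: %r" % line)
            yield table, line


def find_duplicates(dump):
    """Return {(table, rule): count} for every rule occurring more than once."""
    counts = Counter(iter_rules(dump))
    return {key: n for key, n in counts.items() if n > 1}


def dedupe_dump(dump):
    """Return the dump with each (table, rule) kept only at its first position.

    Chain declarations, policies and COMMIT lines pass through unchanged, so
    the result is still valid iptables-restore input. Because the extra copies
    were appended after the original rules, dropping the later copies keeps
    the original rule order.
    """
    seen = set()
    table = None
    out = []
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped.startswith("*"):
            table = stripped[1:]
        elif stripped.startswith("-A "):
            if (table, stripped) in seen:
                continue  # later copy of a rule already present in this table
            seen.add((table, stripped))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage on a live host: iptables-save | python3 this_script.py
    import sys
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for (table, rule), n in sorted(find_duplicates(dump).items()):
        print("%s: %d x %s" % (table, n, rule))
    sys.stdout.write(dedupe_dump(dump)) if "--fix" in sys.argv else None
```

Review the reported duplicates before feeding the cleaned dump to iptables-restore: the script collapses any rule that appears twice in a table, including one that was deliberately added twice. The same check suggests the fix on the "start" side as well, since a rule added with `iptables -C <rule> || iptables -A <rule>` is never appended a second time, whereas a bare `iptables -A` is not idempotent.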
Comment 2 Philipp Hahn univentionstaff 2021-08-18 08:13:31 CEST
Please also fix:
  # Short-Description: Univention iptables --wait configuration
by removing the " --wait" from there, as the text is displayed by
> systemctl status univention-firewall.service
> ● univention-firewall.service - LSB: Univention iptables --wait configuration