Bug 53673

Summary: disabled univention-firewall duplicates docker when restarted
Product: UCS
Reporter: Philipp Hahn <hahn>
Component: Firewall (univention-firewall)
Assignee: UCS maintainers <ucs-maintainers>
Status: NEW
QA Contact: UCS maintainers <ucs-maintainers>
Severity: normal
Priority: P5
CC: botner, damrose, schwardt
Version: UCS 5.0
Flags: hahn: Patch_Available+
Target Milestone: ---
Hardware: Other
OS: Linux
URL: https://git.knut.univention.de/univention/ucs/-/merge_requests/369
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=55807
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Bug Depends on: 50983, 44829

Description Philipp Hahn univentionstaff 2021-08-18 07:59:19 CEST
+++ This bug was initially created as a clone of Bug #50983 +++
> systemctl stop univention-firewall.service
> systemctl start univention-firewall.service
or
> /etc/init.d/univention-firewall stop
> /etc/init.d/univention-firewall start

duplicate the docker rules each time the firewall is restarted when `security/packetfilter/disabled=True`:

see Bug #50983 comment 1 for an example.
Comment 1 Philipp Hahn univentionstaff 2021-08-18 08:10:26 CEST
The real bug is in "stop" in /etc/init.d/univention-firewall:
    stop)
        if ! iptables --wait -t filter -L 2> /dev/null > /dev/null ; then
            log_warning_msg "$NAME: iptables --wait seems to be unsupported."
        elif is_ucr_true security/packetfilter/disabled; then
            log_warning_msg "$DESC has been disabled.\nUse 'service univention-firewall flush' to remove existing iptable chains."
        else
            "$0" flush
            log_daemon_msg "Stopping $DESC"
        fi

When the firewall is disabled, "flush" is never called on "stop", so "start" just re-adds those rules each time.

"stop" / "flush" probably should also do a
  iptables -X # delete all USER DEFINED rules
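A quick way to tell whether a host already shows the symptom described above (the same Docker rules appended once per restart), as an added example that is not part of this bug report or of the univention-firewall package. It compares the `-A` lines of `iptables-save` output per table; the sample input below is constructed, and on a live host you would pipe the real `iptables-save` into `find_duplicate_rules` instead.

```sh
#!/bin/sh
# Added example, not from the UCS project: report iptables rules that occur
# more than once in iptables-save output, which is what repeated
# stop/start cycles with security/packetfilter/disabled=True produce.
# Live usage:  iptables-save | find_duplicate_rules
find_duplicate_rules() {
    # Only "-A" (append) lines are compared; chain declarations such as
    # ":DOCKER - [0:0]" and COMMIT markers are identical by design.
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*filter" -> "filter"
        /^-A/ { key = table " " $0; count[key]++ }
        END {
            for (k in count)
                if (count[k] > 1) print count[k] "x " k
        }
    ' "$@" | sort
}

# Constructed sample shaped like iptables-save output after two restarts:
# the Docker jump rules in nat/PREROUTING and filter/FORWARD are doubled.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:INPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT'

# Number of distinct rules that are duplicated in the sample (expected: 2).
count_duplicate_rules() {
    printf '%s\n' "$SAMPLE_RULES" | find_duplicate_rules | wc -l | tr -d ' '
}
```

A clean host prints nothing; any output line means a rule was appended more than once and a single `service univention-firewall flush` followed by `start` restores one copy per rule.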
Comment 2 Philipp Hahn univentionstaff 2021-08-18 08:13:31 CEST
Please also fix:
  # Short-Description: Univention iptables --wait configuration
by removing the " --wait" from there, as the text is displayed by
> systemctl status univention-firewall.service
> ● univention-firewall.service - LSB: Univention iptables --wait configuration