ufw on 5.14.8-2-MANJARO-ARM
My new Pinephone just came in the mail today. Everything's going great and I'm loving the phone but I just ran into a snag trying to do some basic security hardening.


ufw enable returns the following

ERROR: problem running ufw-init
iptables-restore v1.8.7 (legacy): Couldn't load match `limit':No such file or directory

Error occurred at line: 63
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.7 (legacy): Couldn't load match `limit':No such file or directory

Error occurred at line: 24
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ip6tables-restore v1.8.7 (legacy): Couldn't load match `hl':No such file or directory

Error occurred at line: 50
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
ip6tables-restore v1.8.7 (legacy): Couldn't load match `limit':No such file or directory

Error occurred at line: 21
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/user.rules'
Problem running '/etc/ufw/before6.rules'
Problem running '/etc/ufw/user6.rules'



I've done a little bit of debugging and found some interesting things by stracing iptables. The following strace snippets show where iptables is failing.

strace iptables -C INPUT -m limit

socket(AF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)          = 0
newfstatat(AT_FDCWD, "/proc/net/ip_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, 0xffffd599c688, [30]) = -1 ENOENT (No such file or directory)
close(3)                                = 0
write(2, "iptables v1.8.7 (legacy): ", 26iptables v1.8.7 (legacy): ) = 26
write(2, "Couldn't load match `limit':No s"..., 54Couldn't load match `limit':No such file or directory

strace ip6tables -C INPUT -m limit

socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC)          = 0
newfstatat(AT_FDCWD, "/proc/net/ip6_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip6_tables_names", {f_type=PROC_SUPER_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IPV6, IP6T_SO_GET_REVISION_MATCH, 0xffffe47f8038, [30]) = -1 ENOENT (No such file or directory)
close(3)                                = 0
write(2, "ip6tables v1.8.7 (legacy): ", 27ip6tables v1.8.7 (legacy): ) = 27
write(2, "Couldn't load match `limit':No s"..., 54Couldn't load match `limit':No such file or directory


strace ip6tables -C INPUT -m hl

socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC)          = 0
newfstatat(AT_FDCWD, "/proc/net/ip6_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip6_tables_names", {f_type=PROC_SUPER_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IPV6, IP6T_SO_GET_REVISION_MATCH, 0xffffd790aae8, [30]) = -1 ENOENT (No such file or directory)
close(3)                                = 0
write(2, "ip6tables v1.8.7 (legacy): ", 27ip6tables v1.8.7 (legacy): ) = 27
write(2, "Couldn't load match `hl':No such"..., 51Couldn't load match `hl':No such file or directory


As you can see, the problem appears to be caused by a call to getsockopt with SOL_IPV6 and either IP6T_SO_GET_REVISION_MATCH or IPT_SO_GET_REVISION_MATCH. I haven't quite compiled enough kernels in my day to know for sure, but I suspect that 5.14.8-2-MANJARO-ARM may be missing some flags which are required for these getsockopt calls to succeed. Can anybody confirm?
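As an added example (not part of the post, and not ufw's or Manjaro's own tooling), here is a small POSIX shell script that turns the "Couldn't load match" lines quoted above into the kernel module and config option each match needs, and checks a kernel config for them. The ENOENT that strace shows from the IPT_SO_GET_REVISION_MATCH / IP6T_SO_GET_REVISION_MATCH getsockopt is what the kernel returns when no match of that name is registered and it could not autoload one, so the question reduces to whether the kernel was built with those matches. The mapping match NAME -> module xt_NAME -> CONFIG_NETFILTER_XT_MATCH_<NAME> is the usual xtables convention and holds for `limit` (xt_limit) and `hl` (xt_hl), though not for every match; the kernel config excerpt in the script is a constructed sample, not the real 5.14.8-2-MANJARO-ARM config.

```shell
#!/bin/sh
# Added example: map the xtables matches that iptables-restore could not load to
# the kernel module / config option providing them, and check a kernel config.

# Constructed sample input: the relevant lines from the ufw error output quoted
# in the post, embedded so the script runs offline.
UFW_ERRORS=$(cat <<'EOF'
iptables-restore v1.8.7 (legacy): Couldn't load match `limit':No such file or directory
ip6tables-restore v1.8.7 (legacy): Couldn't load match `hl':No such file or directory
ip6tables-restore v1.8.7 (legacy): Couldn't load match `limit':No such file or directory
EOF
)

# Constructed sample kernel config excerpt in /proc/config.gz format. This is an
# assumption for illustration only, NOT the real Manjaro ARM kernel config.
SAMPLE_CONFIG=$(cat <<'EOF'
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_HL is not set
EOF
)

# Extract the unique match names from "Couldn't load match `NAME'" lines,
# sorted and space separated (for the sample above: "hl limit").
missing_matches() {
    printf '%s\n' "$1" \
        | sed -n "s/.*Couldn't load match \`\([^']*\)'.*/\1/p" \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Usual xtables convention: match NAME lives in module xt_NAME, which is built
# when CONFIG_NETFILTER_XT_MATCH_<NAME> is enabled (limit -> xt_limit, hl -> xt_hl).
match_to_module() { printf 'xt_%s\n' "$1"; }
match_to_config() {
    printf 'CONFIG_NETFILTER_XT_MATCH_%s\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Print builtin / module / missing for option $2 in config text $1.
config_state() {
    case "$(printf '%s\n' "$1" | grep "^$2=" | head -n 1)" in
        "$2=y") echo builtin ;;
        "$2=m") echo module ;;
        *)      echo missing ;;
    esac
}

# Report every match the rules need; return 1 if the config lacks any of them.
report_missing() {   # $1: iptables/ufw error text, $2: kernel config text
    rc=0
    for m in $(missing_matches "$1"); do
        opt=$(match_to_config "$m")
        state=$(config_state "$2" "$opt")
        printf '%-6s -> %-10s %-35s %s\n' "$m" "$(match_to_module "$m")" "$opt" "$state"
        if [ "$state" = missing ]; then rc=1; fi
    done
    return $rc
}

# Optional live check of the running kernel: read its config from
# /proc/config.gz or /boot/config-$(uname -r), then dry-run modprobe.
live_check() {   # $1: error text to analyse (defaults to the sample above)
    errs=${1:-$UFW_ERRORS}
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    else
        echo "no kernel config found for $(uname -r)" >&2
        return 2
    fi
    report_missing "$errs" "$cfg" || echo "kernel $(uname -r) lacks matches the rules need"
    for m in $(missing_matches "$errs"); do
        mod=$(match_to_module "$m")
        modprobe -n "$mod" 2>/dev/null \
            && echo "modprobe -n $mod: ok" \
            || echo "modprobe -n $mod: not loadable on $(uname -r)"
    done
}

# Demo against the constructed samples; pass --live to inspect the running kernel.
if [ "${1-}" = "--live" ]; then
    live_check
else
    report_missing "$UFW_ERRORS" "$SAMPLE_CONFIG" \
        || echo "the ufw rules need matches this kernel config does not provide"
fi
```

Run it with `--live` on the phone to compare against the kernel actually booted; a `missing` state for CONFIG_NETFILTER_XT_MATCH_LIMIT or CONFIG_NETFILTER_XT_MATCH_HL, or a failed `modprobe -n xt_limit` / `modprobe -n xt_hl`, confirms that the kernel build, not ufw, is what needs fixing.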
Messages In This Thread
ufw on 5.14.8-2-MANJARO-ARM - by brkozak - 10-02-2021, 10:17 AM