10-02-2021, 10:17 AM
My new Pinephone just came in the mail today. Everything's going great and I'm loving the phone but I just ran into a snag trying to do some basic security hardening.
ufw enable returns the following:
ERROR: problem running ufw-init
iptables-restore v1.8.7 (legacy): Couldn't load match `limit':No such file or directory
Error occurred at line: 63
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.7 (legacy): Couldn't load match `limit':No such file or directory
Error occurred at line: 24
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ip6tables-restore v1.8.7 (legacy): Couldn't load match `hl':No such file or directory
Error occurred at line: 50
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
ip6tables-restore v1.8.7 (legacy): Couldn't load match `limit':No such file or directory
Error occurred at line: 21
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/user.rules'
Problem running '/etc/ufw/before6.rules'
Problem running '/etc/ufw/user6.rules'
I've done a little bit of debugging and found some interesting things by stracing iptables. The following strace snippets show where iptables is failing:
strace iptables -C INPUT -m limit
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
newfstatat(AT_FDCWD, "/proc/net/ip_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, 0xffffd599c688, [30]) = -1 ENOENT (No such file or directory)
close(3) = 0
write(2, "iptables v1.8.7 (legacy): ", 26iptables v1.8.7 (legacy): ) = 26
write(2, "Couldn't load match `limit':No s"..., 54Couldn't load match `limit':No such file or directory
strace ip6tables -C INPUT -m limit
socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
newfstatat(AT_FDCWD, "/proc/net/ip6_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip6_tables_names", {f_type=PROC_SUPER_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IPV6, IP6T_SO_GET_REVISION_MATCH, 0xffffe47f8038, [30]) = -1 ENOENT (No such file or directory)
close(3) = 0
write(2, "ip6tables v1.8.7 (legacy): ", 27ip6tables v1.8.7 (legacy): ) = 27
write(2, "Couldn't load match `limit':No s"..., 54Couldn't load match `limit':No such file or directory
strace ip6tables -C INPUT -m hl
socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
newfstatat(AT_FDCWD, "/proc/net/ip6_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip6_tables_names", {f_type=PROC_SUPER_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IPV6, IP6T_SO_GET_REVISION_MATCH, 0xffffd790aae8, [30]) = -1 ENOENT (No such file or directory)
close(3) = 0
write(2, "ip6tables v1.8.7 (legacy): ", 27ip6tables v1.8.7 (legacy): ) = 27
write(2, "Couldn't load match `hl':No such"..., 51Couldn't load match `hl':No such file or directory
As you can see, the problem appears to be caused by a call to getsockopt with SOL_IPV6 and either IP6T_SO_GET_REVISION_MATCH or IPT_SO_GET_REVISION_MATCH. I haven't quite compiled enough kernels in my day to know for sure, but I suspect that 5.14.8-2-MANJARO-ARM may be missing some flags which are required for these getsockopt calls to succeed. Can anybody confirm?
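A way to check the kernel side of this, as an added example that is not part of the original post. When iptables (or ip6tables) needs a match, it asks the kernel for it with getsockopt(IPT_SO_GET_REVISION_MATCH) (IP6T_SO_GET_REVISION_MATCH on SOL_IPV6 for ip6tables). The kernel looks for a registered xtables match of that name, attempting to autoload the xt_<name> module first; ENOENT means nothing by that name is registered at all, which is what you get when the module was never built (the corresponding CONFIG_NETFILTER_XT_MATCH_* symbol is unset), whereas EPROTONOSUPPORT would mean the match exists but not at the revision the userspace extension wants. The script below maps the match names from the error output (`limit`, `hl`) to their Kconfig symbols and checks a kernel config for them, plus whether the .ko is installed for modular builds. It assumes the running kernel exposes its config at /proc/config.gz (CONFIG_IKCONFIG_PROC=y) and its modules under /lib/modules/$(uname -r); both paths are assumptions and are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a kernel provides
# the xtables match modules that iptables-restore complained about.
#
# Background: iptables probes a match with getsockopt(IPT_SO_GET_REVISION_MATCH)
# (SOL_IPV6/IP6T_SO_GET_REVISION_MATCH for ip6tables). The kernel looks up a
# registered xt match of that name, trying to autoload xt_<name> first; ENOENT
# means nothing by that name is registered, which is the case when the module
# was never built (CONFIG_NETFILTER_XT_MATCH_<NAME> unset).
#
# Usage:  sh xt_check.sh <kernel .config or /proc/config.gz> <match>...
#         e.g. sh xt_check.sh /proc/config.gz limit hl conntrack
# The config and modules paths are assumptions; adjust to the target system.

# Map an iptables/ip6tables match name to the Kconfig symbol that builds it.
# Most follow CONFIG_NETFILTER_XT_MATCH_<UPPERCASE NAME>; the exceptions below
# are the ones the default ufw rule files tend to use.
xt_match_symbol() {
    case "$1" in
        # xt_hl provides both the IPv4 'ttl' match and the IPv6 'hl' match
        ttl|hl)            echo CONFIG_NETFILTER_XT_MATCH_HL ;;
        # tcp/udp (xt_tcpudp) are part of the x_tables core; icmp/icmp6 are
        # implemented inside ip_tables/ip6_tables, so no separate symbol exists
        tcp|udp|icmp|icmp6|icmpv6) echo builtin ;;
        *) echo "CONFIG_NETFILTER_XT_MATCH_$(printf '%s' "$1" | tr 'a-z' 'A-Z')" ;;
    esac
}

# Read a kernel config (plain .config or gzip such as /proc/config.gz) and print
# one line per match: "<match> <symbol> <y|m|missing>".
check_xt_matches() {
    cfg="$1"; shift
    case "$cfg" in
        *.gz) text=$(gzip -dc "$cfg") ;;
        *)    text=$(cat "$cfg") ;;
    esac
    for m in "$@"; do
        sym=$(xt_match_symbol "$m")
        if [ "$sym" = builtin ]; then
            printf '%s builtin y\n' "$m"
            continue
        fi
        # "# CONFIG_... is not set" lines do not match "^SYMBOL=", so they
        # fall through to "missing", which is what we want to report.
        val=$(printf '%s\n' "$text" | sed -n "s/^${sym}=//p")
        printf '%s %s %s\n' "$m" "$sym" "${val:-missing}"
    done
}

# Exit 0 only if every listed match is built in (y) or built as a module (m).
xt_matches_available() {
    check_xt_matches "$@" | awk '$3 == "missing" { bad = 1 } END { exit bad }'
}

# For modular builds (=m), also confirm the .ko (possibly compressed, e.g.
# .ko.zst or .ko.xz) is installed under the given modules tree,
# e.g. /lib/modules/$(uname -r). A missing file means autoload must fail too.
xt_module_installed() {
    moddir="$1"; name="$2"
    find "$moddir" -name "xt_${name}.ko*" 2>/dev/null | grep -q .
}

if [ $# -ge 2 ]; then
    check_xt_matches "$@"
    if ! xt_matches_available "$@"; then
        echo "some matches are not built into this kernel config" >&2
        exit 1
    fi
fi
```

On the Pinephone this would be run as `sh xt_check.sh /proc/config.gz limit hl conntrack`, followed by `xt_module_installed /lib/modules/$(uname -r) limit` for anything reported as `m`. A line ending in `missing` for `limit` or `hl` lines up exactly with the ENOENT seen in the strace: the match cannot be loaded because the kernel was built without it, and the fix is a kernel that sets those symbols rather than anything on the ufw side.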