poddmo / ufw-blocklist

IP blocklist extension for Ubuntu ufw
GNU General Public License v3.0

Simply not working #4

Closed radiolondra closed 9 months ago

radiolondra commented 10 months ago

Ubuntu 20.04 LTS iptables 1.8.7 ipset 7.15

I installed ufw-blocklist following the README guidelines.

This is my ufw-blocklist folder:

drwxrwxr-x  3 vidguru vidguru  4096 Nov 12 11:14 .
drwxr-xr-x 12 vidguru vidguru  4096 Nov 12 11:14 ..
-rwxr-x---  1 vidguru vidguru  4569 Nov 12 11:14 after.init
-rw-rw-r--  1 vidguru vidguru  1965 Nov 12 11:14 after.init_run-parts
drwxrwxr-x  8 vidguru vidguru  4096 Nov 12 11:14 .git
-rw-rw-r--  1 vidguru vidguru 35149 Nov 12 11:14 LICENSE
-rw-rw-r--  1 vidguru vidguru  7128 Nov 12 11:14 README.md
-rwxr-x---  1 vidguru vidguru  3180 Nov 12 11:14 ufw-blocklist-ipsum

At this time ufw was enabled and running. Executing guidelines:

vidguru@vmi227030:~/ufw-blocklist$ chmod 750 after.init ufw-blocklist-ipsum
vidguru@vmi227030:~/ufw-blocklist$ sudo cp after.init /etc/ufw/after.init
vidguru@vmi227030:~/ufw-blocklist$ sudo cp ufw-blocklist-ipsum /etc/cron.daily/ufw-blocklist-ipsum
vidguru@vmi227030:~/ufw-blocklist$ curl -sS -f --compressed -o ipsum.4.txt 'https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt'
vidguru@vmi227030:~/ufw-blocklist$ chmod 640 ipsum.4.txt
vidguru@vmi227030:~/ufw-blocklist$ sudo cp ipsum.4.txt /etc/ipsum.4.txt

Note: to have the copied /etc/ufw/after.init executable, I had to chmod it (750) in /etc/ufw directly.

reloading ufw:

vidguru@vmi227030:~/ufw-blocklist$ sudo ufw reload
ERROR: problem running ufw-init <<<--------
iptables v1.8.7 (nf_tables): Chain 'ufw-blocklist-input' does not exist
Try `iptables -h' or 'iptables --help' for more information.

After that, I enabled ufw again manually:

vidguru@vmi227030:~/ufw-blocklist$ sudo ufw status
Status: inactive
vidguru@vmi227030:~/ufw-blocklist$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
vidguru@vmi227030:~/ufw-blocklist$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

And finally I tried to reload ufw:

vidguru@vmi227030:~/ufw-blocklist$ sudo ufw reload
ERROR: problem running ufw-init <<<--------
ipset v7.15: Set cannot be destroyed: it is in use by a kernel component

vidguru@vmi227030:~/ufw-blocklist$

I did the whole process several times, updated iptables, ufw, ipset, ... without any success. I don't know what else I should do. Any idea?

Thanks

poddmo commented 10 months ago

Thank you for the well-written report. I tested the process in a fresh VM and replicated the issue.

The problem occurs because ufw reload issues ufw stop, which triggers after.init stop; that is where the ufw-init error messages come from, and it fails due to a lack of checks for expected state. The expected state doesn't exist because the script had never been run with the start command.

The procedure should have been to run /etc/ufw/after.init start instead of the ufw reload. I've updated the readme for this.

Above, where you issue ufw enable and it returns without error, this indicates the blocklist is starting without issue.

I've just committed changes to after.init that should help to clear the reload/stop problem. Downloading the current after.init and issuing /etc/ufw/after.init stop, perhaps a couple of times, might fix the problem by deleting the extra iptables rules that are using the set.

Please let me know how you go.
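An added example, not the project's own after.init, of the state check described above: a stop routine that only removes what actually exists, and removes it in an order (jump rules, then chain, then set) that releases the ipset before destroying it, so neither "Chain does not exist" nor "Set cannot be destroyed: it is in use" can occur. The chain name comes from the error in the report; the set name ufw-blocklist-ipsum and the parent chain ufw-before-input are assumptions.

```shell
#!/bin/sh
# Example stop logic for a ufw after.init hook (added example, not the
# upstream script). Runs as root, as ufw invokes after.init.
set -u

CHAIN="${CHAIN:-ufw-blocklist-input}"        # chain name from the report's error
SET_NAME="${SET_NAME:-ufw-blocklist-ipsum}"  # assumed ipset name
PARENT="${PARENT:-ufw-before-input}"         # assumed chain that jumps to CHAIN

# True if an ipset with the given name exists (names only, whole-line match).
set_exists() {
    ipset list -n 2>/dev/null | grep -qx -- "$1"
}

# True if the iptables chain exists in the filter table.
chain_exists() {
    iptables -w -n -L "$1" >/dev/null 2>&1
}

# Delete every "-j CHAIN" rule from PARENT. Looping handles the duplicate
# rules left behind when start was run more than once.
remove_jumps() {
    while iptables -w -C "$1" -j "$2" 2>/dev/null; do
        iptables -w -D "$1" -j "$2"
    done
}

# Tear down in dependency order; every step is guarded by a state check so a
# stop issued before any start (the "ufw reload" case) is a no-op that exits 0.
blocklist_stop() {
    if chain_exists "$CHAIN"; then
        remove_jumps "$PARENT" "$CHAIN"   # nothing may reference the chain
        iptables -w -F "$CHAIN"           # drops the match-set rules inside it
        iptables -w -X "$CHAIN"           # now the set has no kernel users
    fi
    if set_exists "$SET_NAME"; then
        ipset destroy "$SET_NAME"
    fi
    return 0
}

case "${1:-}" in
    stop) blocklist_stop ;;
esac
```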

poddmo commented 9 months ago

I have tested the installation process changes to the documentation using the latest (v3.0) code in a fresh VM and affirm that this issue is resolved. Thank you for reporting the issue.