[Bug 1851056] Re: "Proceeding WITHOUT firewalling in effect!" warning
Valtteri Vainikka
1851056 at bugs.launchpad.net
Sun Nov 3 01:19:51 UTC 2019
Just tested the systemd version from your PPA...
There are some changes:
[ 1.883017] systemd[1]: systemd 242 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4>
[ 1.901801] systemd[1]: Detected architecture x86-64.
[ 1.903755] systemd[1]: Set hostname to <ubuntu>.
[ 1.904376] systemd[1]: Failed to bump fs.file-max, ignoring: Invalid argument
[ 1.904409] Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[ 1.907029] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7
[ 1.948713] systemd[1]: /lib/systemd/system/dbus.socket:4: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socke>
[ 1.981938] systemd[1]: Reached target Remote File Systems.
[ 1.982012] systemd[1]: Listening on fsck to fsckd communication Socket.
[ 1.982049] systemd[1]: Listening on udev Kernel Socket.
[ 1.982612] systemd[1]: Listening on Syslog Socket.
[ 1.982629] systemd[1]: system-systemd\x2dfsck.slice: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling.
So there is still the mention about the local system not supporting
BPF/cgroup firewalling (not sure if that is normal), but the "Proceeding
WITHOUT firewalling in effect!" warning is now gone with the new systemd
package.
With the old systemd package it used to be:
[ 2.101034] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7
[ 2.136885] systemd[1]: File /lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
[ 2.142209] systemd[1]: Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1851056
Title:
"Proceeding WITHOUT firewalling in effect!" warning
Status in systemd package in Ubuntu:
New
Bug description:
Hello everyone,
I noticed a strange systemd warning in my kernel log about "Proceeding
WITHOUT firewalling in effect!" There is an older Debian bug mention
about this same issue and it is said there that it was fixed last
year: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872560
Release: Ubuntu 19.10, fresh install, latest updates with updates-testing repository enabled
Systemd-package version: 242-7ubuntu3
Kernel: Linux 5.3.0-21-generic
Here is the relevant warning information via running sudo dmesg after
boot:
[ 2.096064] Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[ 2.101034] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7
[ 2.136885] systemd[1]: File /lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
[ 2.142209] systemd[1]: Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[ 2.158190] systemd[1]: /lib/systemd/system/dbus.socket:4: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
[ 2.197029] systemd[1]: Listening on Journal Socket.
[ 2.203708] systemd[1]: Starting Create list of required static device nodes for the current kernel...
[ 2.243900] bpfilter: Loaded bpfilter_umh pid 420
#Continues normally from here without anything that seems odd
The included attachment .txt has more information. From what I've read
online from various bug trackers from other distributions this should
be related to a missing kernel option (CONFIG_BPF_SYSCALL=y), but this
option seems to be enabled:
# Output after running on the command line: grep BPF /boot/config-`uname -r`
# Kernel settings seem to be correct?
CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=m
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_JIT=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_LWTUNNEL_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_KPROBE_OVERRIDE=y
CONFIG_TEST_BPF=m
Also my friend just installed 19.10 on his machine and is seeing the
same warning, but I haven't found anyone else mentioning this issue at
least on the latest Ubuntu 19.10. The same warning message is
appearing if I run Ubuntu 19.10 in live mode from the USB stick.
What I expected to happen: no such error (it doesn't appear on Fedora
or openSUSE Tumbleweed that I've recently had installed on my other
SSD)
What happened instead: error appears during every boot sequence
It's also worth stressing that the firewall is functioning just fine
(using standard ufw) despite the error, so I'm guessing this is a
harmless warning.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1851056/+subscriptions
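Added example, not part of the original message and not systemd's own code: a small Python check that reads dmesg text and lists the units whose IP firewall settings systemd reported it could not apply, covering both message wordings quoted in this report. The sample lines are copied from the report; the function names and the report layout are assumptions made for this illustration.

```python
import re

# Sample input: lines copied from the two dmesg excerpts quoted in this report.
OLD_BOOT = r"""
[ 2.101034] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7
[ 2.136885] systemd[1]: File /lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
[ 2.142209] systemd[1]: Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
"""
NEW_BOOT = r"""
[ 1.907029] Lockdown: systemd: BPF is restricted; see man kernel_lockdown.7
[ 1.982629] systemd[1]: system-systemd\x2dfsck.slice: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling.
"""

LOCKDOWN = re.compile(r"Lockdown: (\S+): BPF is restricted")
# Wording logged with the older package: names the unit file, line and directive.
OLD_MSG = re.compile(r"File (\S+):(\d+) configures an IP firewall \(([^)]*)\), "
                     r"but the local system does not support BPF/cgroup")
# Wording logged with the newer package: names only the (escaped) unit.
NEW_MSG = re.compile(r"systemd\[1\]: (\S+): unit configures an IP firewall, "
                     r"but the local system does not support BPF/cgroup")
GLOBAL_WARN = "Proceeding WITHOUT firewalling in effect!"


def unescape_unit(name):
    """Undo systemd's \\xNN escaping, e.g. 'systemd\\x2dfsck' -> 'systemd-fsck'."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), name)


def audit(log_text):
    """Summarise which units asked for IP filtering that systemd could not apply."""
    report = {"bpf_locked_down_for": set(), "unenforced": [], "global_warning": False}
    for line in log_text.splitlines():
        if (m := LOCKDOWN.search(line)):
            report["bpf_locked_down_for"].add(m.group(1))
        elif (m := OLD_MSG.search(line)):
            unit = m.group(1).rsplit("/", 1)[-1]  # keep only the unit file name
            report["unenforced"].append((unit, m.group(3)))
        elif (m := NEW_MSG.search(line)):
            report["unenforced"].append((unescape_unit(m.group(1)), None))
        elif GLOBAL_WARN in line:
            report["global_warning"] = True
    return report


if __name__ == "__main__":
    for label, text in (("old package", OLD_BOOT), ("new package", NEW_BOOT)):
        print(label, audit(text))
```

On the logs in this report, the newer package no longer prints the global warning line but still reports the slice as unsupported, so a check that looks only for that line would miss it.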