
debcrafters-packages team mailing list archive

[Bug 2128668] Re: Wi-Fi hotspot startup does not configure firewalls as needed for internet sharing

 

Notes from my research on this today:

sudo iptables -P FORWARD ACCEPT is not something that is needed on
Ubuntu devices out-of-the-box. Some of our test devices have many rules
set by Docker and other apps, and some forum posts I'm reading are
saying that Docker overrides the firewall rules and sets the FORWARD
policy to DROP, so I think that's why some device behavior differs.

The only thing that NetworkManager's upstream dev said[0] it does with
the native iptables is setting up masquerading, and that the rest of the
firewall config is done via firewalld, which we do not use.


So at this point, the main thing I'm looking into is figuring out if NetworkManager upstream wants us to put the UFW rule handling into NetworkManager, for any Ubuntu users who have UFW enabled. I also asked if they want to set this iptables rule explicitly, since the current upstream implementation relies on firewalld and isn't distro-agnostic.

In the meantime, the dispatcher script I prepared can be used to work
around this.

[0] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1827#note_3150787

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/2128668

Title:
  Wi-Fi hotspot startup does not configure firewalls as needed for
  internet sharing

Status in network-manager package in Ubuntu:
  In Progress

Bug description:
  SRU Justification:

  [ Impact ]

  When a wi-fi hotspot is being broadcast, NetworkManager does not
  automatically configure all firewall rules as needed for clients to
  access the internet.

  [ Test Plan ]

  Start wi-fi hotspot on device running ufw that is connected to the
  internet

  [ Actual result ]
  Clients cannot connect to the internet via the hotspot. Only after adding custom firewall rules such as those described above can the client connect to the internet.

  [ Expected result ]
  Clients can connect to the internet via the hotspot

  [ Fix ]

  At minimum, the following is needed to enable this:

  1. Enable routing from wireless adapter to wired adapter (ex: sudo ufw route allow in on wlP9s9 out on enp1s0 (varies depending on adapter names))
  2. Set iptables forwarding rules correctly (ex: sudo iptables -P FORWARD ACCEPT)
  3. If the host is running its own DNS / DHCP servers, those will also have to be allowed by the firewall

  (Discussion ongoing upstream)

  [ Where problems could occur ]

  Specifics to be researched

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2128668/+subscriptions
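The three steps in the [ Fix ] section above, written out as a NetworkManager dispatcher script. This is an added example, not the dispatcher script the comment refers to and not code from the network-manager package or the bug. It assumes the hotspot connection profile is named "Hotspot", that the uplink is enp1s0 (adjust both), and that NetworkManager's dispatcher invokes the script with the interface as $1 and the action as $2 while exporting CONNECTION_ID and NM_DISPATCHER_ACTION. With ufw enabled, the `ufw route allow` rule in step 1 is what lets forwarded packets through; the script does not change the global FORWARD policy from step 2, it only provides a helper to read the current policy out of `iptables -S` output so you can check it before deciding whether that step applies on your device (for instance when Docker has set it to DROP).

```shell
#!/bin/bash
# Hypothetical NetworkManager dispatcher script (added example).
# Install as /etc/NetworkManager/dispatcher.d/90-hotspot-ufw, root-owned,
# mode 0755. Assumed settings: profile name "Hotspot", uplink enp1s0.
set -u

HOTSPOT_CONN="${HOTSPOT_CONN:-Hotspot}"   # assumption: hotspot profile name
UPLINK="${UPLINK:-enp1s0}"                # assumption: wired uplink interface

# Print (never execute) the ufw commands for a hotspot interface, one per
# line. "up" adds the rules, "down" deletes them again.
hotspot_rules() {
  local action="$1" hotspot="$2" uplink="$3" verb
  case "$action" in
    up)   verb="" ;;
    down) verb="delete " ;;
    *)    return 1 ;;
  esac
  # Step 1: forward client traffic from the hotspot to the uplink.
  echo "ufw route ${verb}allow in on ${hotspot} out on ${uplink}"
  # Step 3: let clients reach the DHCP (67/udp) and DNS (53) servers that
  # NetworkManager runs on the hotspot interface.
  echo "ufw ${verb}allow in on ${hotspot} to any port 67 proto udp"
  echo "ufw ${verb}allow in on ${hotspot} to any port 53"
}

# Step 2 check: read the FORWARD chain policy (ACCEPT or DROP) from
# `iptables -S` output supplied on stdin. Fails if no -P FORWARD line
# is present. Usage on a live system: sudo iptables -S | forward_policy
forward_policy() {
  awk '$1 == "-P" && $2 == "FORWARD" { print $3; found = 1 }
       END { if (!found) exit 1 }'
}

# Dispatcher entry point. Only acts on up/down of the hotspot profile.
# DRY_RUN=1 prints the commands instead of running them.
main() {
  local iface="${1:-}" action="${2:-}" cmd
  [ "${CONNECTION_ID:-}" = "$HOTSPOT_CONN" ] || return 0
  case "$action" in up|down) ;; *) return 0 ;; esac
  if [ "${DRY_RUN:-0}" = 1 ]; then
    hotspot_rules "$action" "$iface" "$UPLINK"
    return 0
  fi
  hotspot_rules "$action" "$iface" "$UPLINK" | while IFS= read -r cmd; do
    # Commands are built above from interface names only, so plain word
    # splitting is sufficient to run them.
    # shellcheck disable=SC2086
    $cmd || logger -t hotspot-ufw "failed: $cmd"
  done
}

# Run only when invoked by NetworkManager's dispatcher.
if [ -n "${NM_DISPATCHER_ACTION:-}" ]; then
  main "$@"
fi
```

To see what the script would do for a given interface without touching the firewall, run it by hand as `CONNECTION_ID=Hotspot NM_DISPATCHER_ACTION=up DRY_RUN=1 ./90-hotspot-ufw wlP9s9 up`; the "down" action emits the matching `ufw delete` / `ufw route delete` commands so the rules do not accumulate across hotspot restarts.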


