
debcrafters-packages team mailing list archive

[Bug 2128668] Re: Wi-Fi hotspot startup does not configure firewalls as needed for internet sharing

 

I figured something else out that I believe makes this a much less
complicated problem to solve.

It turns out that Ubuntu, despite having nftables installed by default,
does not directly have /usr/sbin/nft invoked by the UFW binary. In
reality, UFW configures its rules via /usr/sbin/iptables, which is by
default a symlink to /etc/alternatives/iptables, which is a symlink to
/usr/sbin/iptables-nft.

However, NetworkManager defaults to using /usr/sbin/nft if it's
installed, even though we really probably want it to go through
/etc/alternatives/iptables, since it seems like the UFW (and I think
also Docker's) rules are being directly set there (and I'm guessing
that's why I am not having any luck overriding them via /usr/sbin/nft).

We discussed this internally, and we think the most appropriate approach
would be to override the default firewall backend via a config option,
which is already possible without any changes to upstream NM itself.

I'll submit a PR to Ubuntu's NM to install the following config:


debian/default-firewall-use-iptables.conf:

[main]
firewall-backend = iptables

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/2128668

Title:
  Wi-Fi hotspot startup does not configure firewalls as needed for
  internet sharing

Status in network-manager package in Ubuntu:
  In Progress
Status in network-manager source package in Jammy:
  New
Status in network-manager source package in Noble:
  New
Status in network-manager source package in Plucky:
  New
Status in network-manager source package in Questing:
  New
Status in network-manager source package in Resolute:
  In Progress

Bug description:
  SRU Justification:

  [ Impact ]

  When a wi-fi hotspot is being broadcast, NetworkManager does not
  automatically configure all firewall rules as needed for clients to
  access the internet.

  [ Test Plan ]

  Start wi-fi hotspot on device running ufw that is connected to the
  internet

  [ Actual result ]
  Clients cannot connect to the internet via the hotspot. Only after adding custom firewall rules such as those described above can the client connect to the internet.

  [ Expected result ]
  Clients can connect to the internet via the hotspot

  [ Fix ]

  At minimum, the following is needed to enable this:

  1. Enable routing from wireless adapter to wired adapter (ex: sudo ufw route allow in on wlP9s9 out on enp1s0 (varies depending on adapter names))
  2. Set iptables forwarding rules correctly (ex: sudo iptables -P FORWARD ACCEPT)
  3. If the host is running its own DNS / DHCP servers, those will also have to be allowed by the firewall

  This is already implemented by NetworkManager. However, since
  applications like UFW configure firewall rules directly through
  /usr/sbin/iptables, NetworkManager needs to be configured to do so as
  well. Since we don't explicitly set a firewall backend to use in our
  config, NM checks for the existence of nftables and uses it since it
  is installed on Ubuntu, which is not sufficient to override the rules
  set via iptables by UFW and Docker.

  Therefore, the most straightforward solution is to configure Ubuntu's
  NetworkManager to use iptables as its firewall backend, bringing it in
  line with how UFW orchestrates its firewall rules.

  [ Where problems could occur ]

  While NetworkManager should be configuring the same rules regardless
  of the firewall backend used, any differences that might exist between
  how /usr/sbin/iptables and /usr/sbin/nft handle the setup could
  manifest as user-visible differences in firewall behavior.
  Additionally, since /usr/sbin/iptables is a symlink to
  /etc/alternatives/iptables, a user who has changed their
  /etc/alternatives/iptables target could also deviate from the behavior
  of a default Ubuntu configuration.

  With that said, keeping this configuration as-is may also have risks
  beyond the hotspot sharing use-case, since even the default firewall
  profiles in NM are currently set via the nftables interface, which
  I've observed is not always in sync with the UFW-enforced rules set
  via /usr/sbin/iptables.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2128668/+subscriptions
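The message and the SRU justification both turn on how NetworkManager picks its firewall backend: an explicit `[main] firewall-backend` wins, and when the key is unset NM falls back to nftables whenever `/usr/sbin/nft` exists, which is why the Ubuntu default ends up bypassing the iptables-nft path that UFW and Docker use. The following is an added example, not code from the bug report, the NetworkManager project or the Ubuntu package: it resolves the effective backend for a set of config snippets and a set of binaries present on the host. Its read order (the `/usr/lib` conf.d drop-ins, then `/run`, then the main file, then the `/etc` conf.d drop-ins, later files overriding earlier ones) is the order as understood from NetworkManager.conf(5) and is an assumption here, as is the placement of the proposed `default-firewall-use-iptables.conf` under `/usr/lib/NetworkManager/conf.d/`; the config contents are constructed.

```python
"""Resolve the [main] firewall-backend NetworkManager would use.

Added example, not NetworkManager code. Assumptions (labelled): the read order
in READ_ORDER as understood from NetworkManager.conf(5), the unset-key fallback
"nftables if nft exists, else iptables, else none" as the bug report describes,
and the proposed Ubuntu drop-in living under /usr/lib/NetworkManager/conf.d/.
"""
import configparser
from typing import Dict, Iterable, Tuple

# Assumed read order; later locations override earlier ones, and files within
# one directory are read in lexical order.
READ_ORDER: Tuple[str, ...] = (
    "/usr/lib/NetworkManager/conf.d",
    "/run/NetworkManager/conf.d",
    "/etc/NetworkManager/NetworkManager.conf",
    "/etc/NetworkManager/conf.d",
)
VALID_BACKENDS = frozenset({"iptables", "nftables", "none"})


def _read_rank(path: str) -> Tuple[int, str]:
    """Sort key: position of the file's location in READ_ORDER, then its name."""
    for rank, location in enumerate(READ_ORDER):
        if path == location or path.startswith(location + "/"):
            return (rank, path)
    raise ValueError(f"not a NetworkManager config location: {path}")


def merged_main_section(config_files: Dict[str, str]) -> Dict[str, str]:
    """Merge the [main] sections of config_files (path -> contents) in read order."""
    merged: Dict[str, str] = {}
    for path in sorted(config_files, key=_read_rank):
        if not path.endswith(".conf"):
            continue  # only *.conf files are picked up from the conf.d directories
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(config_files[path], source=path)
        if parser.has_section("main"):
            merged.update(parser.items("main"))  # later file wins on conflict
    return merged


def effective_firewall_backend(config_files: Dict[str, str],
                               available_binaries: Iterable[str]) -> str:
    """An explicit setting wins; otherwise fall back on which binaries exist."""
    setting = merged_main_section(config_files).get("firewall-backend")
    if setting is not None:
        setting = setting.strip()
        if setting not in VALID_BACKENDS:
            raise ValueError(f"invalid firewall-backend {setting!r}")
        return setting
    present = set(available_binaries)
    if "/usr/sbin/nft" in present:        # the Ubuntu default case from the report
        return "nftables"
    if "/usr/sbin/iptables" in present:   # the alternatives symlink to iptables-nft
        return "iptables"
    return "none"


# Constructed inputs: an Ubuntu-like host with both nft and the iptables
# alternative installed, a stock main file with no backend set, the drop-in
# proposed in the report, and a local admin override.
UBUNTU_BINARIES = frozenset({"/usr/sbin/nft", "/usr/sbin/iptables"})
STOCK_MAIN_CONF = "[main]\nplugins=ifupdown,keyfile\n"
UBUNTU_DROP_IN = "[main]\nfirewall-backend = iptables\n"
ADMIN_OVERRIDE = "[main]\nfirewall-backend=nftables\n"


def scenarios() -> Dict[str, str]:
    """Effective backend for each constructed configuration."""
    stock = {"/etc/NetworkManager/NetworkManager.conf": STOCK_MAIN_CONF}
    with_drop_in = {
        **stock,
        "/usr/lib/NetworkManager/conf.d/default-firewall-use-iptables.conf": UBUNTU_DROP_IN,
    }
    with_admin = {**with_drop_in, "/etc/NetworkManager/conf.d/90-admin.conf": ADMIN_OVERRIDE}
    return {
        "stock": effective_firewall_backend(stock, UBUNTU_BINARIES),
        "ubuntu-drop-in": effective_firewall_backend(with_drop_in, UBUNTU_BINARIES),
        "admin-override": effective_firewall_backend(with_admin, UBUNTU_BINARIES),
        "no-nft": effective_firewall_backend(stock, {"/usr/sbin/iptables"}),
    }


if __name__ == "__main__":
    for name, backend in scenarios().items():
        print(f"{name:16s} -> {backend}")
```

The `admin-override` case is the practical check on the proposed fix: a drop-in under `/usr/lib` changes the Ubuntu default without touching the main file, while a later `/etc/NetworkManager/conf.d/` file still lets an administrator switch back to nftables. Whatever backend is selected, the rules NM installs only matter if they are written through the same path the other firewall tooling on the host uses, which is the whole point of the report.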