After upgrading shorewall from 2.4.2 to 3.0.4, the new configuration crashes during firewall initialization. After running "shorewall check" I get the following:

Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Available
   CLASSIFY Target: Available
Verifying Configuration...
Determining Zones...
   IPv4_Zones: net loc
   Firewall Zone: fw
Setting up IPSEC...
Validating interfaces file...
/usr/share/shorewall/functions: line 627: [: inet:: integer expression expected
/usr/share/shorewall/functions: line 627: 32 - inet: : syntax error in expression (error token is ": ")
/usr/share/shorewall/functions: line 515: 0 | 3: : syntax error in expression (error token is ": ")
/usr/share/shorewall/functions: line 669: & : syntax error: operand expected (error token is "& ")

It is dying while parsing /etc/shorewall/interfaces. The only 2 non-comment lines are these:

net inet detect dhcp,routefilter,norfc1918,logmartians
loc lan detect dhcp

[Note that my ethernet interfaces are indeed named "inet" and "lan", exactly as specified above. They were named that way when running shorewall 2.4.2.]

If needed, I can attach the entire interfaces file. However, it should be clear from the error messages which line was being parsed when the software crashed.
My emerge info details are as follows:

Gentoo Base System version 1.6.14
Portage 2.0.54 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r2, 2.6.14-gentoo-r5 i686)
=================================================================
System uname: 2.6.14-gentoo-r5 i686 AMD Athlon(tm) MP 2800+
dev-lang/python: 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.8.1-r1, 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-mp -mmmx -m3dnow -msse -mfpmath=sse,387 -O3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/fax /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-mp -mmmx -m3dnow -msse -mfpmath=sse,387 -O3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.mirrorservice.org/sites/www.ibiblio.org/gentoo/ ftp://mirror.switch.ch/mirror/gentoo ftp://ftp.solnet.ch/mirror/Gentoo"
LINGUAS="en_GB"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/lib/portage/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 3dnow X aalib acl ada alsa apm arts audiofile avi berkdb bitmap-fonts bzip2 cdr crypt cups curl doc dvd eds emboss encode esd exif expat f77 fam ffmpeg flac foomaticdb fortran gcj gd gdbm gif glut gmp gnome gpm gstreamer gtk gtk2 gtkhtml idn imagemagick imlib ipv6 java jpeg kde lcms libg++ libwww lua mad mikmod mmx mng motif mozilla mp3 mpeg ncurses nls nptl nptlonly objc odbc ogg oggvorbis opengl oss pam pcre pdflib perl png postgres python qt quicktime readline sdl slang spell sqlite sse ssl svg svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts udev vorbis xine xml2 xmms xv zlib linguas_en_GB userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, PORTDIR_OVERLAY
You did update everything in /etc/shorewall, right? There have been drastic changes between 2.4.2 and 3.0.4.
(In reply to comment #1)
> You did update everything in /etc/shorewall, right? There have been drastic
> changes between 2.4.2 and 3.0.4.

Yes, I completely reworked all of the configuration files using the HTML manuals where needed. Note that even if there had been "legacy" configuration entries, dying in a shell script is not the ideal way to report them. ... :-)
After some investigation, I know where the problem lies. /usr/share/shorewall/firewall, line 1195:

addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)

This line doesn't cause trouble unless your interface is called "inet". For "eth0", the output of `ip -f addr show eth0` is for example:

1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 147.175.171.246/25 brd 147.175.255.255 scope global eth0

Grep for "inet" only leaves the second line - correctly. If your interface is called "inet", however, trouble hits:

1: inet: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 147.175.171.246/25 brd 147.175.255.255 scope global eth0

Grep for "inet", followed by `head -n1`, picks up the first line - incorrectly.

Can you please change line 1195 in /usr/share/shorewall/firewall to:

addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet\ | head -n1)

(add a backslash and a space after "grep inet")

Try `shorewall check` after changing this line. Perhaps, though, there will be more trouble elsewhere. Looks like the shorewall authors didn't anticipate the possibility of someone naming their interface "inet".
(In reply to comment #3)
> After some investigation, I know where the problem lies.

Your analysis has proven correct.

> Grep for "inet", followed by `head -n1` picks up first line - incorrectly.
>
> Can you please change the line 1195 in /usr/share/shorewall/firewall to:
>
> addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet\ | head -n1)

This change worked. Many thanks!

However ... My feeling is that grep and tail are the wrong tools for this job. They could both be replaced by gawk and this bug or others like it eliminated. For example:

addr=$(ip -f inet addr show $interface 2> /dev/null | gawk 'BEGIN { getline; print }')

Such a change would have 3 immediate advantages:

1. It is lexically simpler, so easier to maintain.
2. It would not assume any particular character string or regular expression to identify the required line. [I.e. no *assumption* of uniqueness.]
3. It would run marginally faster, as there are now only 2 external processes in the sub-shell expression instead of 3.

The above comment applies in several places in the /usr/share/shorewall/firewall script. The use of (grep|head) or (grep|tail) is a frequent site of bugs in shell scripts.

> Looks like shorewall authors didn't anticipate the possibility of someone
> naming their interface "inet".

Assumptions always end up biting somebody! [But why me? ... :-) ]
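The substring match from comment #3 and the proposed fix from comments #3 and #4, side by side, as an added shell example that is not part of this thread or of shorewall's scripts. The `ip` output is constructed sample data, and the `awk` field-match variant is a stricter alternative added here, not one the thread proposes.

```shell
# Constructed sample output of `ip -f inet addr show <iface>` for an
# interface named eth0 and one named inet (not captured from a real host).
SAMPLE_ETH0='1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.0.2.10/25 brd 192.0.2.127 scope global eth0'
SAMPLE_INET='1: inet: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.0.2.10/25 brd 192.0.2.127 scope global inet'

# The original shorewall filter: "inet" is also a substring of the header
# line "1: inet: <...>", so head -n1 returns the header, not the address.
addr_line_buggy() {
    printf '%s\n' "$1" | grep inet | head -n1
}

# The fix proposed in the thread: require a space after "inet", which the
# header's "inet:" does not have.
addr_line_fixed() {
    printf '%s\n' "$1" | grep 'inet ' | head -n1
}

# Stricter variant (editor's addition): select the line whose first field is
# exactly "inet" and stop at the first match; no substring matching at all.
addr_line_awk() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print; exit }'
}

# Second whitespace-separated field of the selected line: the address/prefix
# on a correct match, the interface name ("inet:") on the buggy match.
addr_of() {
    "$1" "$2" | awk '{ print $2 }'
}
```

Running `addr_of addr_line_buggy "$SAMPLE_INET"` yields `inet:`, the value that then reaches the arithmetic in shorewall's functions file and produces the "integer expression expected" errors in the report above.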
I have subscribed to the shorewall users mailing list, and will try to bring this bug report up there, as I have noticed this hasn't been fixed in 3.0.5 - understandably, as this is a "twilight zone" bug, which is relevant to perhaps one or two specific users. Thank you for reporting.
Thanks for the help Andrej :-)!