The problems started with upgrading bash to 3.2_p3. The same sort of errors appear with the production firehol.conf as well as with the factory template used below for simplicity.

home ~ # cat /etc/firehol/firehol.conf
version 5

# Accept all client traffic on any interface
interface any world
        client all accept

home ~ # /etc/init.d/firehol restart
 * Restarting Firewall ...
 * WARNING: firehol has not yet been started.
 * Starting FireHOL ...
--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_all_c1 -m state '' --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :

--------------------------------------------------------------------------------
ERROR   : # 2.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_all_c1 -m state '' --state ESTABLISHED -j ACCEPT
OUTPUT  :

--------------------------------------------------------------------------------
ERROR   : # 3.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_irc_c2 -p tcp --sport 32768:61000 --dport 6667 -m state '' --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :

--------------------------------------------------------------------------------
ERROR   : # 4.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_irc_c2 -p tcp --sport 6667 --dport 32768:61000 -m state '' --state ESTABLISHED -j ACCEPT
OUTPUT  :

<more errors of this sort>
                                                                          [ !! ]

home ~ # emerge --info
Portage 2.1.2_rc1-r2 (default-linux/x86/2006.1, gcc-4.1.1, glibc-2.5-r0, 2.6.18-gentoo-r1 i686)
=================================================================
System uname: 2.6.18-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 3.20GHz
Gentoo Base System version 1.12.6
Last Sync: Thu, 02 Nov 2006 19:00:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.18.1
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -mtune=prescott -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -mtune=prescott -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_US.UTF8"
LC_ALL="en_US.UTF8"
LINGUAS="en de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/obelix"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac acl alsa apache2 avi bash-completion bzip2 cairo cdr crypt cups dbus djvu doc dri dts dvd dvdr dvdread elibc_glibc encode esd exif fam ffmpeg firefox flac gd gif glitz glut gmp gnutls gphoto2 gpm gstreamer gtk gtk2 hal howl imagemagick input_devices_evdev input_devices_keyboard input_devices_mouse jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux lcms linguas_de linguas_en logrotate mad mikmod mmap mmx mng mp3 mpeg ncurses nls nptl nsplugin nvidia ogg opengl pam pdf pic png qt qt3 quicktime readline samba sdl session snmp spell sqlite sse sse2 ssl svg threads tidy tiff truetype unicode usb userland_GNU vcd video_cards_fbdev video_cards_nv video_cards_nvidia video_cards_vesa video_cards_vga vorbis win32codecs wmf x86 xine xml xml2 xv xvid zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Downgrade to bash-3.1_p17 fixes the issue.
This sounds similar to Bug 139526, although that one was reported for bash-3.1p17 and there it was related to the hardened flag. Seems we should patch firehol to work around this problem.
Created attachment 101406: test application to show where bash behaves differently

I cannot reproduce this for me right now. Can you please run the attached script and attach the output to show me where it fails in your installation?
The output with both bash 3.2 and 3.1 is:

-m state --state
-m state --state
-m state ! --state
-m state ! --state

Running /usr/sbin/firehol start instead of /etc/init.d/firehol start seems to reveal more information:

home ~ # /usr/sbin/firehol start
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall (41 rules):
--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_all_c1 -m state '' --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `'
...

Also:

home ~ # /sbin/iptables -t filter -A out_world_all_c1 -m state '' --state NEW\,ESTABLISHED -j ACCEPT
Bad argument `'
Try `iptables -h' or 'iptables --help' for more information.
home ~ # /sbin/iptables -t filter -A out_world_all_c1 -m state --state NEW\,ESTABLISHED -j ACCEPT   # Just -m state, no ''
iptables: No chain/target/match by that name
home ~ # iptables
iptables v1.3.6: no command specified
Try `iptables -h' or 'iptables --help' for more information.
home ~ # iptables ''
Bad argument `'
Try `iptables -h' or 'iptables --help' for more information.
home ~ # echo $BASH_VERSION
3.2.3(1)-release
home ~ #

Looks like the empty quote '' after -m state is causing the trouble.
iptables calls with -m state '' also fail under bash 3.1. But /usr/sbin/firehol debug shows that under bash 3.1 firehol generates iptables calls containing just -m state whereas under 3.2 they contain -m state '' and hence fail.
*** Bug 157045 has been marked as a duplicate of this bug. ***
I have now added Version 1.250 as "~x86 ~ppc" and replaced %q with %b in the printf statements. Please check if this solves your problem. The new version should be available on the mirrors soon.
Should be fixed now.
The new version fails to patch:

home ~ # emerge -1 firehol
Calculating dependencies... done!
>>> Emerging (1 of 1) net-firewall/firehol-1.250 to /
 * firehol-1.226.tar.bz2 MD5 ;-) ...                                      [ ok ]
 * firehol-1.226.tar.bz2 RMD160 ;-) ...                                   [ ok ]
 * firehol-1.226.tar.bz2 SHA1 ;-) ...                                     [ ok ]
 * firehol-1.226.tar.bz2 SHA256 ;-) ...                                   [ ok ]
 * firehol-1.226.tar.bz2 size ;-) ...                                     [ ok ]
 * checking ebuild checksums ;-) ...                                      [ ok ]
 * checking auxfile checksums ;-) ...                                     [ ok ]
 * checking miscfile checksums ;-) ...                                    [ ok ]
 * checking firehol-1.226.tar.bz2 ;-) ...                                 [ ok ]
>>> Unpacking source...
>>> Unpacking firehol-1.226.tar.bz2 to /var/tmp/portage/net-firewall/firehol-1.250/work
 * Applying firehol-1.226-to-228.patch ...                                [ ok ]
 * Applying firehol-1.226-to-250.patch ...
 * Failed Patch: firehol-1.226-to-250.patch !
 * ( /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch )
 *
 * Include in your bugreport the contents of:
 *
 *   /var/tmp/portage/net-firewall/firehol-1.250/temp/firehol-1.226-to-250.patch-31437.out

!!! ERROR: net-firewall/firehol-1.250 failed.
Call stack:
  ebuild.sh, line 1603:   Called dyn_unpack
  ebuild.sh, line 732:   Called src_unpack
  firehol-1.250.ebuild, line 45:   Called epatch '/usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch'
  eutils.eclass, line 341:   Called die

!!! Failed Patch: firehol-1.226-to-250.patch!
!!! If you need support, post the topmost build error, and the call stack if relevant.

home ~ # cat /var/tmp/portage/net-firewall/firehol-1.250/temp/firehol-1.226-to-250.patch-31437.out
***** firehol-1.226-to-250.patch *****

======================================

PATCH COMMAND:  patch -p0 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch

======================================
patching file firehol.sh
Hunk #1 FAILED at 10.
Hunk #5 FAILED at 171.
Hunk #43 FAILED at 5415.
Hunk #44 FAILED at 5601.
Hunk #47 FAILED at 5907.
Hunk #48 FAILED at 5990.
6 out of 49 hunks FAILED -- saving rejects to file firehol.sh.rej
======================================

PATCH COMMAND:  patch -p1 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch

======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- firehol.new 2006-12-27 14:13:39.000000000 +0100
|+++ firehol.sh 2006-12-27 14:15:57.000000000 +0100
--------------------------
No file to patch.  Skipping patch.
49 out of 49 hunks ignored
======================================

PATCH COMMAND:  patch -p2 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch

======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- firehol.new 2006-12-27 14:13:39.000000000 +0100
|+++ firehol.sh 2006-12-27 14:15:57.000000000 +0100
--------------------------
No file to patch.  Skipping patch.
49 out of 49 hunks ignored
======================================

PATCH COMMAND:  patch -p3 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch

======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- firehol.new 2006-12-27 14:13:39.000000000 +0100
|+++ firehol.sh 2006-12-27 14:15:57.000000000 +0100
--------------------------
No file to patch.  Skipping patch.
49 out of 49 hunks ignored
======================================

PATCH COMMAND:  patch -p4 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch

======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- firehol.new 2006-12-27 14:13:39.000000000 +0100
|+++ firehol.sh 2006-12-27 14:15:57.000000000 +0100
--------------------------
No file to patch.  Skipping patch.
49 out of 49 hunks ignored
*** Bug 159311 has been marked as a duplicate of this bug. ***
Sorry, seems a wrong patch went into CVS; I'm not sure how it worked for me during testing... The latest version in CVS should work now.
Please excuse me if this is due to sync mirror lag, but it still fails here:

...
 * Failed Patch: firehol-1.226-to-250.patch !
 * ( /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch )
 *
 * Include in your bugreport the contents of:
 *
 *   /var/tmp/portage/net-firewall/firehol-1.250/temp/firehol-1.226-to-250.patch-14293.out
...

***** firehol-1.226-to-250.patch *****

======================================

PATCH COMMAND:  patch -p0 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch

======================================
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nur firehol-1.226/firehol.sh firehol-1.226.new/firehol.sh
|--- firehol-1.226/firehol.sh 2006-12-29 23:48:19.000000000 +0100
|+++ firehol-1.226.new/firehol.sh 2006-12-29 23:49:40.000000000 +0100
--------------------------
No file to patch.  Skipping patch.
49 out of 49 hunks ignored
======================================

PATCH COMMAND:  patch -p1 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch

======================================
patching file firehol.sh
Hunk #1 FAILED at 10.
Hunk #5 FAILED at 171.
Hunk #43 FAILED at 5415.
Hunk #44 FAILED at 5601.
Hunk #47 FAILED at 5907.
Hunk #48 FAILED at 5990.
6 out of 49 hunks FAILED -- saving rejects to file firehol.sh.rej
======================================

PATCH COMMAND:  patch -p2 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch

======================================
missing header for unified diff at line 4 of patch
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nur firehol-1.226/firehol.sh firehol-1.226.new/firehol.sh
|--- firehol-1.226/firehol.sh 2006-12-29 23:48:19.000000000 +0100
|+++ firehol-1.226.new/firehol.sh 2006-12-29 23:49:40.000000000 +0100
--------------------------
No file to patch.  Skipping patch.
49 out of 49 hunks ignored
======================================

PATCH COMMAND:  patch -p3 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch

======================================
missing header for unified diff at line 4 of patch
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nur firehol-1.226/firehol.sh firehol-1.226.new/firehol.sh
|--- firehol-1.226/firehol.sh 2006-12-29 23:48:19.000000000 +0100
|+++ firehol-1.226.new/firehol.sh 2006-12-29 23:49:40.000000000 +0100
--------------------------
No file to patch.  Skipping patch.
49 out of 49 hunks ignored
======================================

PATCH COMMAND:  patch -p4 -g0 -E --no-backup-if-mismatch < /usr/portage/net-firewall/firehol/files/firehol-1.226-to-250.patch

======================================
missing header for unified diff at line 4 of patch
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nur firehol-1.226/firehol.sh firehol-1.226.new/firehol.sh
|--- firehol-1.226/firehol.sh 2006-12-29 23:48:19.000000000 +0100
|+++ firehol-1.226.new/firehol.sh 2006-12-29 23:49:40.000000000 +0100
--------------------------
No file to patch.  Skipping patch.
49 out of 49 hunks ignored
I don't think this is a mirror lag; the ChangeLog does mention the entry for "Fix invalid patch", but epatch still fails.
I don't understand this. It works before I commit it to CVS, but it doesn't work afterwards. Let me take a look again and see what happens here.
I think I finally found out what happened: it was caused by the way I created the patches directly from the CVS version, and some automatic CVS replacement that I was not aware of (Id tag). I hope this is finally fixed now.
*** Bug 159480 has been marked as a duplicate of this bug. ***
After the latest sync, 1.250 emerges fine and works OK with bash 3.1 on the hardened profile (confirms bug #139526 is finally stumped).
The new firehol now emerges fine and works smoothly with bash 3.2, thanks. Happy Holidays Everyone :)
Hi,

Check this:

# printf " %q\n" a b c "d e f g"
 a
 b
 c
 d\ e\ f\ g

while:

# printf " %b\n" a b c "d e f g"
 a
 b
 c
 d e f g

Note that %b loses the backslashes. Using %b instead of %q will break firehol in cases where the generated iptables commands need to have arguments with whitespaces in them.

Regards.
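An added example, not FireHOL's own code nor anything posted in this bug: a POSIX shell sketch of why quoting every field (as printf %q does) produced the `-m state ''` rejected above, why the unquoted %b form splits arguments with whitespace as the last comment warns, and how building argv directly avoids both. The hypothetical `mock_iptables` only rejects empty words (the "Bad argument `'" behaviour shown above) and does not check option syntax; the chain, match and state names are taken from the error output in this bug.

```shell
#!/bin/sh
# Added example (not FireHOL code): three ways a shell script can hand an
# argument list to iptables, and which of them fail in the ways this bug and
# the %q/%b comment describe. The match option in $2 is optional and may be empty.

# Stand-in for iptables' parser (assumption: it rejects an empty word, which is
# what the "Bad argument `'" output in this bug shows). Prints the argv word count.
mock_iptables() {
    for arg in "$@"; do
        [ -n "$arg" ] || { echo "Bad argument \`'" >&2; return 2; }
    done
    echo "$#"
}

# 1. Every field quoted (the effect of printf %q): an empty optional field
#    becomes a literal '' and re-parses as an empty word, so the rule is rejected.
run_quoted_string() {
    cmd="-A out_world_all_c1 -m '$1' '$2' --state '$3' -j ACCEPT"
    eval "mock_iptables $cmd"
}

# 2. Fields unquoted (the effect of switching to %b): the empty field vanishes,
#    but a field containing whitespace is split into several words.
run_unquoted_string() {
    cmd="-A out_world_all_c1 -m $1 $2 --state $3 -j ACCEPT"
    eval "mock_iptables $cmd"
}

# 3. No string round-trip at all: build argv with set --, add the optional
#    field only when non-empty, and let "$@" keep each field as one word.
run_argv() {
    set -- -A out_world_all_c1 -m "$1" ${2:+"$2"} --state "$3" -j ACCEPT
    mock_iptables "$@"
}

# Constructed demonstration: the empty second field is the case from this bug,
# the spaced one ('allow irc clients', a placeholder value) the %b hazard.
demo() {
    run_quoted_string   state '' NEW,ESTABLISHED 2>/dev/null || echo "quoted: rejected (rc $?)"
    run_unquoted_string state '' NEW,ESTABLISHED
    run_unquoted_string comment 'allow irc clients' NEW
    run_argv            comment 'allow irc clients' NEW
}
```

Word counts make the difference visible: the unquoted form passes 11 words for a rule that should have 9, while the argv form passes 8 and 9 words for the empty and spaced cases respectively.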