| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Shorewall 3.0.4 dies in shell script parsing interfaces file | | |
| Product: | Gentoo Linux | Reporter: | David W Noon <david.w.noon> |
| Component: | [OLD] Server | Assignee: | Gentoo Netmon project <netmon> |
| Status: | RESOLVED UPSTREAM | | |
| Severity: | normal | CC: | rentorbuy, ticho |
| Priority: | High | | |
| Version: | 2005.0 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description (David W Noon, 2006-02-14 12:20:43 UTC)
Comment #1

You did update everything in /etc/shorewall, right? There have been drastic changes between 2.4.2 and 3.0.4.

Comment #2

(In reply to comment #1)
> You did update everything in /etc/shorewall, right? There have been drastic
> changes between 2.4.2 and 3.0.4.

Yes, I completely reworked all of the configuration files using the HTML manuals where needed.

Note that even if there had been "legacy" configuration entries, dying in a shell script is not the ideal way to report them. ... :-)

Comment #3

After some investigation, I know where the problem lies.

/usr/share/shorewall/firewall, line 1195:

    addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)

This line doesn't cause trouble unless your interface is called "inet". For "eth0", output of `ip -f addr show eth0` is for example:

    1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        inet 147.175.171.246/25 brd 147.175.255.255 scope global eth0

Grep for "inet" only leaves the second line - correctly. If your interface is called "inet", however, trouble hits:

    1: inet: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        inet 147.175.171.246/25 brd 147.175.255.255 scope global eth0

Grep for "inet", followed by `head -n1`, picks up the first line - incorrectly.

Can you please change line 1195 in /usr/share/shorewall/firewall to:

    addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet\ | head -n1)

(add a backslash and a space after "grep inet")

Try `shorewall check` after changing this line. Perhaps, though, there will be more trouble elsewhere. Looks like the shorewall authors didn't anticipate the possibility of someone naming their interface "inet".

Comment #4

(In reply to comment #3)
> After some investigation, I know where the problem lies.

Your analysis has proven correct.

> Grep for "inet", followed by `head -n1`, picks up the first line - incorrectly.
>
> Can you please change line 1195 in /usr/share/shorewall/firewall to:
>
> addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet\ | head -n1)

This change worked. Many thanks!

However ... My feeling is that grep and tail are the wrong tools for this job. They could both be replaced by gawk and this bug or others like it eliminated. For example:

    addr=$(ip -f inet addr show $interface 2> /dev/null | gawk 'BEGIN { getline; print }')

Such a change would have 3 immediate advantages:

1. It is lexically simpler, so easier to maintain.
2. It would not assume any particular character string or regular expression to identify the required line. [I.e. no *assumption* of uniqueness.]
3. It would run marginally faster, as there are now only 2 external processes in the sub-shell expression instead of 3.

The above comment applies in several places in the /usr/share/shorewall/firewall script. The use of (grep|head) or (grep|tail) is a frequent site of bugs in shell scripts.

> Looks like the shorewall authors didn't anticipate the possibility of someone
> naming their interface "inet".

Assumptions always end up biting somebody! [But why me? ... :-) ]

Comment #5

I have subscribed to the shorewall users mailing list, and will try to bring this bug report up there, as I have noticed this hasn't been fixed in 3.0.5 - understandingly, as this is a "twilight zone" bug, which is relevant to perhaps one or two specific users.

Thank you for reporting.

Comment #6

Thanks for the help Andrej :-)!
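The interface-name collision from comment #3, reproduced offline as an added example that is not part of the bug report or of the shorewall script: the two `ip` outputs are constructed after the lines quoted above, `addr_line_original` and `addr_line_fixed` are the line-1195 pipeline before and after the proposed change, and `first_inet_cidr` is a hypothetical stricter parser that keys on the first field being exactly `inet`.

```shell
#!/bin/sh
# Constructed sample of `ip -f inet addr show <iface>` output, modelled on the
# lines quoted in comment #3 (addresses are the report's own values).
SAMPLE_ETH0='1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 147.175.171.246/25 brd 147.175.255.255 scope global eth0'

# Same host, but the interface is named "inet": the header line now contains
# the substring "inet" as well, which is what trips the original pipeline.
SAMPLE_INET='1: inet: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 147.175.171.246/25 brd 147.175.255.255 scope global inet'

# Original pipeline from line 1195 of /usr/share/shorewall/firewall:
# a bare substring match on "inet", first match wins.
addr_line_original() {
    printf '%s\n' "$1" | grep inet | head -n1
}

# Fix proposed in comment #3: the pattern "inet " (trailing space) does not
# match "inet:" in the header line, so only the address line survives.
addr_line_fixed() {
    printf '%s\n' "$1" | grep 'inet ' | head -n1
}

# Hypothetical stricter helper (not from shorewall): require the first
# whitespace-delimited field to be exactly "inet" and return only the CIDR,
# so neither the interface name nor anything later on the line can match.
first_inet_cidr() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

for sample in "$SAMPLE_ETH0" "$SAMPLE_INET"; do
    printf 'original: %s\n' "$(addr_line_original "$sample")"
    printf 'fixed:    %s\n' "$(addr_line_fixed "$sample")"
    printf 'cidr:     %s\n' "$(first_inet_cidr "$sample")"
done
```

Running it shows the original pipeline returning the header line for the "inet" interface while both the proposed fix and the field-based parser return the address line.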