| Summary: | firehol doesn't report error output | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Tyler Montbriand <tyler> |
| Component: | Current packages | Assignee: | No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: | Redirects errors to stderr where they belong. | ||
Created attachment 242649 [details, diff]
Redirects errors to stderr where they belong.
+*firehol-1.273-r2 (02 Apr 2012) + + 02 Apr 2012; Pacho Ramos <pacho@gentoo.org> + +files/firehol-1.273-log-output.patch, +firehol-1.273-r2.ebuild: + Add missing kernel checks (#310797 by Phil Koenig, Tom Knight, Tyler + Montbriand), use static and fixed RESERVED_IPS file (#332135 by Richard Gray), + handle errors better (#332507 by Tyler Montbriand). + |
When you run firehol through the init script, it never displays any error text from failed ip commands. Reproducible: Always Steps to Reproduce: 1. Try and start firehol with a bad kernel config so it fails. /etc/init.d/firehol start 2. Now, run firehol by hand: /usr/sbin/firehol start Actual Results: When you run the init script, you see error messages like: ERROR : # 1. WHAT : A runtime command failed to execute (returned error 2). SOURCE : line 17 of /etc/firehol/firehol.conf COMMAND : /sbin/iptables -t filter -A out_world_all_c1 -m state '' --state NEW\,ESTABLISHED -j ACCEPT OUTPUT : When you run it by hand, you see: ERROR : # 1. WHAT : A runtime command failed to execute (returned error 2). SOURCE : line 17 of /etc/firehol/firehol.conf COMMAND : /sbin/iptables -t filter -A out_world_all_c1 -m state '' --state NEW\,ESTABLISHED -j ACCEPT OUTPUT : iptables: No chain/target/match by that name. Expected Results: The error output should be visible from the init script too. It turns out that the output text of the failed ip command is being written to stdout, even though the block of text prepending it is written to stderr! Quite probably a bug or oversight. The init system feeds stdout into /dev/null, so we never see it unless we run /usr/sbin/firehol by hand. I've attached a patch for the firehol script which fixes this misdirection. I've set this 'major' since it makes firehol very difficult to debug. See http://bugs.gentoo.org/show_bug.cgi?id=310797 's lack of output -- I'd been on a wild goose chase with that bug for much longer than that bug's been posted, "No chain/target/match by that name" would have told me exactly where to look.