Hi,

Shorewall is a great project -- I've used it for a while now and it really does a great job. Thanks to all the people who put their work into it.

I've stumbled across a bug while preparing to make a change to my rules file. It seems that the backslash character "\" continues comment lines. I don't think this is desirable behavior, as it causes very unexpected behavior when you comment out a line that ends in "\".

Backstory: While preparing to make a change to the rules file, new rules were added in a commented state. shorewall restart was run at some point, which caused strange brokenness in the firewall. Diffs against the last known working config, which was untouched for months, showed only the addition of the commented rules, which led to a very puzzled debugging session.

The new commented rule was added like this, which seems to have turned the entire rule into a comment:

#DNAT net:x.x.x.x,y.y.y.y \
DNAT net:x.x.x.x \
internal:10.0.0.123 tcp 3306 - z.z.z.z

Cheers,
ds

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
David Sparks wrote:
> Hi,
>
> Shorewall is a great project -- I've used it for a while now and it
> really does a great job. Thanks to all the people who put their work
> into it.
>
> I've stumbled across a bug while preparing to make a change to my rules
> file. It seems that the backslash character "\" continues comment
> lines. I don't think this is desirable behavior, as it causes very
> unexpected behavior when you comment out a line that ends in "\".
>
> Backstory: While preparing to make a change to the rules file, new rules
> were added in a commented state. shorewall restart was run at some
> point, which caused strange brokenness in the firewall. Diffs against the
> last known working config, which was untouched for months, showed only the
> addition of the commented rules, which led to a very puzzled debugging
> session.
>
> The new commented rule was added like this, which seems to have turned
> the entire rule into a comment:
>
> #DNAT net:x.x.x.x,y.y.y.y \
> DNAT net:x.x.x.x \
> internal:10.0.0.123 tcp 3306 - z.z.z.z
>

This is a function of the shell -- Shorewall has no control over it.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Hi,

> This is a function of the shell -- Shorewall has no control over it.

Thanks for the response. After a bit of digging I see it's the shell's read() call that is responsible. Strangely enough, the command interpreter part of the shell properly handles commented \ at eol. I guess I can live with this limitation now that I know about it.

Kudos for your hard work on Shorewall!

ds
David Sparks wrote:
> Hi,
>
>> This is a function of the shell -- Shorewall has no control over it.
>
> Thanks for the response. After a bit of digging I see it's the shell's
> read() call that is responsible. Strangely enough, the command
> interpreter part of the shell properly handles commented \ at eol.

In the case you are seeing though, by the time that Shorewall sees the 'line', the trailing \ characters have caused concatenation. So when Shorewall discards everything past the first "#", it doesn't know that it is dropping multiple lines from the original file.

> I guess I can live with this limitation now that I know about it.

I'm glad, since I don't believe that there is anything I can do about it.

> Kudos for your hard work on Shorewall!

Thanks!

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
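The concatenation Tom describes, as an added example that is not Shorewall's own code: a minimal shell-based reader built on `read` without `-r` (which joins backslash-terminated physical lines before any comment stripping can happen) beside one that reads raw and only honours a trailing backslash after the comment has been removed, plus a `grep` check that flags commented lines ending in `\` before a restart. The function names, the simplified parsers and the sample rules file (built from the fragment in the first message) are all constructed here; they emulate the effect, not Shorewall's actual parsing code.

```shell
#!/bin/sh
# Added example, not Shorewall's code. Emulates a config reader built on the
# shell's `read` builtin to show why a commented-out line ending in "\" takes
# the lines after it with it, and gives a pre-restart check for that pattern.

# Write the thread's rules fragment to a temporary file (constructed sample)
# and print its path. Line 1 is the commented-out alternative, lines 2-3 are
# one DNAT rule split with a continuation backslash, line 4 is an unrelated
# rule that should survive either way.
make_sample_rules() {
    rules_tmp=$(mktemp) || return 1
    cat > "$rules_tmp" <<'EOF'
#DNAT net:x.x.x.x,y.y.y.y \
DNAT net:x.x.x.x \
internal:10.0.0.123 tcp 3306 - z.z.z.z
ACCEPT net fw tcp 22
EOF
    printf '%s\n' "$rules_tmp"
}

# Reader A: `read` without -r. The backslash-newline pair is consumed by
# `read` itself, so the first three physical lines arrive as ONE logical line
# that begins with "#", and the whole thing (DNAT rule included) is dropped
# as a comment. Prints the rules that survive, one per line.
rules_via_plain_read() {
    while read line; do
        line=${line%%#*}                 # discard everything from the first "#"
        [ -n "$line" ] && printf '%s\n' "$line"
    done < "$1"
    return 0
}

# Reader B: `read -r` keeps the backslash literal, and the reader handles
# continuation itself only AFTER stripping the comment, so a "\" inside a
# comment can never glue physical lines together. Prints surviving rules.
rules_via_raw_read() {
    pending=''
    while read -r line; do
        line=${line%%#*}
        case $line in
            *\\) pending="$pending${line%\\}"; continue ;;   # keep collecting
        esac
        line="$pending$line"
        pending=''
        [ -n "$line" ] && printf '%s\n' "$line"
    done < "$1"
    return 0
}

# Pre-restart check: report comment lines that end in a backslash, the exact
# pattern that makes `read` (without -r) merge them with the lines below.
# Prints "line-number:text" per hit; exit status 0 if any hit was found.
commented_continuations() {
    grep -n '^[[:space:]]*#.*\\$' "$1"
}

# Stand-alone run: show both readings and the check on the sample file.
sample=$(make_sample_rules)
printf 'rules seen with plain read:\n'
rules_via_plain_read "$sample"
printf 'rules seen with read -r and comment-aware continuation:\n'
rules_via_raw_read "$sample"
printf 'comment lines ending in a backslash:\n'
commented_continuations "$sample"
rm -f "$sample"
```

Run on the sample, reader A sees only the ACCEPT rule, exactly the "entire rule turned into a comment" symptom from the first message, while reader B sees the joined DNAT rule and the ACCEPT rule; the `grep` check is the cheap thing to run on a rules file before `shorewall restart` when a commented line might end in `\`.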