Hi, I'm sorry I like to try and submit fixes if I can. Short of time here:

Running shorewall-4.4.22 (not latest beta), I observe that "shorewall
hits" gives output:

...
   HITS IP              PORT
   ---- --------------- -----
     14 192.168.105.70  sh: invalid number ''0
...

I *think* this is because of some ICMP entries in the log file:

Aug 31 09:30:37 localhost kern.info kernel: [142338.667337]
Shorewall:fw2net:LOG:IN= OUT=eth0 SRC=192.168.105.70 DST=87.248.120.148
LEN=38 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=52515 SEQ=12 MARK=0xd00ff

This is basically cosmetic though. Not a real issue.

Note I am running this under busybox ash shell, so it's entirely possible
this is an artifact of my shell and doesn't appear on bash?

Thanks

Ed W

On Wed, 2011-08-31 at 14:20 +0100, Ed W wrote:
> Hi, I'm sorry I like to try and submit fixes if I can. Short of time here:
>
> Running shorewall-4.4.22 (not latest beta), I observe that "shorewall
> hits" gives output:
>
> ...
>    HITS IP              PORT
>    ---- --------------- -----
>      14 192.168.105.70  sh: invalid number ''0
> ...
>
> I *think* this is because of some ICMP entries in the log file:
>
> Aug 31 09:30:37 localhost kern.info kernel: [142338.667337]
> Shorewall:fw2net:LOG:IN= OUT=eth0 SRC=192.168.105.70 DST=87.248.120.148
> LEN=38 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
> ID=52515 SEQ=12 MARK=0xd00ff
>

That is unlikely to be the cause. Log records for that part of the
'hits' output are selected using this invocation of grep:

    grep "${today}IN=.* OUT=.*DPT"

So it is likely to be a busybox issue. Why don't you:

    shorewall trace hits 2> trace

and see what's happening?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 31/08/2011 14:56, Tom Eastep wrote:
> So it is likely to be a busybox issue. Why don't you:
>
> shorewall trace hits 2> trace

Hi, it's late, so I'm probably not thinking clearly. The trace also
hints at some log line like the one I posted I think? I think I counted
the ICMP lines in the log file and indeed there were 14?

Trace output below, help appreciated (note I'm copy/pasting over a
serial console and it wraps at odd places):

+ shift
+ hits_command
+ local finished
+ finished=0
+ local today
+ today
+ [ 0 -eq 0 -a 0 -gt 0 ]
+ [ 0 -eq 0 ]
+ clear_term
+ [ -t 1 ]
+ clear
+ date
+ echo Shorewall 4.4.22.3 Hits at localhost - Wed Aug 31 22:52:55 UTC 2011
+ echo
+ timeout=30
+ grep -q IN=.* OUT
+ tac /var/log/messages
+ echo HITS IP DATE
+ echo ---- --------------- ------
+ read count address month day
+ sort -rn
+ uniq -c
+ sort
+ sed s/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/
+ grep IN=.* OUT
+ tac /var/log/messages
+ printf %7d %-15s %3s %2d\n 37 192.168.105.70 Aug 31
+ read count address month day
+ echo
+ echo HITS IP PORT
+ echo ---- --------------- -----
+ sort -rn
+ uniq -c
+ sort
+ sed s/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
t
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/
+ grep IN=.* OUT
+ tac /var/log/messages
+ read count address port
+ printf %7d %-15s %d\n 14 192.168.105.70
sh: invalid number ''
+ read count address port
+ printf %7d %-15s %d\n 1 192.168.105.70 33457
+ read count address port
+ printf %7d %-15s %d\n 1 192.168.105.70 33456
+ read count address port
...
...

On Aug 31, 2011, at 3:57 PM, Ed W wrote:
>
> Hi, it's late, so I'm probably not thinking clearly. The trace also
> hints at some log line like the one I posted I think? I think I counted
> the ICMP lines in the log file and indeed there were 14?
>
> Trace output below, help appreciated (note I'm copy/pasting over a
> serial console and it wraps at odd places):
>
>
> + shift
> + hits_command
> + local finished
> + finished=0
> + local today
> + today
> + [ 0 -eq 0 -a 0 -gt 0 ]
> + [ 0 -eq 0 ]
> + clear_term
> + [ -t 1 ]
> + clear
> + date
> + echo Shorewall 4.4.22.3 Hits at localhost - Wed Aug 31 22:52:55 UTC 2011
> + echo
> + timeout=30
> + grep -q IN=.* OUT
> + tac /var/log/messages
> + echo HITS IP DATE
> + echo ---- --------------- ------
> + read count address month day
> + sort -rn
> + uniq -c
> + sort
> + sed s/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/
> + grep IN=.* OUT
> + tac /var/log/messages
> + printf %7d %-15s %3s %2d\n 37 192.168.105.70 Aug 31
> + read count address month day
> + echo
> + echo HITS IP PORT
> + echo ---- --------------- -----
> + sort -rn
> + uniq -c
> + sort
> + sed s/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
> t
> s/\(.*SRC=\)\(.*\)\(
> DST=.*\)/\2/
> + grep IN=.* OUT
> + tac /var/log/messages
> + read count address port
> + printf %7d %-15s %d\n 14 192.168.105.70
> sh: invalid number ''
>

The 'invalid number' message is a feature of busybox printf. The
attached patch makes busybox output look like that of other environments.

-Tom
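
An added example (not the patch attached to the message above, which is not reproduced on this page, and not Shorewall's own code): the two sed substitutions from the trace leave the port field empty for a record with no DPT=, such as an ICMP entry, and that empty string is what printf's %d then receives. The sample log lines, the function names and the `${port:-0}` default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shorewall code. The sample records are constructed:
# one ICMP echo request (no DPT= field) and two TCP records to port 443.
sample_log() {
    cat <<'EOF'
Aug 31 09:30:37 localhost kernel: Shorewall:fw2net:LOG:IN= OUT=eth0 SRC=192.168.105.70 DST=192.0.2.1 LEN=38 PROTO=ICMP TYPE=8 CODE=0 ID=52515 SEQ=12
Aug 31 09:31:02 localhost kernel: Shorewall:fw2net:LOG:IN= OUT=eth0 SRC=192.168.105.70 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=443 WINDOW=5840
Aug 31 09:31:05 localhost kernel: Shorewall:fw2net:LOG:IN= OUT=eth0 SRC=192.168.105.70 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=443 WINDOW=5840
EOF
}

# The two substitutions shown in the trace. The first yields "SRC PORT" when
# DPT= is present; `t` then skips the second. Without DPT= the first does not
# match and the second yields "SRC" alone, so the port column is empty.
src_port_fields() {
    sed -e 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/' \
        -e t \
        -e 's/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/'
}

# Count identical "SRC PORT" pairs and print the HITS/IP/PORT rows.
hits_by_port() {
    src_port_fields | sort | uniq -c | sort -rn |
    while read -r count address port; do
        # Assumed guard: an empty port is printed as 0, so %d never sees ''
        # (the value busybox printf rejects with "invalid number").
        printf '%7d %-15s %d\n' "$count" "$address" "${port:-0}"
    done
}

sample_log | hits_by_port
```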