Package: shorewall Version: 5.2.8-1 Severity: important Tags: ipv6 patch security upstream X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Starting the ipv6 firewall gives an error message. The firewall still starts, though.

    $ sudo shorewall6 stop
    Stopping Shorewall6....
    /var/lib/shorewall6/firewall: 776: [: 64: unexpected operator
    Preparing ip6tables-restore input...
    Running /sbin/ip6tables-restore --wait 60... done.
    $

The problem is in /usr/share/shorewall/lib.runtime which compiles the script. The line that spills the error message is in function convert_to_anycast():

    while read address; do
        case $address in
            2*|3*)
                vlsm=${address#*/}
                vlsm=${vlsm:=128}
                *** THIS ONE ***
                if [ $vlsm -le 120 ]; then
                    #
                    # Defines a viable subnet -- first get the subnet-router anycast address
                    #
                    host=$((128 - $vlsm))

$address and therefore $vlsm should contain the ip address. However, in my case it ends up with

    2001:abcd:1234:dead:beef:abcd:1234:2222/64 metric 256

It seems that function find_interface_full_addresses() in lib.runtime expects the ip address in "ip addr show" to always be followed by "scope global..." etc. In my case:

    $ ip addr show lan0 | grep inet6
        inet6 2001:abcd:1234:dead:beef:abcd:1234:2222/64 metric 256 scope global dynamic mngtmpaddr

This patch should fix the problem. At least it seems to work here.

Samuli

*** 99_fix_find_interface_addresses.patch

Fix sed inside function find_interface_full_addresses() to also clean up "metric" information from ip address. Pretty much untested and certainly unaudited!!!

Index: shorewall-5.2.8/shorewall/Perl/lib.runtime
===================================================================
--- shorewall-5.2.8.orig/shorewall/Perl/lib.runtime 2023-01-19 14:31:25.000000000 +0200
+++ shorewall-5.2.8/shorewall/Perl/lib.runtime 2023-02-05 00:24:17.424000000 +0200
@@ -1140,7 +1140,7 @@ find_interface_full_addresses() # $1 = interface { - $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//' + $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//;s/ metric [0-9]*//' } # -- System Information: Debian Release: bookworm/sid APT prefers testing APT policy: (110, 'testing'), (100, 'unstable'), (95, 'experimental'), (80, 'stable') Architecture: arm64 (aarch64) Kernel: Linux 6.1.0-3-arm64 (SMP w/4 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages shorewall depends on: ii bc 1.07.1-3 ii init-system-helpers 1.65.2 ii iproute2 6.1.0-1 ii iptables 1.8.9-2 ii perl 5.36.0-7 ii shorewall-core 5.2.8-1 Versions of packages shorewall recommends: ii libnetfilter-cthelper0 1.0.1-1 Versions of packages shorewall suggests: ii make 4.3-4.1 pn shorewall-doc <none> -- Configuration Files: /etc/shorewall/conntrack [Errno 13] Permission denied: '/etc/shorewall/conntrack' /etc/shorewall/params [Errno 13] Permission denied: '/etc/shorewall/params' /etc/shorewall/shorewall.conf changed [not included] -- no debconf information
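Review bot: the new `s/ metric [0-9]*//` in the `+` line extends the keyword blacklist (scope, peer, now metric) rather than fixing the parsing strategy, so the next field iproute2 prints between the prefix length and "scope" will reproduce exactly the same "[: 64: unexpected operator" failure in convert_to_anycast(). The caller only needs the ADDRESS/PLEN token, and the existing peer substitution already folds "LOCAL peer PEER/PLEN" into "LOCAL/PLEN", so dropping everything after the first space once peer is handled is the robust form, e.g. `sed 's/\s*inet6 //;s/ peer [0-9a-f:]*//;s/ .*//'`. Independently of which sed is kept, convert_to_anycast() should check that $vlsm is an integer (e.g. `case $vlsm in *[!0-9]*) continue;; esac`) before `[ $vlsm -le 120 ]`, so a stray field fails at one obvious place instead of as a dash syntax error at line 776 of the compiled firewall script. Finally, the patch description's "Pretty much untested" should be replaced with what was actually exercised (the `shorewall6 stop` run shown above) before this is forwarded upstream.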
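The parsing step behind this report, as an added example that is neither shorewall code nor part of the bug report: constructed `ip -f inet6 addr show` output (the interface name, addresses and lifetimes are made up; the "metric 256" line mirrors the shape quoted above) is run through the unpatched sed and through the patched sed, and each result is then fed to the prefix-length extraction from convert_to_anycast(). The `BAD:`/`OK:`/`SKIP:` labels and the `unguarded_check` helper are this example's own, not names from lib.runtime.

```shell
#!/bin/sh
# Added example, not from shorewall or from the bug report. Shows why the
# unpatched sed in find_interface_full_addresses() leaves "metric 256" in
# the address and how that breaks "[ $vlsm -le 120 ]" in convert_to_anycast().

# Constructed sample of "ip -f inet6 addr show lan0" output. Line 1 is the
# reported shape (route metric printed before "scope"); line 3 has a peer.
SAMPLE_IP_OUTPUT='3: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:dead:beef:abcd:1234:2222/64 metric 256 scope global dynamic mngtmpaddr
       valid_lft 86171sec preferred_lft 14171sec
    inet6 2001:db8:1234:dead::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:ffff::2 peer 2001:db8:ffff::1/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1234:abcd:1234:2222/64 scope link
       valid_lft forever preferred_lft forever'

# The grep/sed pipeline from the unpatched lib.runtime (the "-" line).
old_filter() {
    grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
}

# The grep/sed pipeline from the patch (the "+" line): also drops "metric N".
new_filter() {
    grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//;s/ metric [0-9]*//'
}

# Mirrors convert_to_anycast(): only 2000::/3 addresses, VLSM is whatever
# follows the first "/". A non-integer VLSM is reported as BAD instead of
# being handed to "[", which is where the original script errors out.
vlsm_of() {
    while read address; do
        case $address in
            2*|3*)
                vlsm=${address#*/}
                vlsm=${vlsm:=128}
                case $vlsm in
                    *[!0-9]*) echo "BAD:$vlsm" ;;
                    *) if [ "$vlsm" -le 120 ]; then echo "OK:$vlsm"; else echo "SKIP:$vlsm"; fi ;;
                esac
                ;;
        esac
    done
}

# Exactly what the original does with the VLSM: an unquoted "[" integer test.
# Exit status 0/1 means a comparison happened; 2 means "[" rejected its
# arguments (the "[: 64: unexpected operator" from the report under dash).
unguarded_check() {
    [ $1 -le 120 ] 2>/dev/null
}

# One line per inet6 address, as each version of the function would return it.
old_addresses() { printf '%s\n' "$SAMPLE_IP_OUTPUT" | old_filter | while read a; do echo "$a"; done; }
new_addresses() { printf '%s\n' "$SAMPLE_IP_OUTPUT" | new_filter | while read a; do echo "$a"; done; }

# Per-address verdicts joined with ";" so they can be compared as one string.
old_results() { old_addresses | vlsm_of | paste -s -d ';' -; }
new_results() { new_addresses | vlsm_of | paste -s -d ';' -; }

# Stand-alone demo output.
printf 'unpatched: %s\npatched:   %s\n' "$(old_results)" "$(new_results)"
```

With the unpatched sed the first address comes back as `2001:db8:1234:dead:beef:abcd:1234:2222/64 metric 256`, so `${address#*/}` yields `64 metric 256` and the unquoted `[ $vlsm -le 120 ]` becomes a five-argument test that `[` rejects; the patched sed returns a clean `ADDR/PLEN` for every line, including the peer case that the existing `s/ peer .../` already handled.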