Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Hi Felix,
I am attaching two scripts that showing problems I reported.
there are script results below, that I got.
I am using BusyBox v1.15.3 from latest trunk code(r18874).
Thanks
ugur
/tmp # ./test_sh1.sh
WITHOUT_EVAL: $proto
WITH_EVAL: tcp
/tmp #
/tmp # ./test_sh2.sh
CONCATTED:
sh: can't execute ' ': No such file or directory
END
NOT CONCATTED:
END
Felix Fietkau wrote:
On 2009-12-08 1:36 PM, Ugur DOGRU wrote:
Hi,
After getting busybox 1.15.2, local macro is not a problem now. So I
removed all modifications that removes local.
To remind it, these changes are for ubicom32 platform, but for all
no-mmu platforms in general.
As ash cannot run on no-mmu system, we are using hush instead.
There are still not compatible features between ash/hush. I've listed
them below. Please note that these are only
problems that I've encountered in firewall/iptables scripts.
1/ hush needs eval to substitute string.
2/ hush doesn't handle line concatenation : \
Are you sure that these two kinds of changes are still necessary? I
tried to reproduce your issues by writing small test cases with hush
here, but every test case I come up with seems to work fine.
I also tested parameter expansion such as ${var:+-p $var}, and I also
cannot get it to fail with hush.
If hush still has issues with some of these expansions, could you please
reduce it down to a small test case, so that I can verify it and maybe
fix it in hush directly instead of the scripts?
3/ hush crashes if two scripts include each other. (uci_firewall.sh and
/etc/hotplug.d/iface/20-firewall includes each other)
I replaced that today without duplicating the hotplug script's code.
As to some of your other changes:
- config_get exists $ZONE_LIST $1
+eval_ZONE_LIST=$(eval echo $ZONE_LIST)
+config_get exists $eval_ZONE_LIST $1
Why is this necessary?
- Felix
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
test_sh1.sh
Description: Bourne shell script
test_sh2.sh
Description: Bourne shell script
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Felix Fietkau wrote:
On 2009-12-08 1:36 PM, Ugur DOGRU wrote:
Hi,
After getting busybox 1.15.2, local macro is not a problem now. So I
removed all modifications that removes local.
To remind it, these changes are for ubicom32 platform, but for all
no-mmu platforms in general.
As ash cannot run on no-mmu system, we are using hush instead.
There are still not compatible features between ash/hush. I've listed
them below. Please note that these are only
problems that I've encountered in firewall/iptables scripts.
1/ hush needs eval to substitute string.
2/ hush doesn't handle line concatenation : \
Are you sure that these two kinds of changes are still necessary? I
tried to reproduce your issues by writing small test cases with hush
here, but every test case I come up with seems to work fine.
I also tested parameter expansion such as ${var:+-p $var}, and I also
cannot get it to fail with hush.
If hush still has issues with some of these expansions, could you please
reduce it down to a small test case, so that I can verify it and maybe
fix it in hush directly instead of the scripts?
Yes. I had some troubles about them. I can not get for now a console
prompt on my board
to test it. I think you can get fragments from uci_firewall.sh to test.
For line concatenation. I think below script will show problem by
running with/without line concat sign.
I will try if I will be able to get a shell prompt.
#!/bin/sh
src_port=100-200
src_port_first=${src_port%-*}
src_port_last=${src_port#*-}
[ $src_port_first -ne $src_port_last ] { \
src_port=$src_port_first:$src_port_last; }
3/ hush crashes if two scripts include each other. (uci_firewall.sh and
/etc/hotplug.d/iface/20-firewall includes each other)
I replaced that today without duplicating the hotplug script's code.
As to some of your other changes:
- config_get exists $ZONE_LIST $1
+eval_ZONE_LIST=$(eval echo $ZONE_LIST)
+config_get exists $eval_ZONE_LIST $1
Why is this necessary?
This is about eval problem.
- Felix
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Hi,
After getting busybox 1.15.2, local macro is not a problem now. So I
removed all modifications that removes local.
To remind it, these changes are for ubicom32 platform, but for all
no-mmu platforms in general.
As ash cannot run on no-mmu system, we are using hush instead.
There are still not compatible features between ash/hush. I've listed
them below. Please note that these are only
problems that I've encountered in firewall/iptables scripts.
1/ hush needs eval to substitute string.
2/ hush doesn't handle line concatenation : \
3/ hush crashes if two scripts include each other. (uci_firewall.sh and
/etc/hotplug.d/iface/20-firewall includes each other)
I am attaching patch file that solving above problems.
we need your comments for these issues.
regards
ugur
Felix Fietkau wrote:
Jo-Philipp Wich wrote:
The following function supports multiple args like the original local.
if ! type local /dev/null; then
local() {
for _v in $*; do eval $_v=''; done
}
fi
If you add that to /etc/profile (is that supported by hush?) then it
should be available system wide, in any script.
/etc/functions.sh would be a better place, imho. I think /etc/profile is
not automatically sourced by shell scripts. This function doesn't
currently cover all scripts, it needs to handle things like
local var=value
as well without inserting extra = characters.
- Felix
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
diff -ruN /home/ugur/Desktop/openwrt-trunk-r18672/package/firewall/files/uci_firewall.sh /home/ugur/ubicom-distro/openwrt/package/firewall/files/uci_firewall.sh
--- /home/ugur/Desktop/openwrt-trunk-r18672/package/firewall/files/uci_firewall.sh 2009-12-01 22:31:10.0 +0200
+++ /home/ugur/ubicom-distro/openwrt/package/firewall/files/uci_firewall.sh 2009-12-08 14:01:13.0 +0200
@@ -46,9 +46,10 @@
[ $1 == loopback ] return
- config_get exists $ZONE_LIST $1
+eval_ZONE_LIST=$(eval echo $ZONE_LIST)
+config_get exists $eval_ZONE_LIST $1
[ -n $exists ] return
- config_set $ZONE_LIST $1 1
+config_set $eval_ZONE_LIST $1 1
$IPTABLES -N zone_$1
$IPTABLES -N zone_$1_MSSFIX
@@ -280,12 +281,12 @@
src_port_first=${src_port%-*}
src_port_last=${src_port#*-}
- [ $src_port_first -ne $src_port_last ] { \
+ [ $src_port_first -ne $src_port_last ] {
src_port=$src_port_first:$src_port_last; }
dest_port_first=${dest_port%-*}
dest_port_last=${dest_port#*-}
- [ $dest_port_first -ne $dest_port_last ] { \
+ [ $dest_port_first -ne $dest_port_last ] {
dest_port=$dest_port_first:$dest_port_last; }
ZONE=input
@@ -295,15 +296,13 @@
[ -n $src -a -n $dest ] ZONE=zone_${src}_forward
[ -n $dest ] TARGET=zone_${dest}_$target
add_rule() {
- $IPTABLES -A $ZONE \
- ${proto:+-p $proto} \
- ${icmp_type:+--icmp-type $icmp_type} \
- ${src_ip:+-s $src_ip} \
- ${src_port:+--sport $src_port} \
- ${src_mac:+-m mac --mac-source $src_mac} \
- ${dest_ip:+-d $dest_ip} \
- ${dest_port:+--dport $dest_port} \
- -j $TARGET
+PROTO=$(eval echo \${proto:+-p $proto}\)
+SRC_IP=$(eval echo \${src_ip:+-s $src_ip}\)
+SRC_PORT=$(eval echo \${src_port:+--sport $src_port}\)
+SRC_MAC=$(eval echo \${src_mac:+-m mac --mac-source $src_mac}\)
+DEST_IP=$(eval echo \${dest_ip:+-d $dest_ip}\)
+DEST_PORT=$(eval echo \${dest_port:+--dport $dest_port}\)
+$IPTABLES -I $ZONE 1 $PROTO $SRC_IP $SRC_PORT $SRC_MAC $DEST_IP $DEST_PORT -j $TARGET
}
[ $proto == tcpudp -o -z $proto ] {
proto=tcp
@@ -349,42 +348,40 @@
config_get dest_ip $1 dest_ip
config_get dest_port $1 dest_port
config_get proto $1 proto
- [ -z $src -o -z $dest_ip ] { \
+ [ -z $src -o -z $dest_ip ] {
echo redirect needs src and dest_ip; return ; }
src_port_first=${src_port%-*}
src_port_last=${src_port#*-}
- [ $src_port_first -ne $src_port_last ] { \
+ [ $src_port_first -ne $src_port_last ] {
src_port=$src_port_first:$src_port_last; }
src_dport_first=${src_dport%-*}
src_dport_last=${src_dport#*-}
- [ $src_dport_first -ne $src_dport_last ] { \
+ [ $src_dport_first -ne $src_dport_last ] {
src_dport=$src_dport_first:$src_dport_last; }
dest_port2=${dest_port:-$src_dport}
dest_port_first=${dest_port2%-*}
dest_port_last=${dest_port2#*-}
- [ $dest_port_first -ne $dest_port_last ] { \
+ [ $dest_port_first -ne $dest_port_last ] {
dest_port2=$dest_port_first:$dest_port_last; }
add_rule() {
- $IPTABLES -A zone_${src}_prerouting -t nat \
- ${proto:+-p $proto} \
- ${src_ip:+-s $src_ip} \
- ${src_port:+--sport $src_port} \
- ${src_dport:+--dport $src_dport} \
- ${src_mac:+-m mac --mac-source $src_mac} \
- -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port}
-
- $IPTABLES -I zone_${src}_forward 1 \
- ${proto:+-p $proto} \
- -d $dest_ip \
-
[OpenWrt-Devel] [PATCH] firewall/iptables
This patch is for firewall/iptables. Most of it is to fix some hush
script problems.
Adds also some SPI rule to firewall script.
diff -ruN package/firewall/files/20-firewall
package-after/firewall/files/20-firewall
--- package/firewall/files/20-firewall2009-10-06 15:41:25.0
+0300
+++ package-after/firewall/files/20-firewall2009-10-20
13:51:40.0 +0300
@@ -4,8 +4,8 @@
[ $ifname == lo ] exit 0
load_zones() {
-local name
-local network
+ name=
+ network=
config_get name $1 name
config_get network $1 network
[ -z $network ] network=$name
@@ -20,17 +20,18 @@
[ ifup = $ACTION ] {
for z in $ZONE; do
-local loaded
+ loaded=
config_get loaded core loaded
-[ -n $loaded ] addif $INTERFACE $ifname $z
+[ -n $loaded ] [ -n $z ] addif $INTERFACE $ifname
$z
done
}
[ ifdown = $ACTION ] {
-local up
-config_get up $INTERFACE up
+up=
for z in $ZONE; do
-[ $up == 1 ] delif $INTERFACE $ifname $z
+ up=
+config_get up $z up
+[ $up == 1 ] [ -n $z ] delif $INTERFACE $ifname
$z
done
}
diff -ruN package/firewall/files/uci_firewall.sh
package-after/firewall/files/uci_firewall.sh
--- package/firewall/files/uci_firewall.sh2009-10-06
15:41:25.0 +0300
+++ package-after/firewall/files/uci_firewall.sh2009-10-20
14:37:52.0 +0300
@@ -24,7 +24,7 @@
NOTRACK_DISABLED=
find_item() {
-local item=$1; shift
+item=$1; shift
for i in $@; do
[ $i = $item ] return 0
done
@@ -42,13 +42,14 @@
}
create_zone() {
-local exists
-
+exists=
+
[ $1 == loopback ] return
-config_get exists $ZONE_LIST $1
+eval_ZONE_LIST=$(eval echo $ZONE_LIST)
+config_get exists $eval_ZONE_LIST $1
[ -n $exists ] return
-config_set $ZONE_LIST $1 1
+config_set $eval_ZONE_LIST $1 1
$IPTABLES -N zone_$1
$IPTABLES -N zone_$1_MSSFIX
@@ -67,11 +68,12 @@
}
addif() {
-local network=$1
-local ifname=$2
-local zone=$3
+network=$1
+ifname=$2
+zone=$3
-local n_if n_zone
+n_if=
+n_zone=
config_get n_if core ${network}_ifname
config_get n_zone core ${network}_zone
[ -n $n_zone ] {
@@ -101,9 +103,9 @@
}
delif() {
-local network=$1
-local ifname=$2
-local zone=$3
+network=$1
+ifname=$2
+zone=$3
logger removing $network ($ifname) from firewall zone $zone
$IPTABLES -D input -i $ifname -j zone_$zone
@@ -123,8 +125,8 @@
}
load_synflood() {
-local rate=${1:-25}
-local burst=${2:-50}
+rate=${1:-25}
+burst=${2:-50}
echo Loading synflood protection
$IPTABLES -N syn_flood
$IPTABLES -A syn_flood -p tcp --syn -m limit --limit $rate/second
--limit-burst $burst -j RETURN
@@ -133,8 +135,8 @@
}
fw_set_chain_policy() {
-local chain=$1
-local target=$2
+chain=$1
+target=$2
[ $target == REJECT ] {
$IPTABLES -A $chain -j reject
target=DROP
@@ -220,9 +222,9 @@
}
fw_zone() {
-local name
-local network
-local masq
+name=
+network=
+masq=
config_get name $1 name
config_get network $1 network
@@ -238,18 +240,18 @@
}
fw_rule() {
-local src
-local src_ip
-local src_mac
-local src_port
-local src_mac
-local dest
-local dest_ip
-local dest_port
-local proto
-local icmp_type
-local target
-local ruleset
+src=
+src_ip=
+src_mac=
+src_port=
+src_mac=
+dest=
+dest_ip=
+dest_port=
+proto=
+icmp_type=
+target=
+ruleset=
config_get src $1 src
config_get src_ip $1 src_ip
@@ -265,14 +267,18 @@
src_port_first=${src_port%-*}
src_port_last=${src_port#*-}
-[ $src_port_first -ne $src_port_last ] { \
-src_port=$src_port_first:$src_port_last; }
+if [ -n $src_port_last ] ; then
+[ $src_port_first -ne $src_port_last ] {
+src_port=$src_port_first:$src_port_last; }
+fi
dest_port_first=${dest_port%-*}
dest_port_last=${dest_port#*-}
-[ $dest_port_first -ne $dest_port_last ] { \
-dest_port=$dest_port_first:$dest_port_last; }
-
+if [ -n $dest_port_last ] ; then
+[ $dest_port_first -ne $dest_port_last ] {
+dest_port=$dest_port_first:$dest_port_last; }
+fi
+
ZONE=input
TARGET=$target
[ -z $target ] target=DROP
@@ -280,15 +286,14 @@
[ -n $src -a -n $dest ] ZONE=zone_${src}_forward
[ -n $dest ] TARGET=zone_${dest}_$target
add_rule() {
-$IPTABLES -I $ZONE 1 \
-${proto:+-p $proto} \
-${icmp_type:+--icmp-type $icmp_type} \
-${src_ip:+-s $src_ip} \
-${src_port:+--sport $src_port} \
-${src_mac:+-m mac --mac-source $src_mac} \
-${dest_ip:+-d $dest_ip} \
-${dest_port:+--dport $dest_port} \
--j $TARGET
+PROTO=$(eval echo \${proto:+-p $proto}\)
+
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
hi Malte, I forgot to say that, this is for ubicom32 cpu that has no mmu, and other no-mmu cpu's, there is no memory concern. this will not be the end of hush scripts changes, others are on the way. eval may be fishy for ash, i don't know. May be making a global switch mechanism between ash/hush is the solution to isolate different behaviour of shells. regards ugur -Original Message- From: openwrt-devel-boun...@lists.openwrt.org on behalf of Malte S. Stretz Sent: Tue 20.10.2009 16:51 To: OpenWrt Development List Subject: Re: [OpenWrt-Devel] [PATCH] firewall/iptables On Tuesday 20 October 2009 14:58:49 Ugur DOGRU wrote: This patch is for firewall/iptables. Most of it is to fix some hush script problems. [...] As most other init/hotplug scripts don't work with hush as well, I wonder why you went for the firewall only :) What you fixed are actually not problems in the scripts, but workarounds for hush-limitations and un-localizing variables is prone to breaking some stuff (I fixed one such issue earlier this year). The eval-code you used for assigning variables looks fishy as well but I never worked with hush so maybe PITAresque stuff like this is needed. Maybe you should just add the 50k and use ash instead? Cheers, Malte -- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Good idea. but, not sure that type supported by hush.
ugur
Jo-Philipp Wich wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The following function supports multiple args like the original local.
if ! type local /dev/null; then
local() {
for _v in $*; do eval $_v=''; done
}
fi
If you add that to /etc/profile (is that supported by hush?) then it
should be available system wide, in any script.
~ JoW
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkrd5AoACgkQdputYINPTPP2RwCgjlMDgHn/slP2BbQ+488LpzwN
GOIAnik/wOoQCFG7p9m7NXbKd3SZdIIs
=eQjM
-END PGP SIGNATURE-
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
