Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Hi Felix, I am attaching two scripts that showing problems I reported. there are script results below, that I got. I am using BusyBox v1.15.3 from latest trunk code(r18874). Thanks ugur /tmp # ./test_sh1.sh WITHOUT_EVAL: $proto WITH_EVAL: tcp /tmp # /tmp # ./test_sh2.sh CONCATTED: sh: can't execute ' ': No such file or directory END NOT CONCATTED: END Felix Fietkau wrote: On 2009-12-08 1:36 PM, Ugur DOGRU wrote: Hi, After getting busybox 1.15.2, local macro is not a problem now. So I removed all modifications that removes local. To remind it, these changes are for ubicom32 platform, but for all no-mmu platforms in general. As ash cannot run on no-mmu system, we are using hush instead. There are still not compatible features between ash/hush. I've listed them below. Please note that these are only problems that I've encountered in firewall/iptables scripts. 1/ hush needs eval to substitute string. 2/ hush doesn't handle line concatenation : \ Are you sure that these two kinds of changes are still necessary? I tried to reproduce your issues by writing small test cases with hush here, but every test case I come up with seems to work fine. I also tested parameter expansion such as ${var:+-p $var}, and I also cannot get it to fail with hush. If hush still has issues with some of these expansions, could you please reduce it down to a small test case, so that I can verify it and maybe fix it in hush directly instead of the scripts? 3/ hush crashes if two scripts include each other. (uci_firewall.sh and /etc/hotplug.d/iface/20-firewall includes each other) I replaced that today without duplicating the hotplug script's code. As to some of your other changes: - config_get exists $ZONE_LIST $1 +eval_ZONE_LIST=$(eval echo $ZONE_LIST) +config_get exists $eval_ZONE_LIST $1 Why is this necessary? - Felix ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel test_sh1.sh Description: Bourne shell script test_sh2.sh Description: Bourne shell script ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Felix Fietkau wrote: On 2009-12-08 1:36 PM, Ugur DOGRU wrote: Hi, After getting busybox 1.15.2, local macro is not a problem now. So I removed all modifications that removes local. To remind it, these changes are for ubicom32 platform, but for all no-mmu platforms in general. As ash cannot run on no-mmu system, we are using hush instead. There are still not compatible features between ash/hush. I've listed them below. Please note that these are only problems that I've encountered in firewall/iptables scripts. 1/ hush needs eval to substitute string. 2/ hush doesn't handle line concatenation : \ Are you sure that these two kinds of changes are still necessary? I tried to reproduce your issues by writing small test cases with hush here, but every test case I come up with seems to work fine. I also tested parameter expansion such as ${var:+-p $var}, and I also cannot get it to fail with hush. If hush still has issues with some of these expansions, could you please reduce it down to a small test case, so that I can verify it and maybe fix it in hush directly instead of the scripts? Yes. I had some troubles about them. I can not get for now a console prompt on my board to test it. I think you can get fragments from uci_firewall.sh to test. For line concatenation. I think below script will show problem by running with/without line concat sign. I will try if I will be able to get a shell prompt. #!/bin/sh src_port=100-200 src_port_first=${src_port%-*} src_port_last=${src_port#*-} [ $src_port_first -ne $src_port_last ] { \ src_port=$src_port_first:$src_port_last; } 3/ hush crashes if two scripts include each other. (uci_firewall.sh and /etc/hotplug.d/iface/20-firewall includes each other) I replaced that today without duplicating the hotplug script's code. As to some of your other changes: - config_get exists $ZONE_LIST $1 +eval_ZONE_LIST=$(eval echo $ZONE_LIST) +config_get exists $eval_ZONE_LIST $1 Why is this necessary? This is about eval problem. - Felix ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Hi, After getting busybox 1.15.2, local macro is not a problem now. So I removed all modifications that removes local. To remind it, these changes are for ubicom32 platform, but for all no-mmu platforms in general. As ash cannot run on no-mmu system, we are using hush instead. There are still not compatible features between ash/hush. I've listed them below. Please note that these are only problems that I've encountered in firewall/iptables scripts. 1/ hush needs eval to substitute string. 2/ hush doesn't handle line concatenation : \ 3/ hush crashes if two scripts include each other. (uci_firewall.sh and /etc/hotplug.d/iface/20-firewall includes each other) I am attaching patch file that solving above problems. we need your comments for these issues. regards ugur Felix Fietkau wrote: Jo-Philipp Wich wrote: The following function supports multiple args like the original local. if ! type local /dev/null; then local() { for _v in $*; do eval $_v=''; done } fi If you add that to /etc/profile (is that supported by hush?) then it should be available system wide, in any script. /etc/functions.sh would be a better place, imho. I think /etc/profile is not automatically sourced by shell scripts. This function doesn't currently cover all scripts, it needs to handle things like local var=value as well without inserting extra = characters. - Felix ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel diff -ruN /home/ugur/Desktop/openwrt-trunk-r18672/package/firewall/files/uci_firewall.sh /home/ugur/ubicom-distro/openwrt/package/firewall/files/uci_firewall.sh --- /home/ugur/Desktop/openwrt-trunk-r18672/package/firewall/files/uci_firewall.sh 2009-12-01 22:31:10.0 +0200 +++ /home/ugur/ubicom-distro/openwrt/package/firewall/files/uci_firewall.sh 2009-12-08 14:01:13.0 +0200 @@ -46,9 +46,10 @@ [ $1 == loopback ] return - config_get exists $ZONE_LIST $1 +eval_ZONE_LIST=$(eval echo $ZONE_LIST) +config_get exists $eval_ZONE_LIST $1 [ -n $exists ] return - config_set $ZONE_LIST $1 1 +config_set $eval_ZONE_LIST $1 1 $IPTABLES -N zone_$1 $IPTABLES -N zone_$1_MSSFIX @@ -280,12 +281,12 @@ src_port_first=${src_port%-*} src_port_last=${src_port#*-} - [ $src_port_first -ne $src_port_last ] { \ + [ $src_port_first -ne $src_port_last ] { src_port=$src_port_first:$src_port_last; } dest_port_first=${dest_port%-*} dest_port_last=${dest_port#*-} - [ $dest_port_first -ne $dest_port_last ] { \ + [ $dest_port_first -ne $dest_port_last ] { dest_port=$dest_port_first:$dest_port_last; } ZONE=input @@ -295,15 +296,13 @@ [ -n $src -a -n $dest ] ZONE=zone_${src}_forward [ -n $dest ] TARGET=zone_${dest}_$target add_rule() { - $IPTABLES -A $ZONE \ - ${proto:+-p $proto} \ - ${icmp_type:+--icmp-type $icmp_type} \ - ${src_ip:+-s $src_ip} \ - ${src_port:+--sport $src_port} \ - ${src_mac:+-m mac --mac-source $src_mac} \ - ${dest_ip:+-d $dest_ip} \ - ${dest_port:+--dport $dest_port} \ - -j $TARGET +PROTO=$(eval echo \${proto:+-p $proto}\) +SRC_IP=$(eval echo \${src_ip:+-s $src_ip}\) +SRC_PORT=$(eval echo \${src_port:+--sport $src_port}\) +SRC_MAC=$(eval echo \${src_mac:+-m mac --mac-source $src_mac}\) +DEST_IP=$(eval echo \${dest_ip:+-d $dest_ip}\) +DEST_PORT=$(eval echo \${dest_port:+--dport $dest_port}\) +$IPTABLES -I $ZONE 1 $PROTO $SRC_IP $SRC_PORT $SRC_MAC $DEST_IP $DEST_PORT -j $TARGET } [ $proto == tcpudp -o -z $proto ] { proto=tcp @@ -349,42 +348,40 @@ config_get dest_ip $1 dest_ip config_get dest_port $1 dest_port config_get proto $1 proto - [ -z $src -o -z $dest_ip ] { \ + [ -z $src -o -z $dest_ip ] { echo redirect needs src and dest_ip; return ; } src_port_first=${src_port%-*} src_port_last=${src_port#*-} - [ $src_port_first -ne $src_port_last ] { \ + [ $src_port_first -ne $src_port_last ] { src_port=$src_port_first:$src_port_last; } src_dport_first=${src_dport%-*} src_dport_last=${src_dport#*-} - [ $src_dport_first -ne $src_dport_last ] { \ + [ $src_dport_first -ne $src_dport_last ] { src_dport=$src_dport_first:$src_dport_last; } dest_port2=${dest_port:-$src_dport} dest_port_first=${dest_port2%-*} dest_port_last=${dest_port2#*-} - [ $dest_port_first -ne $dest_port_last ] { \ + [ $dest_port_first -ne $dest_port_last ] { dest_port2=$dest_port_first:$dest_port_last; } add_rule() { - $IPTABLES -A zone_${src}_prerouting -t nat \ - ${proto:+-p $proto} \ - ${src_ip:+-s $src_ip} \ - ${src_port:+--sport $src_port} \ - ${src_dport:+--dport $src_dport} \ - ${src_mac:+-m mac --mac-source $src_mac} \ - -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port} - - $IPTABLES -I zone_${src}_forward 1 \ - ${proto:+-p $proto} \ - -d $dest_ip \ -
[OpenWrt-Devel] [PATCH] firewall/iptables
This patch is for firewall/iptables. Most of it is to fix some hush script problems. Adds also some SPI rule to firewall script. diff -ruN package/firewall/files/20-firewall package-after/firewall/files/20-firewall --- package/firewall/files/20-firewall2009-10-06 15:41:25.0 +0300 +++ package-after/firewall/files/20-firewall2009-10-20 13:51:40.0 +0300 @@ -4,8 +4,8 @@ [ $ifname == lo ] exit 0 load_zones() { -local name -local network + name= + network= config_get name $1 name config_get network $1 network [ -z $network ] network=$name @@ -20,17 +20,18 @@ [ ifup = $ACTION ] { for z in $ZONE; do -local loaded + loaded= config_get loaded core loaded -[ -n $loaded ] addif $INTERFACE $ifname $z +[ -n $loaded ] [ -n $z ] addif $INTERFACE $ifname $z done } [ ifdown = $ACTION ] { -local up -config_get up $INTERFACE up +up= for z in $ZONE; do -[ $up == 1 ] delif $INTERFACE $ifname $z + up= +config_get up $z up +[ $up == 1 ] [ -n $z ] delif $INTERFACE $ifname $z done } diff -ruN package/firewall/files/uci_firewall.sh package-after/firewall/files/uci_firewall.sh --- package/firewall/files/uci_firewall.sh2009-10-06 15:41:25.0 +0300 +++ package-after/firewall/files/uci_firewall.sh2009-10-20 14:37:52.0 +0300 @@ -24,7 +24,7 @@ NOTRACK_DISABLED= find_item() { -local item=$1; shift +item=$1; shift for i in $@; do [ $i = $item ] return 0 done @@ -42,13 +42,14 @@ } create_zone() { -local exists - +exists= + [ $1 == loopback ] return -config_get exists $ZONE_LIST $1 +eval_ZONE_LIST=$(eval echo $ZONE_LIST) +config_get exists $eval_ZONE_LIST $1 [ -n $exists ] return -config_set $ZONE_LIST $1 1 +config_set $eval_ZONE_LIST $1 1 $IPTABLES -N zone_$1 $IPTABLES -N zone_$1_MSSFIX @@ -67,11 +68,12 @@ } addif() { -local network=$1 -local ifname=$2 -local zone=$3 +network=$1 +ifname=$2 +zone=$3 -local n_if n_zone +n_if= +n_zone= config_get n_if core ${network}_ifname config_get n_zone core ${network}_zone [ -n $n_zone ] { @@ -101,9 +103,9 @@ } delif() { -local network=$1 -local ifname=$2 -local zone=$3 +network=$1 +ifname=$2 +zone=$3 logger removing $network ($ifname) from firewall zone $zone $IPTABLES -D input -i $ifname -j zone_$zone @@ -123,8 +125,8 @@ } load_synflood() { -local rate=${1:-25} -local burst=${2:-50} +rate=${1:-25} +burst=${2:-50} echo Loading synflood protection $IPTABLES -N syn_flood $IPTABLES -A syn_flood -p tcp --syn -m limit --limit $rate/second --limit-burst $burst -j RETURN @@ -133,8 +135,8 @@ } fw_set_chain_policy() { -local chain=$1 -local target=$2 +chain=$1 +target=$2 [ $target == REJECT ] { $IPTABLES -A $chain -j reject target=DROP @@ -220,9 +222,9 @@ } fw_zone() { -local name -local network -local masq +name= +network= +masq= config_get name $1 name config_get network $1 network @@ -238,18 +240,18 @@ } fw_rule() { -local src -local src_ip -local src_mac -local src_port -local src_mac -local dest -local dest_ip -local dest_port -local proto -local icmp_type -local target -local ruleset +src= +src_ip= +src_mac= +src_port= +src_mac= +dest= +dest_ip= +dest_port= +proto= +icmp_type= +target= +ruleset= config_get src $1 src config_get src_ip $1 src_ip @@ -265,14 +267,18 @@ src_port_first=${src_port%-*} src_port_last=${src_port#*-} -[ $src_port_first -ne $src_port_last ] { \ -src_port=$src_port_first:$src_port_last; } +if [ -n $src_port_last ] ; then +[ $src_port_first -ne $src_port_last ] { +src_port=$src_port_first:$src_port_last; } +fi dest_port_first=${dest_port%-*} dest_port_last=${dest_port#*-} -[ $dest_port_first -ne $dest_port_last ] { \ -dest_port=$dest_port_first:$dest_port_last; } - +if [ -n $dest_port_last ] ; then +[ $dest_port_first -ne $dest_port_last ] { +dest_port=$dest_port_first:$dest_port_last; } +fi + ZONE=input TARGET=$target [ -z $target ] target=DROP @@ -280,15 +286,14 @@ [ -n $src -a -n $dest ] ZONE=zone_${src}_forward [ -n $dest ] TARGET=zone_${dest}_$target add_rule() { -$IPTABLES -I $ZONE 1 \ -${proto:+-p $proto} \ -${icmp_type:+--icmp-type $icmp_type} \ -${src_ip:+-s $src_ip} \ -${src_port:+--sport $src_port} \ -${src_mac:+-m mac --mac-source $src_mac} \ -${dest_ip:+-d $dest_ip} \ -${dest_port:+--dport $dest_port} \ --j $TARGET +PROTO=$(eval echo \${proto:+-p $proto}\) +
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
hi Malte, I forgot to say that, this is for ubicom32 cpu that has no mmu, and other no-mmu cpu's, there is no memory concern. this will not be the end of hush scripts changes, others are on the way. eval may be fishy for ash, i don't know. May be making a global switch mechanism between ash/hush is the solution to isolate different behaviour of shells. regards ugur -Original Message- From: openwrt-devel-boun...@lists.openwrt.org on behalf of Malte S. Stretz Sent: Tue 20.10.2009 16:51 To: OpenWrt Development List Subject: Re: [OpenWrt-Devel] [PATCH] firewall/iptables On Tuesday 20 October 2009 14:58:49 Ugur DOGRU wrote: This patch is for firewall/iptables. Most of it is to fix some hush script problems. [...] As most other init/hotplug scripts don't work with hush as well, I wonder why you went for the firewall only :) What you fixed are actually not problems in the scripts, but workarounds for hush-limitations and un-localizing variables is prone to breaking some stuff (I fixed one such issue earlier this year). The eval-code you used for assigning variables looks fishy as well but I never worked with hush so maybe PITAresque stuff like this is needed. Maybe you should just add the 50k and use ash instead? Cheers, Malte -- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Good idea. but, not sure that type supported by hush. ugur Jo-Philipp Wich wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 The following function supports multiple args like the original local. if ! type local /dev/null; then local() { for _v in $*; do eval $_v=''; done } fi If you add that to /etc/profile (is that supported by hush?) then it should be available system wide, in any script. ~ JoW -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrd5AoACgkQdputYINPTPP2RwCgjlMDgHn/slP2BbQ+488LpzwN GOIAnik/wOoQCFG7p9m7NXbKd3SZdIIs =eQjM -END PGP SIGNATURE- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel