[Shorewall-users] Stricter "interfaces" check
Ob Noxious
2016-10-11 05:41:29 UTC
Hi,

Just a small issue I've faced. I made a typo on the "interfaces" file, like
this :

bar ${IF_BAR} nets=(${NET_BAR}),nosmurfs,rpfilter,bridge
dmz ${IF_F00} nets=(${NET_FOO}),nosmurfs,rpfilter,bridge

Notice: ${IF_FOO} is misspelled with 00 (zeros) instead of the letter "O", which
leads to an empty entry.

"shorewall ck" didn't complain.

"shorewall reload" failed with a shell syntax error complaining about
unbalanced parenthesis. It was a "case ... esac" statement with the
following content :

case $1 in
lo)
progress_message3 "..."
eth0|dmz|nets=(1.2.3.0/24),nosmurfs,rpfilter,bridge)
....
esac

We see why the shell would complain :-) I finally figured out the (stupid)
typo.

I report it in case you'd want to add further checks to this (and/or
others) to avoid this kind of situations where the "check" command gets
fooled and the error passes unnoticed.

Note to self: "interfaces" is the last config file using the "legacy"
columned notation and I guess it's time to convert it to the new (and way
better IMHO) syntax :-)
--
ObNox
Tom Eastep
2016-10-11 15:49:08 UTC
Post by Ob Noxious
Hi,
Just a small issue I've faced. I made a typo on the "interfaces"
bar ${IF_BAR} nets=(${NET_BAR}),nosmurfs,rpfilter,bridge
dmz ${IF_F00} nets=(${NET_FOO}),nosmurfs,rpfilter,bridge
notice: ${IF_FOO} is misspelled with 00 (zeros) instead of letter
"O" which leads to an empty entry.
"shorewall ck" didn't complain.
"shorewall reload" failed with a shell syntax error complaining
about unbalanced parenthesis. It was a "case ... esac" statement
case $1 in
lo)
progress_message3 "..."
eth0|dmz|nets=(1.2.3.0/24),nosmurfs,rpfilter,bridge)
....
esac
We see why the shell would complain :-) I finally figured out the
(stupid) typo.
I report it in case you'd want to add further checks to this
(and/or others) to avoid this kind of situations where the "check"
command gets fooled and the error passes unnoticed.
Note to self: "interfaces" is the last config file using the
"legacy" columned notation and I guess it's time to convert it to
the new (and way better IMHO) syntax :-)
I believe that this particular class of user blunder is best guarded
against by setting IGNOREUNKNOWNVARIABLES=No in shorewall[6].conf,
although I can certainly add some gross-level editing of interface
names in the interfaces file.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
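
A pre-flight check in the spirit of the IGNOREUNKNOWNVARIABLES=No advice above, as an added example that is not part of the thread or of Shorewall's own code: it lists every `$NAME` / `${NAME}` reference in a config file that has no matching assignment. It assumes variables are defined as plain `NAME=value` lines in a params-style file (variables coming from the environment or from sourced scripts are not seen); the function names and sample values are constructed for illustration.

```python
import re

# Matches $NAME and ${NAME} references in a config line.
VAR_REF = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")
# Matches simple NAME=value assignments, optionally prefixed with "export".
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=")


def defined_names(params_text):
    """Collect variable names assigned in a params-style file."""
    names = set()
    for line in params_text.splitlines():
        m = ASSIGN.match(line)
        if m:
            names.add(m.group(1))
    return names


def undefined_refs(config_text, known):
    """Return (line_number, name) for each reference to an unknown variable."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        body = line.split("#", 1)[0]  # ignore trailing comments
        for m in VAR_REF.finditer(body):
            name = m.group(1) or m.group(2)
            if name not in known:
                findings.append((lineno, name))
    return findings


# Constructed sample input, using the variable names from the post above.
SAMPLE_PARAMS = """\
IF_BAR=eth0
IF_FOO=eth1
NET_BAR=10.0.0.0/24
NET_FOO=1.2.3.0/24
"""

SAMPLE_INTERFACES = """\
bar ${IF_BAR} nets=(${NET_BAR}),nosmurfs,rpfilter,bridge
dmz ${IF_F00} nets=(${NET_FOO}),nosmurfs,rpfilter,bridge
"""

if __name__ == "__main__":
    known = defined_names(SAMPLE_PARAMS)
    for lineno, name in undefined_refs(SAMPLE_INTERFACES, known):
        print(f"interfaces:{lineno}: undefined variable ${{{name}}}")
```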
Ob Noxious
2016-10-12 03:05:21 UTC
On Tue, Oct 11, 2016 at 5:49 PM, Tom Eastep <***@shorewall.net> wrote:

Post by Tom Eastep
I believe that this particular class of user blunder is best guarded
against by setting IGNOREUNKNOWNVARIABLES=No in shorewall[6].conf,
Oh dear! Is there something you didn't think about when designing
Shorewall? :-) It really gives the impression that every last corner of
possible feature enhancement has been evaluated :)
Post by Tom Eastep
although I can certainly add some gross-level editing of interface
names in the interfaces file.
Software development is a never ending job!

As I said, I converted my "interfaces" file to the new (and way better
IMHO) syntax and this time, no way for the typo to pass unnoticed! The
"check" caught it right away!

Thanks.
--
ObNox
Simon Matter
2016-10-12 09:27:40 UTC
Post by Tom Eastep
I believe that this particular class of user blunder is best guarded
against by setting IGNOREUNKNOWNVARIABLES=No in shorewall[6].conf,
Oh dear! Is there something you didn't think about when designing
Shorewall? :-) It really gives the impression that every last corner of
possible feature enhancement has been evaluated :)
Tom deserves to win a Nobel Prize for all his nice work on shorewall!

Regards,
Simon
Tom Eastep
2016-10-13 02:13:08 UTC
Post by Simon Matter
Post by Ob Noxious
On Tue, Oct 11, 2016 at 5:49 PM, Tom Eastep
I believe that this particular class of user blunder is best
guarded against by setting IGNOREUNKNOWNVARIABLES=No in
shorewall[6].conf,
Oh dear! Is there something you didn't think about when
designing Shorewall? :-) It really gives the impression that
every last corner of possible feature enhancement has been
evaluated :)
Tom deserves to win a Nobel Prize for all his nice work on
shorewall!
Not at all. I just listen to users' reports and implement changes that
address their concerns.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Ob Noxious
2016-10-14 02:12:37 UTC
Post by Simon Matter
Tom deserves to win a Nobel Prize for all his nice work on
shorewall!
Not at all. I just listen to users' reports and implement changes that
address their concerns.
I already said it some months ago but it doesn't hurt to repeat a bit!
I *WISH* that 99.9999% of the proprietary software companies, I had to deal
with in my career, providing a so-called "professional support" had at the
very _LEAST_ 5% of the level of expertise and support Tom gives us here!

Long story short: They don't provide real support besides the usual
"captain obvious" line ("did you turn on your computer?" <sigh>), they
NEVER EVER listen to suggestions ("most users are happy with the current
product"), and they tell you b*llshit like "we'll look at your suggestion
shortly" which really translates to "move suggestion(s) to /dev/null".

If this "professional support" really existed in some (acceptable) way, I
would have complained less and be way happier now. Thank you Tom and all
people involved in the Shorewall project! The same applies to some other
great software too. Guess what? They're ALL Free Open Source Software.
--
ObNox