On 2023-02-06, at 23:47:37 +0200, Samuli Suonpää wrote:
> Package: shorewall
> Version: 5.2.8-1
> Severity: important
> Tags: ipv6 patch security upstream
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> Starting ipv6 firewall gives an error message. The firewall still
> starts, though.
>
> $ sudo shorewall6 stop
> Stopping Shorewall6....
> /var/lib/shorewall6/firewall: 776: [: 64: unexpected operator
> Preparing ip6tables-restore input...
> Running /sbin/ip6tables-restore --wait 60...
> done.
> $
>
> The problem is in /usr/share/shorewall/lib.runtime which compiles the script.
>
> The line that spills the error message is in function
> convert_to_anycast():
>
> while read address; do
>     case $address in
>         2*|3*)
>             vlsm=${address#*/}
>             vlsm=${vlsm:=128}
>
> *** THIS ONE ***   if [ $vlsm -le 120 ]; then
>                 #
>                 # Defines a viable subnet -- first get the subnet-router anycast address
>                 #
>                 host=$((128 - $vlsm))
>
> $address and therefore $vlsm should contain the ip address. However, in
> my case it ends up with
>
> 2001:abcd:1234:dead:beef:abcd:1234:2222/64 metric 256
>
> It seems that function find_interface_full_addresses() in lib.runtime
> expects the ip address in "ip addr show" to always be followed by "scope
> global..." etc.
>
> In my case:
>
> $ ip addr show lan0 | grep inet6
> inet6 2001:abcd:1234:dead:beef:abcd:1234:2222/64 metric 256 scope global dynamic mngtmpaddr
>
> This patch should fix the problem. At least it seems to work here.
>
> Samuli
>
> *** 99_fix_find_interface_addresses.patch
> Fix sed inside function find_interface_full_addresses() to also clean up
> "metric" information from ip address.
>
> Pretty much untested and certainly unaudited!!!
> Index: shorewall-5.2.8/shorewall/Perl/lib.runtime > =================================================================== > --- shorewall-5.2.8.orig/shorewall/Perl/lib.runtime 2023-01-19 > 14:31:25.000000000 +0200 > +++ shorewall-5.2.8/shorewall/Perl/lib.runtime 2023-02-05 > 00:24:17.424000000 +0200 > @@ -1140,7 +1140,7 @@ > > find_interface_full_addresses() # $1 = interface > { > - $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 > //;s/ scope.*//;s/ peer [0-9a-f:]*//' > + $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 > //;s/ scope.*//;s/ peer [0-9a-f:]*//;s/ metric [0-9]*//' > } > > # >
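Review bot: the added `s/ metric [0-9]*//` only handles the one extra token that surfaced on this host; the sed chain still works by stripping a fixed list of trailing words, so any other token that `ip -f inet6 addr show` prints between the prefix and `scope` would again leave garbage in `$vlsm` and reproduce the `[: 64: unexpected operator` failure in convert_to_anycast(). Selecting the address positively by field, as in `awk '$1 == "inet6" { print $2 }'`, avoids maintaining that list; independently, the consumer `if [ $vlsm -le 120 ]` should check that `$vlsm` is a number before comparing so a parsing surprise is reported rather than tripping a shell syntax error in the generated firewall script. The patch description says it is untested; a check against a captured `ip addr show` line containing `metric` would be worth adding alongside it.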
Thanks for the report. My inclination is just to use awk to pick out the second field. For example,

$ ip -f inet6 addr show dev lo | awk '$1 == "inet6" { print $2 }'
::1/128

> -- System Information:
> Debian Release: bookworm/sid
> APT prefers testing
> APT policy: (110, 'testing'), (100, 'unstable'), (95, 'experimental'), (80, 'stable')
> Architecture: arm64 (aarch64)
>
> Kernel: Linux 6.1.0-3-arm64 (SMP w/4 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages shorewall depends on:
> ii  bc                   1.07.1-3
> ii  init-system-helpers  1.65.2
> ii  iproute2             6.1.0-1
> ii  iptables             1.8.9-2
> ii  perl                 5.36.0-7
> ii  shorewall-core       5.2.8-1
>
> Versions of packages shorewall recommends:
> ii  libnetfilter-cthelper0  1.0.1-1
>
> Versions of packages shorewall suggests:
> ii  make           4.3-4.1
> pn  shorewall-doc  <none>
>
> -- Configuration Files:
> /etc/shorewall/conntrack [Errno 13] Permission denied: '/etc/shorewall/conntrack'
> /etc/shorewall/params [Errno 13] Permission denied: '/etc/shorewall/params'
> /etc/shorewall/shorewall.conf changed [not included]
>
> -- no debconf information
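The two parsing approaches discussed in this thread, side by side, as an added example that is not Shorewall's code and not part of the original messages. It runs against constructed `ip addr show` output modelled on the reporter's lan0 line (no `ip` command is invoked), shows how the pre-patch sed chain lets `metric 256` leak into the prefix length, extracts the address by field position as the maintainer suggests, and validates the prefix length before the `128 - vlsm` arithmetic that convert_to_anycast() performs so a malformed entry is skipped instead of aborting the script. All function names and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Shorewall's lib.runtime: robust extraction of IPv6
# prefixes from "ip -f inet6 addr show" output plus a guarded host-bit
# computation. Function names and sample data are this example's own.

# Constructed sample, modelled on the bug report's lan0 line plus two other
# shapes a real host prints; ip(8) itself is never called here.
SAMPLE_IP_OUTPUT='2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:abcd:1234:dead:beef:abcd:1234:2222/64 metric 256 scope global dynamic mngtmpaddr
       valid_lft 86395sec preferred_lft 14395sec
    inet6 fe80::1234:abcd:1234:2222/64 scope link
       valid_lft forever preferred_lft forever
    inet6 2001:db8::1/128 scope global
       valid_lft forever preferred_lft forever'

# Pre-patch extraction as quoted in the report (whitespace class written
# portably). It strips known trailing words, so "metric 256" survives.
extract_inet6_addresses_sed() {
    printf '%s\n' "$1" | grep 'inet6 ' \
        | sed 's/^[[:space:]]*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
}

# Field-based extraction: take the second field of every "inet6" line,
# so any token ip(8) prints after the prefix is irrelevant.
extract_inet6_addresses() {
    printf '%s\n' "$1" | awk '$1 == "inet6" { print $2 }'
}

# Prefix length of "addr/len"; a bare address is treated as /128, the same
# default convert_to_anycast() applies.
vlsm_of() {
    vlsm=${1#*/}
    [ "$vlsm" = "$1" ] && vlsm=128   # no "/" in the input at all
    printf '%s\n' "$vlsm"
}

# Return 0 only when $1 is a decimal number in 0..128.
is_valid_vlsm() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 128 ]
}

# Host-bit count, i.e. the $((128 - vlsm)) that convert_to_anycast() needs,
# but computed only after the prefix length passed validation.
# Prints the count and returns 0, or prints nothing and returns 1.
host_bits_of() {
    vlsm=$(vlsm_of "$1")
    is_valid_vlsm "$vlsm" || return 1
    echo $((128 - vlsm))
}

# Global unicast entries (the 2*|3* case in the script) with their host-bit
# counts. A malformed entry is reported on stderr and skipped, instead of
# the whole generated firewall script dying with "[: unexpected operator".
list_global_host_bits() {
    extract_inet6_addresses "$1" | while read -r address; do
        case $address in
            2*|3*)
                if bits=$(host_bits_of "$address"); then
                    printf '%s %s\n' "$address" "$bits"
                else
                    printf 'skipping malformed entry: %s\n' "$address" >&2
                fi
                ;;
        esac
    done
}

echo "pre-patch sed extraction (note the leaked metric):"
extract_inet6_addresses_sed "$SAMPLE_IP_OUTPUT"
echo "field-based extraction:"
extract_inet6_addresses "$SAMPLE_IP_OUTPUT"
echo "global addresses with host bits:"
list_global_host_bits "$SAMPLE_IP_OUTPUT"
```

The validation step is what turns the reported symptom into a non-event: with the sed output, `vlsm_of` yields `64 metric 256`, `is_valid_vlsm` rejects it, and `host_bits_of` returns 1 without ever reaching the arithmetic, whereas the field-based path yields `64` and `0` for the two global addresses and ignores the link-local one.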