Package: netscript-2.4
Version: 5.2.11
Severity: serious
Tags: patch
Missing quotes when setting up bridge resulted in vlaned eth0 interface being
on bridge brg0 with its vlan1 vlan interface. vlan2 was connected to internet.
vlan1 traffic was slow, and connectivity came and went. This happened when
IPv6 was explicitly disabled for eth0, and etho was not configured onto a
bridge. It is a corner case configuration with a serious result iin network
not functioning, and in the case of this system involved, leaking internal
traffic to the Internet. Network configuration was not such that a system on
Internet could connect internally.
Quotes put on 3rd and 4th arguments to brg_iface <interface> up in if.conf
fixes this siuation.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages netscript-2.4 depends on:
ii bash 4.2-2
ii bridge-utils 1.5-4
ii iproute 20120521-3
ii iptables 1.4.14-2
ii isc-dhcp-client [dhcp3-client] 4.2.2.dfsg.1-5
ii netbase 5.0
Versions of packages netscript-2.4 recommends:
ii quagga 0.99.21-3
Versions of packages netscript-2.4 suggests:
ii dnsmasq 2.62-3
ii quagga 0.99.21-3
pn resolvconf <none>
pn whereami <none>
pn wicd <none>
pn wpasupplicant <none>
-- Configuration Files:
/etc/netscript/if.conf changed:
SED_IFSTR='s/\([A-Za-z]*\)[0-9]*$/\1/'
SED_IPV4STR='s/^.*inet \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+[/0-9]\+\) .*$/\1/'
SED_IPV6STR='s/^.*inet6 \([0-9a-f]\+\:.*\:[0-9a-f]\+[/0-9]\+\) .*$/\1/'
SED_IPV6ADDR="sed -e 's/:0\+\([0-9a-fA-F]\+\)/:\1/g' | sed -e
's/^0\+\([0-9a-fA-F]\+\)/\1/'| sed -e 's/\(:0\)\+:\(:0\)*\|\(:0\)*:\(:0\)\+/:/'"
SED_IPV4ADDR="sed -e 's/\.0\+\([0-9a-fA-F]\+\)/.\1/g' | sed -e
's/^0\+\([0-9a-fA-F]\+\)/\1/'"
if_addr_start () {
local IPADDR2 ADDR ADDR2
local ADDRS
local ANS
local OIFS
local IFACE=$1
# Glue stuff
if [ -n "$MASKLEN" ]; then
IPADDR="${IPADDR}/${MASKLEN}"
fi
if [ -n "$PTPADDR" ]; then
IPADDR="${IPADDR}_peer_${PTPADDR}"
fi
if [ -n "$BROADCAST" ]; then
IPADDR="${IPADDR}_brd_${BROADCAST}"
fi
if [ -n "$IP_EXTRA_ADDRS" ]; then
IPADDR="$IPADDR $IP_EXTRA_ADDRS"
fi
# Take care of leading zeroes in supplied addresses
for ADDR in $IPADDR; do
if echo $ADDR | grep -q ':'; then
#IPv6
ADDR2=`echo $ADDR | eval $SED_IPV6ADDR`
IPADDR2="$IPADDR2 $ADDR2"
else
#IPv4
ADDR2=`echo $ADDR | eval $SED_IPV4ADDR`
IPADDR2="$IPADDR2 $ADDR2"
fi
done
IPADDR="$IPADDR2"
# Set up link MTU etc
ip link set $1 $IFCFG_MULTICAST $IFCFG_MTU
# Set up IPv6 Interface sysctl here before interface goes up
ifv6_setproc $1 accept_redirects $IPV6_ACCEPT_REDIRECTS
ifv6_setproc $1 accept_ra $IPV6_ACCEPT_RA
ifv6_setproc $1 accept_ra_pinfo $IPV6_ACCEPT_RA_PINFO
ifv6_setproc $1 accept_ra_rt_info_max_plen
$IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN
ifv6_setproc $1 disable_ipv6 $IPV6_DISABLE
ifv6_setproc $1 forwarding $IPV6_FWDING
ifv6_setproc $1 router_solicitations $IPV6_ROUTER_SOLICITATIONS
ifv6_setproc $1 use_tempaddr $IPV6_PRIVACY
# Bring the interface up
ip link set dev $1 up
# This one has to be set after interface up
ifv6_setproc $1 mtu $IPV6_MTU
# Set up the addresses on the interface
ADDRS=`ip addr show dev $IFACE | grep '^.*inet[ 46]' \
| sed -e "$SED_IPV4STR" | sed -e "$SED_IPV6STR"`
for ADDR in $IPADDR; do
for ADDR2 in $ADDRS; do
ADDR2=`echo $ADDR2 | sed -e 's/\/32\|\/128//'`
ANS=${ADDR#$ADDR2}
if [ "$ANS" != "$ADDR" ]; then
continue 2
fi
done
OIFS=$IFS
IFS="${IFS}_"
ip addr add $ADDR dev $IFACE
IFS=$OIFS
done
# Strip out addresses that should not be there
for ADDR in $ADDRS; do
# Don't delete IPv6 link local addresses
if echo $ADDR | grep -q -i '^fe[89ab]'; then
continue
fi
ANS=`echo $IPADDR | grep $ADDR`
if [ -z "$ANS" ]; then
ip addr del $ADDR dev $IFACE
fi
done
return 0
}
if_addr_stop () {
local FILE
qt ip link set $1 down
qt ip addr flush dev $1
}
if_up () {
local ADDR
# sort out a few things to make life easier - here so that you
# can see what is done and so that you can add anything if needed
eval IPADDR=\${"$1"_IPADDR:-""} # I am also a good genius
eval MASKLEN=\${"$1"_MASKLEN:-""}
eval BROADCAST=\${"$1"_BROADCAST:-""}
eval PTPADDR=\${"$1"_PTPADDR:-""}
eval IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
eval MTU=\${"$1"_MTU:-""}
eval MULTICAST=\${"$1"_MULTICAST:-""}
eval HB_TICKLE=\${"$1"_HB_TICKLE:-""}
eval BRIDGE=\${"$1"_BRIDGE:-""}
eval RESOLVCONF=\${"$1"_RESOLVCONF:-""}
eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
eval local FAIRQ=\${"$1"_FAIRQ:-""}
eval local TXQLEN=\${"$1"_TXQLEN:-""}
eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
eval local IP_SEND_REDIRECTS=\${"$1"_IP_SEND_REDIRECTS:-""}
eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
eval IPV6_ACCEPT_REDIRECTS=\${"$1"_IPV6_ACCEPT_REDIRECTS:-""}
eval IPV6_ACCEPT_RA=\${"$1"_IPV6_ACCEPT_RA:-""}
eval IPV6_ACCEPT_RA_PINFO=\${"$1"_IPV6_ACCEPT_RA_PINFO:-""}
eval
IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=\${"$1"_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN:-""}
eval IPV6_DISABLE=\${"$1"_IPV6_DISABLE:-""}
eval IPV6_FWDING=\${"$1"_IPV6_FWDING:-""}
eval IPV6_PRIVACY=\${"$1"_IPV6_PRIVACY:-""}
eval IPV6_ROUTER_SOLICITATIONS=\${"$1"_IPV6_ROUTER_SOLICITATIONS:-""}
eval IPV6_MTU=\${"$1"_IPV6_MTU:-""}
if [ -n "DEFAULT_GW" -a -z "$IPV4_DEFAULT_GW" ]; then
IPV4_DEFAULT_GW="$DEFAULT_GW"
IPV4_DEFAULT_GWDEV="$1"
fi
unset IFCFG_BROADCAST IFCFG_MULTICAST IFCFG_MTU
if [ -n "$BROADCAST" ] ; then
IFCFG_BROADCAST="broadcast $BROADCAST"
fi
if [ -n "$MTU" ] ; then
IFCFG_MTU="mtu $MTU"
fi
if [ -n "$MULTICAST" ] ; then
case $MULTICAST in
No|no|NO|off|Off|OFF)
IFCFG_MULTICAST="multicast off"
;;
Yes|YES|yes|on|On|ON)
IFCFG_MULTICAST="multicast on"
;;
*)
unset IFCFG_MUTLICAST
;;
esac
fi
local IFTYPE=`echo $1 | sed -e $SED_IFSTR`
# Do dee global bridge stuff
brg_global
# Set default interface flags here - used for PPP and WAN interfaces
# IPv4
ifv4_setproc default rp_filter $DEF_IP_SPOOF
ifv4_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
ifv4_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS
# Set up each interface
if qt type ${1}_start ; then
# execute user supplied individual interface start up
${1}_start $1
elif qt type ${IFTYPE}_start ; then
# execute user supplied typed interface start up
${IFTYPE}_start $1
else
# default interface startup
brg_iface $1 up "$BRIDGE" "$IPV6_DISABLE"
# Start interface
if_addr_start $1
fi
# Do universal interface config items here
# QoS setup
ip_QoSclear $1
ip_QoS $1
# Set the TX Queue Length
[ -n "$TXQLEN" ] \
&& ip link set $1 txqlen $TXQLEN
# Default route support
ipv4_default_route $1
ipv6_default_route $1
# Set up routes and ARP etc
if qt type ${1}_network ; then
${1}_network $1
fi
# Resolvconf support
if [ -n "$RESOLVCONF" ]; then
if_resolvconf_up $1 "$RESOLVCONF"
fi
# Interface sysctl stuff here
# IPv4
# Spoof protection
ifv4_setproc $1 rp_filter $IP_SPOOF
# Kernel logging of martians on this interface
ifv4_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
# Shared Media stuff
ifv4_setproc $1 shared_media $IP_SHARED_MEDIA
# Sending of Redirects
ifv4_setproc $1 send_redirects $IP_SEND_REDIRECTS
# Proxy ARP support
ifv4_setproc $1 proxy_arp $PROXY_ARP
# Emit required upstart event - this can be adjusted
iface_upstart_emit 'net-device-up' "IFACE=${1}" 'LOGICAL=${1}' \
'ADDRFAM=inet' 'METHOD=static'
unset IPADDR MASKLEN BROADCAST PTPADDR IP_EXTRA_ADDRS MTU MULTICAST
unset BROADCAST RESOLVCONF
unset IPV6_ACCEPT_REDIRECTS IPV6_ACCEPT_RA IPV6_FWDING IPV6_MTU
unset IPV6_ROUTER_SOLICITATIONS IPV6_PRIVACY IPV6_ACCEPT_RA_PINFO
unset IPV6_DISABLE
unset IFCFG_BROADCAST IFCFG_MULTICAST IFCFG_MTU
return 0
}
if_down () {
local IFTYPE=`echo $1 | sed -e $SED_IFSTR`
# Clean up any resolvconf stuff
if_resolvconf_down $1
# Do Dee global bridge stuff
brg_global
if qt type ${1}_stop ; then
# execute user supplied individual interface shutdown
${1}_stop $1
elif qt type ${IFTYPE}_stop ; then
# execute user supplied typed interface shutdown
${IFTYPE}_stop $1
else
# default action
brg_iface $1 down $IPV6_DISABLE
if_addr_stop $1
fi
# Clean up any QoS/fair queuing stuff
ip_QoSclear $1
# Clean up IPv6 stuff
if [ -d ${IPV6_PROC}/conf/${1} ]; then
for FILE in accept_redirects accept_ra forwarding \
router_solicitations use_tempaddr; do
echo `cat $IPV6_PROC/conf/default/$FILE` \
> $IPV6_PROC/conf/$1/$FILE
done
fi
# Emit required upstart event - this can be adjusted
iface_upstart_emit 'net-device-down' "IFACE=${1}" "LOGICAL=${1}" \
'ADDRFAM=inet' 'METHOD=static'
true
} #END if_down
if_lo_up () {
# Bring up interface lo
case "$IPV4_DISABLE" in
YES|Yes|yes)
;;
*)
qt ip addr add 127.0.0.1/8 broadcast 127.255.255.255 dev lo
;;
esac
ip link set lo up \
&& iface_upstart_emit 'net-device-up' 'IFACE=lo' 'LOGICAL=lo' \
'ADDRFAM=inet' 'METHOD=static'
}
if_resolvconf_up () {
if [ $# != 2 -a $# != 3 ]; then
echo " Usage: `basename $0`: fn if_resolvconf_up <if-name>
<search-path> <ns1-ip>" 1>&2
echo " `basename $0`: fn if_resolvconf_up <if-name>
<resolvconf-stdin>" 1>&2
return 1;
fi
! qt type resolvconf && return 1
if [ $# = 3 ]; then
echo -ne "search ${2}\nnameserver ${3}\n" | resolvconf -a $1
else
echo -ne "$2" | resolvconf -a $1
fi
}
if_resolvconf_down () {
if [ $# != 1 ]; then
echo " Usage: `basename $0`: fn if_resolvconf_down <if-name>"
1>&2
return 1;
fi
! qt type resolvconf && return 1
# Go and do it...
resolvconf -d $1
}
/etc/netscript/ipfilter-defs/README [Errno 13] Permission denied:
u'/etc/netscript/ipfilter-defs/README'
/etc/netscript/ipfilter-defs/dnat-defs [Errno 13] Permission denied:
u'/etc/netscript/ipfilter-defs/dnat-defs'
/etc/netscript/ipfilter-defs/example.def [Errno 13] Permission denied:
u'/etc/netscript/ipfilter-defs/example.def'
/etc/netscript/ipfilter-defs/example2.def [Errno 13] Permission denied:
u'/etc/netscript/ipfilter-defs/example2.def'
/etc/netscript/ipfilter-defs/local.def [Errno 13] Permission denied:
u'/etc/netscript/ipfilter-defs/local.def'
/etc/netscript/ipfilter-defs/masq-defs [Errno 13] Permission denied:
u'/etc/netscript/ipfilter-defs/masq-defs'
/etc/netscript/ipfilter-defs/network-defs [Errno 13] Permission denied:
u'/etc/netscript/ipfilter-defs/network-defs'
/etc/netscript/ipfilter-defs/prototypes-defs [Errno 13] Permission denied:
u'/etc/netscript/ipfilter-defs/prototypes-defs'
/etc/netscript/ipfilter-defs/prototypes.sh [Errno 13] Permission denied:
u'/etc/netscript/ipfilter-defs/prototypes.sh'
/etc/netscript/network.conf changed:
VERBOSE=YES
IPV6_MODULE=Yes
IPV6_DISABLE=NO
IPV4_DISABLE=NO
IPV4_FWDING_KERNEL=NO
IPV6_FWDING_KERNEL=NO
IPV4_DEFAULT_GW=192.168.110.254
IPV4_DEFAULT_GWDEV=brg0
IP_FILTER_KERNEL=NONE
NET_GLOBAL_SYSCTL="
ipv4/ip_nonlocal_bind NO
ipv4/ip_dynaddr NO
ipv4/icmp_echo_ignore_all NO
ipv4/icmp_echo_ignore_broadcasts YES
ipv4/tcp_ecn NO
"
BACKUP_LEVELS=3
IF_AUTO="brg0 bdmz0 binet0 bvm0 eth0 vlan1 vlan2"
IF_DYNAMIC="tun0 vlan1 vlan2"
ALLIF_ACCEPT_REDIRECTS=NO
IF_DEFAULT_IPV6_DISABLE=YES
DEF_IP_SPOOF=YES
DEF_IP_KRNL_LOGMARTIANS=YES
BRG_SWITCH=1
BRG_LIST="bdmz0 bvm0 binet0"
brg0_IPADDR="192.168.110.1/24_brd_192.168.110.255
fd14:828:ba69:1:21c:f0ff:fefa:f3c0/64 2001:470:f012:1:21c:f0ff:fefa:f3c0/64"
eth0_IP_SPOOF=NO
eth0_IP_KRNL_LOGMARTIANS=NO
eth0_IPV6_DISABLE=YES
bvm0_IPV6_DISABLE=YES
bdmz0_IPV6_DISABLE=YES
binet0_IPV6_DISABLE=YES
brg0_IPV6_DISABLE=NO
brg0_IPV6_ACCEPT_RA=YES
brg0_IPV6_ACCEPT_RA_PINFO=NO
brg0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64
eth0_IF_CHAIN_AUTO="vlan1 vlan2"
vlan1_BRIDGE=brg0
vlan2_BRIDGE=binet0
ipsec0_IP_SPOOF=NO
ppp1_IPADDR=192.168.2.1
chdlc0_IPADDR=192.168.10.1_peer_192.168.10.2
tun_start () {
local PIDFILE="/var/run/openvpn.${1}.pid"
# don't run openvpn if link already exists...
[ -f $PIDFILE ] && kill -0 `cat $PIDFILE` && return 0
openvpn --config /etc/openvpn/$1.netscript \
--writepid $PIDFILE \
--cd /etc/openvpn \
--daemon openvpn.$1
}
tun_stop () {
local PIDFILE="/var/run/openvpn.${1}.pid"
[ ! -f $PIDFILE ] && return 0
qt kill `cat $PIDFILE`
[ -f $PIDFILE ] && rm $PIDFILE
sleep 5 # Wait for openvpn to die
}
tap_start () {
tun_start "$@"
}
tap_stop () {
tun_stop "$@"
}
vlan1_start () {
ip link add link eth0 name $1 type vlan id 1
# default interface startup
brg_iface $1 up "$BRIDGE" "$IPV6_DISABLE"
# Start interface
if_addr_start $1
}
vlan2_start () {
ip link add link eth0 name $1 type vlan id 2
# default interface startup
brg_iface $1 up "$BRIDGE" "$IPV6_DISABLE"
# Start interface
if_addr_start $1
}
vlan_stop () {
# default action
brg_iface $1 down $IPV6_DISABLE
if_addr_stop $1
# Take out vlan device
ip link delete $1
}
wlan0_start () {
# don't run pppd if link already exists...
#[ -f "/var/run/hostapd-${1}.pid" ] && kill -0 `cat
"/var/run/hostapd-${1}.pid"` && return 0
#ip link set dev $1 up
#/usr/sbin/hostapd -B -P "/var/run/hostapd-${1}.pid"
/etc/hostapd/hostapd.conf
brg_iface $1 up $BRIDGE
}
wlan0_stop () {
#[ ! -f "/var/run/hostapd-${1}.pid" ] && return 0
#qt kill `cat "/var/run/hostapd-${1}.pid"`
#ip link set dev $1 down
brg_iface $1 down
}
MRK_CRIT=0x1 # Critical traffic, routing, DNS
MRK_IA=0x2 # Interactive traffic - telnet, ssh, IRC
MRK_T1=0xa
MRK_T2=0x14
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp
${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet
${MRK_IA}_tcp_0/0_ssh"
IPV6_CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route
${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain
${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ah_0/0 ipip_0/0 encap_0/0"
IPV6_MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ipip_0/0 encap_0/0"
LOG_LEVEL=warning
LOG_MAXRATE=3 # messages per second
LOG_TARGET=REJECT
IPV6_LOG_TARGET=REJECT
MARTIAN_BYPASS="192.168.110.0/24"
MARTIAN_NETS="" # List of additional martian/invalid
# IP source addresses - network/mask
IPV6_MARTIAN_NETS=""
SNMP_MANAGER_IPS="192.168.1.1"
SNMP_DEST_BLOCK=0/0
LINK_NET="192.168.1.0/30"
IP_BLOCKS="10.0.100.2 10.0.0.0/8"
SMB_BLOCK=YES
BLOCKED_INSRC="all_10.200.1.1"
LOGGED_BLOCKED_INSRC="all_10.200.1.2"
BLOCKED_INDEST="tcp_10.0.2.1_23 udp_10.0.3.4_domain"
LOGGED_BLOCKED_INDEST="tcp_192.168.45.6_smtp"
DNS_IPS="202.36.174.1"
BLOCKED_OUTDEST="tcp_10.0.0.1_23 udp_10.0.0.2_domain"
LOGGED_BLOCKED_OUTDEST="tcp_10.0.0.1_smtp"
-- debconf-show failed
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
