Opened 10 years ago

Closed 10 years ago

#2730 closed defect (worksforme)

Bad comments in /etc/config/firewall break iptables

Reported by: Nalin
Owned by: developers
Priority: normal
Milestone: (none)
Component: base system
Version: (none)
Keywords: firewall iptables comment
Cc: (none)

Description

This bug was a pain in my side for a long time. I could never figure out why things weren't working correctly. After getting some help from somebody who knew a lot about iptables, I was finally able to pinpoint my problem.

The problem comes to pass in the following files:
/etc/config/firewall
/etc/init.d/firewall
/usr/lib/firewall.awk

See, /etc/init.d/firewall calls awk, which uses firewall.awk to tokenize a line in /etc/config/firewall by colons (:). The third tokenized argument is passed verbatim into the iptables command it assembles. The bug manifests itself when clueless users (like yours truly) think /etc/config/firewall is a normal parsed file and add a comment to the end of the line. Take, for instance, this example:

forward:dport=3690:192.168.1.100		# svn

That will result in the following parsed lines:

iptables -t nat -A prerouting_wan -p udp -m multiport --dports 3690 -j DNAT --to 192.168.1.100		# svn
iptables        -A forwarding_wan    -p udp -d 192.168.1.100		# svn -j ACCEPT

Because of that, the very necessary -j ACCEPT is never handled and the forward won't work. It is my opinion that either the script should look for end-of-line comments or that something should be placed in /etc/config/firewall to warn people that putting comments at the end of a line will break the script.
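The failure described in the ticket, reproduced on constructed sample lines as an added example (this is not OpenWrt's firewall.awk or /etc/init.d/firewall): a naive colon split carries the trailing comment into field 3, the assembled rule then loses its -j ACCEPT behind the '#', and a comment-stripping split plus a lint pass over the config avoids it. The config lines, rule layout and function names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the old "type:match:target" style; the second
# carries the trailing comment from the ticket.
SAMPLE_LINE=$(printf 'forward:dport=3690:192.168.1.100\t\t# svn')
SAMPLE_CONFIG=$(printf 'accept:dport=22\n%s\nforward:dport=80:192.168.1.101\n' "$SAMPLE_LINE")

# Naive split, as the ticket describes: field 3 is used verbatim, comment included.
naive_target() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Hardened split: drop a '#' comment and trailing blanks before reading fields.
# sub() on $0 reassigns $0, which makes awk re-split the fields on FS.
clean_target() {
    printf '%s\n' "$1" | awk -F: '{ sub(/#.*$/, ""); sub(/[ \t]+$/, ""); print $3 }'
}

# Assemble the forwarding rule as text only (never executed here) so the effect
# of a comment inside the target field is visible.
forward_rule() {
    printf 'iptables -A forwarding_wan -p udp -d %s -j ACCEPT\n' "$1"
}

# What a shell would actually run: everything before a '#' that starts a word.
effective_cmd() {
    printf '%s\n' "$1" | awk '{ sub(/[ \t]+#.*$/, ""); print }'
}

# Lint: report config lines whose target field would smuggle a comment into iptables.
lint_config() {
    printf '%s\n' "$1" | awk -F: '$3 ~ /#/ { printf "line %d: comment inside target field: %s\n", NR, $0 }'
}

# Stand-alone demonstration of the broken and the hardened path.
echo "naive:  $(effective_cmd "$(forward_rule "$(naive_target "$SAMPLE_LINE")")")"
echo "clean:  $(effective_cmd "$(forward_rule "$(clean_target "$SAMPLE_LINE")")")"
lint_config "$SAMPLE_CONFIG"
```

The naive path yields a rule ending at the destination address, with "-j ACCEPT" sitting inside the comment; the hardened path keeps it.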

Attachments (0)

Change History (1)

comment:1 Changed 10 years ago by blogic

  • Resolution set to worksforme
  • Status changed from new to closed

nothing to fix
