[Bug 798525] New: security:netfilter/shorewall: Bug in shorewall.service and shorewall6.service

https://bugzilla.novell.com/show_bug.cgi?id=798525
https://bugzilla.novell.com/show_bug.cgi?id=798525#c0

           Summary: security:netfilter/shorewall: Bug in shorewall.service and shorewall6.service
    Classification: openSUSE
           Product: openSUSE.org
           Version: unspecified
          Platform: Other
        OS/Version: openSUSE 12.2
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: 3rd party software
        AssignedTo: toganm@dinamizm.com
        ReportedBy: bruno@ioda-net.ch
         QAContact: opensuse-communityscreening@forge.provo.novell.com
          Found By: ---
           Blocker: ---
For several releases now the 2 generated .service files for systemd have been wrong: they both contain /usr two times

ExecStart=/usr/usr/sbin/shorewall $OPTIONS start
ExecStop=/usr/usr/sbin/shorewall $OPTIONS stop

should be

ExecStart=/usr/sbin/shorewall $OPTIONS start
ExecStop=/usr/sbin/shorewall $OPTIONS stop

Thanks to have a look here.

I put this as Major, because when the service is restarted and fails silently, it could leave iptables in ACCEPT/OPEN state ...

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
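Two checks a packager or admin could run after a shorewall update, written here as an added example (not code from the bug report or from the shorewall package): a systemd-unit path check that catches the doubled /usr prefix in the report, and a count of ACCEPT policies in `iptables -S` output to confirm the ruleset is really loaded. The optional ROOT parameter and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the bug report or the shorewall package.
# check_unit_exec_paths UNIT [ROOT]: parse a systemd unit's Exec*= directives,
# strip systemd's exec-prefix characters (- @ + ! :), and fail on a doubled
# path prefix such as /usr/usr/sbin/shorewall (the defect in this report) or on
# a binary that is not executable. ROOT is an assumed helper parameter: point it
# at a staging tree (an extracted rpm) to check a package before installing it.
check_unit_exec_paths() {
    unit=$1 root=${2:-} status=0
    while IFS= read -r line; do
        case $line in
            ExecStart*=*|ExecStop*=*|ExecReload=*) cmd=${line#*=} ;;
            *) continue ;;
        esac
        while :; do   # "-/usr/sbin/x ..." -> "/usr/sbin/x ..."
            case $cmd in [-@+!:]*) cmd=${cmd#?} ;; *) break ;; esac
        done
        bin=${cmd%% *}
        case $bin in
            /usr/usr/*|*//*) echo "BAD  $unit: doubled prefix in '$bin'"; status=1; continue ;;
        esac
        if [ -x "$root$bin" ]; then echo "OK   $unit: $bin"
        else echo "BAD  $unit: '$bin' is not an executable file"; status=1
        fi
    done < "$unit"
    return $status
}

# count_accept_policies: the report's concern is that a unit failing silently
# leaves the filter table at its ACCEPT defaults. Reads `iptables -S` (or
# `iptables-save -t filter`) output from stdin and prints the number of built-in
# chains whose policy is ACCEPT; 0 means the compiled ruleset is in place.
#     iptables -S | count_accept_policies
count_accept_policies() {
    n=0
    while IFS= read -r line; do
        case $line in
            "-P "*" ACCEPT"|":"*" ACCEPT ["*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Demo on the exact ExecStart/ExecStop lines from the report (constructed file).
demo=$(mktemp)
printf '[Service]\nExecStart=/usr/usr/sbin/shorewall $OPTIONS start\nExecStop=/usr/usr/sbin/shorewall $OPTIONS stop\n' > "$demo"
check_unit_exec_paths "$demo" || echo "-> this unit would fail to start"
rm -f "$demo"
```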
https://bugzilla.novell.com/show_bug.cgi?id=798525#c1

--- Comment #1 from Togan Muftuoglu <toganm@dinamizm.com> 2013-01-15 13:19:52 UTC ---
(In reply to comment #0)
> For several releases now the 2 generated .service files for systemd have been wrong: they both contain /usr two times

Am I correct to understand that this is coming from the security:netfilter repo and the OS is 12.2?

Togan
https://bugzilla.novell.com/show_bug.cgi?id=798525#c2

--- Comment #2 from Bruno Friedmann <bruno@ioda-net.ch> 2013-01-15 14:37:06 UTC ---
Absolutely, but this happens on 12.1 too.
https://bugzilla.novell.com/show_bug.cgi?id=798525#c3

Togan Muftuoglu <toganm@dinamizm.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |ASSIGNED

--- Comment #3 from Togan Muftuoglu <toganm@dinamizm.com> 2013-01-15 14:48:11 UTC ---
Then it is probably in Factory also :( Will have a look.
https://bugzilla.novell.com/show_bug.cgi?id=798525#c4

Togan Muftuoglu <toganm@dinamizm.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED    |NEEDINFO
       InfoProvider|            |bruno@ioda-net.ch

--- Comment #4 from Togan Muftuoglu <toganm@dinamizm.com> 2013-01-15 17:04:02 UTC ---
Fixed (I hope) the exec path problem. Can you confirm it is working for you?

Thanks

Togan
https://bugzilla.novell.com/show_bug.cgi?id=798525#c5

Bruno Friedmann <bruno@ioda-net.ch> changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
             Status|NEEDINFO         |ASSIGNED
       InfoProvider|bruno@ioda-net.ch|

--- Comment #5 from Bruno Friedmann <bruno@ioda-net.ch> 2013-01-15 22:31:59 UTC ---
Okay Togan, the new build in security:netfilter is okay for the .service files.

But there are still two strange things. Once the package is updated I end up with an empty iptables/ip6tables. A systemctl restart shorewall.service and systemctl restart shorewall6.service restore the rules ...

Could you re-check what you have in %post (sorry, I'm lacking the time to dig into it myself).

The last small point is that the version for 12.2 (shorewall-core) doesn't want to update due to a missing perl = 5.14.2; 12.2 has 5.16. Certainly a detail in the .spec.
https://bugzilla.novell.com/show_bug.cgi?id=798525#c6

--- Comment #6 from Togan Muftuoglu <toganm@dinamizm.com> 2013-01-15 23:26:36 UTC ---
This is weird, as my patch fixes the sed command for the service files in the shorewall installer. There was no code change in the %post section or to the perl version requirement for shorewall-core.

I will look into those.

Thanks for testing and reporting

Togan
https://bugzilla.novell.com/show_bug.cgi?id=798525#c7

Togan Muftuoglu <toganm@dinamizm.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED    |NEEDINFO
       InfoProvider|            |bruno@ioda-net.ch

--- Comment #7 from Togan Muftuoglu <toganm@dinamizm.com> 2013-01-15 23:43:04 UTC ---
Can you attach the shorewallrc installed from the shorewall-core package?

Thanks
https://bugzilla.novell.com/show_bug.cgi?id=798525#c8

Bruno Friedmann <bruno@ioda-net.ch> changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
             Status|NEEDINFO         |ASSIGNED
       InfoProvider|bruno@ioda-net.ch|

--- Comment #8 from Bruno Friedmann <bruno@ioda-net.ch> 2013-01-16 06:48:14 UTC ---
(In reply to comment #6)
> This is weird, as my patch fixes the sed command for the service files in the shorewall installer. There was no code change in the %post section or to the perl version requirement for shorewall-core.
>
> I will look into those.
>
> Thanks for testing and reporting
>
> Togan

In fact those are not related to your last patch. The trouble exists with 4.5.11, but if I remember correctly 4.5.10 was not impacted by that require.

Here is the last zypp history extract:

2013-01-15 23:25:44|install|shorewall-core|4.5.11.2-84.1|noarch|root@a-wing|security-netfilter|7e07029799337583c40db4ba512572dc0699fcc053335efa652ddf12e2cea761
2013-01-15 23:25:45|install|shorewall-docs|4.5.11.2-84.1|noarch|root@a-wing|security-netfilter|e4f96f12f4f673330919020152781829e2b59538d78542f45da10f22ea9294fa
# 2013-01-15 23:25:53 shorewall-4.5.11.2-84.1.noarch.rpm installed ok
# Additional rpm output:
# Usage: /etc/init.d/shorewall start|stop|reload|restart|status
#
2013-01-15 23:25:53|install|shorewall|4.5.11.2-84.1|noarch|root@a-wing|security-netfilter|b848e9217cdc322e5b3368b77473830394649cc4bbf37f0faf037596afa93486
2013-01-15 23:25:58|install|shorewall6|4.5.11.2-84.1|noarch|root@a-wing|security-netfilter|7d9dd437ed18fb59dc1b3b63b49249884858698b9228ed0fd5c0ae0434e2178a
# 2013-01-15 23:25:59 shorewall-init-4.5.11.2-84.1.noarch.rpm installed ok
# Additional rpm output:
# Updating /etc/sysconfig/shorewall-init...
#
2013-01-15 23:25:59|install|shorewall-init|4.5.11.2-84.1|noarch|root@a-wing|security-netfilter|18acb357c3e41d8c2522ce7485c036aeb10abbad316d4222a36244e03f68f06d

And the rc:

cat /usr/share/shorewall/shorewallrc
#
# Created by Shorewall Core version 4.5.11.2 configure - Tue Jan 15 17:04:16 UTC 2013
#
# Input: vendor=suse host=suse prefix=/usr perllibdir=/usr/lib/perl5/vendor_perl/5.14.2 libexecdir=/usr/lib sbindir=/usr/sbin systemd=/lib/systemd/system sharedir=/usr/share
#
HOST=suse
PREFIX=/usr
SHAREDIR=/usr/share
LIBEXECDIR=/usr/lib
PERLLIBDIR=/usr/lib/perl5/vendor_perl/5.14.2
CONFDIR=/etc
SBINDIR=/usr/sbin
MANDIR=${SHAREDIR}/man/
INITDIR=/etc/init.d
INITSOURCE=init.suse.sh
INITFILE=$PRODUCT
AUXINITSOURCE=
AUXINITFILE=
SYSTEMD=/lib/systemd/system
SYSCONFFILE=
SYSCONFDIR=/etc/sysconfig/
SPARSE=
ANNOTATED=
VARLIB=/var/lib
VARDIR=${VARLIB}/$PRODUCT

rpm -qf /usr/share/shorewall/shorewallrc
shorewall-core-4.5.11.2-84.1.noarch

and

ll -R /usr/lib/perl5/vendor_perl/5.14.2/
/usr/lib/perl5/vendor_perl/5.14.2/:
total 4
drwxr-xr-x 2 root root 4096 jan 15 23:25 Shorewall

/usr/lib/perl5/vendor_perl/5.14.2/Shorewall:
total 852
-rw-r--r-- 1 root root  14644 jan 15 18:04 Accounting.pm
-rw-r--r-- 1 root root 206104 jan 15 18:04 Chains.pm
-rw-r--r-- 1 root root  24096 jan 15 18:04 Compiler.pm
-rw-r--r-- 1 root root 153162 jan 15 18:04 Config.pm
-rw-r--r-- 1 root root  20895 jan 15 18:04 IPAddrs.pm
-rw-r--r-- 1 root root  81817 jan 15 18:04 Misc.pm
-rw-r--r-- 1 root root  21541 jan 15 18:04 Nat.pm
-rw-r--r-- 1 root root   9080 jan 15 18:04 Proc.pm
-rw-r--r-- 1 root root  59824 jan 15 18:04 Providers.pm
-rw-r--r-- 1 root root   6155 jan 15 18:04 Proxyarp.pm
-rw-r--r-- 1 root root   8918 jan 15 18:04 Raw.pm
-rw-r--r-- 1 root root  82251 jan 15 18:04 Rules.pm
-rw-r--r-- 1 root root  78491 jan 15 18:04 Tc.pm
-rw-r--r-- 1 root root  10450 jan 15 18:04 Tunnels.pm
-rw-r--r-- 1 root root  57511 jan 15 18:04 Zones.pm

a-wing:/etc # rpm -qf /usr/lib/perl5/vendor_perl/5.14.2/Shorewall
shorewall-4.5.11.2-84.1.noarch
https://bugzilla.novell.com/show_bug.cgi?id=798525#c9

Togan Muftuoglu <toganm@dinamizm.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED    |NEEDINFO
       InfoProvider|            |bruno@ioda-net.ch

--- Comment #9 from Togan Muftuoglu <toganm@dinamizm.com> 2013-01-16 07:57:16 UTC ---
I can't find anything that may cause what you have. In fact I have downloaded the rpms built by the OBS. In shorewall-4.5.11.2-84.1.noarch.rpm there is no mention of 5.4.12:

rpm -qpl /tmp/shorewall-4.5.11.2-84.1.noarch.rpm |grep perl
warning: /tmp/shorewall-4.5.11.2-84.1.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 79eafd54: NOKEY
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Accounting.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Chains.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Compiler.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Config.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/IPAddrs.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Misc.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Nat.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Proc.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Providers.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Proxyarp.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Raw.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Rules.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Tc.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Tunnels.pm
/usr/lib/perl5/vendor_perl/5.16.0/Shorewall/Zones.pm

and shorewall-core-4.5.11.2-84.1.noarch.rpm, again downloaded from the OBS, has /usr/lib/perl5/vendor_perl/5.16.0 in shorewallrc, both in the comment section and in the parameter section.

The only person that uses 5.4.12 hard coded is Tom Eastep. Our versions have the rpm macro perllibdir=%{perl_vendorlib}, so it depends on the distro release. So I have absolutely no idea where they are coming from.

Have you by chance at any time installed rpms from upstream? That is the only place where that can happen.

Just to double check it, can you download the rpms and check the shorewallrc and perl paths in the rpms:

rpm -qpl shorewall-4.5.11.2-84.1.noarch.rpm |grep perl

and, either using midnightcommander (mc) or a tool of your choice, can you check the shorewallrc in the shorewall-core rpm and post them.

Thanks

Togan
https://bugzilla.novell.com/show_bug.cgi?id=798525#c10

Bruno Friedmann <bruno@ioda-net.ch> changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
             Status|NEEDINFO         |ASSIGNED
       InfoProvider|bruno@ioda-net.ch|

--- Comment #10 from Bruno Friedmann <bruno@ioda-net.ch> 2013-01-16 13:36:52 UTC ---
Hi Togan, thanks a lot for your remark, because now I've found the real issue.

It's my bad; I'm so confused that I can't find a place to hide myself. In fact, in an emergency, I replaced a 12.1 firewall by a 12.2 and simply forgot to upgrade the security:netfilter repo to the corresponding new version. 12.1 has perl 5.14, which explains a lot of things :-)

I've fixed my repo, refreshed, and dup'ed again; shorewall gets upgraded and then works perfectly as expected.

So sorry for that false alarm, and for your great work on packaging it I'm your debtor for a beer for sure :-)
https://bugzilla.novell.com/show_bug.cgi?id=798525#c11

Togan Muftuoglu <toganm@dinamizm.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED    |RESOLVED
         Resolution|            |FIXED

--- Comment #11 from Togan Muftuoglu <toganm@dinamizm.com> 2013-01-16 13:47:06 UTC ---
Good to hear that the problem is resolved. I am marking it as resolved; hence you can close the bug if you want.

Togan
https://bugzilla.novell.com/show_bug.cgi?id=798525#c12

--- Comment #12 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-01-16 15:00:10 CET ---
This is an autogenerated message for OBS integration:
This bug (798525) was mentioned in
https://build.opensuse.org/request/show/148719 Factory / shorewall