Hi,
There are two bugs causing the web interface to malfunction when either
a protocol selection is negated using an exclamation mark (!) or a
comment is entered in the appropriate field of the form.
PLEASE, make sure removing the escaping of the spec string does not
cause problems with certain data entered in the form! So far, I had no
troubles while testing, because the fields are checked in
validate_rule(), anyway.
Regards, Tiger
--- /usr/share/acf/app/iptables/iptables-model.lua.orig
+++ /usr/share/acf/app/iptables/iptables-model.lua
@@ -147 +147 @@
- addparameter(rule.value.protocol.value, "-p")
+ addparameter(rule.value.protocol.value, "-p", true)
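Review bot: the bare `true` added as the third argument at line 147 does not say what it enables, and nothing in the hunk shows whether other addparameter() calls for fields that can be negated with `!` need it as well. A short comment at the call site naming the flag would help, and since the hunk carries no context lines (`@@ -147 +147 @@`), regenerating the diff with context would make sure it applies only to the intended line.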
@@ -520 +520 @@
- local cmd = path .. "iptables -t " ..
format.escapespecialcharacters(rule.value.table.value) .. " -R " ..
format.escapespecialcharacters(rule.value.chain.value) .. " " ..
format.escapespecialcharacters(rule.value.position.value) .. " " ..
format.escapespecialcharacters(spec) .. " 2>&1"
+ local cmd = path .. "iptables -t " ..
format.escapespecialcharacters(rule.value.table.value) .. " -R " ..
format.escapespecialcharacters(rule.value.chain.value) .. " " ..
format.escapespecialcharacters(rule.value.position.value) .. " " .. spec
.. " 2>&1"
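Review bot: with `format.escapespecialcharacters(spec)` dropped at line 520, `spec` goes into the command string raw while table, chain and position stay escaped; the string ends in ` 2>&1`, so it is evidently interpreted by a shell, and the only remaining barrier for form input such as the comment text is validate_rule(), as the cover message itself notes. I would rather quote each user-supplied value at the point where `spec` is assembled, so that `!` and option names stay literal and a value cannot break out of its argument, or else document at this line which validate_rule() checks make the raw concatenation safe and confirm that no caller reaches it without them.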
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
Thank you for the patch, and sorry for the long delay before properly responding. Unfortunately, the bugs you found were not the only ones present. I guess acf-iptables hadn't been tested in a while. Please see http://git.alpinelinux.org/cgit/acf-iptables/commit/?id=ce765fba9cf9fd1c4b1981ab137df35c4b662b04 for the changes I committed. Please try using the file http://git.alpinelinux.org/cgit/acf-iptables/tree/iptables-model.lua to make sure I fixed your reported problems. Once I hear back from you, I'll feel more confident in bumping the package version.
Ted
________________________________
From: Der Tiger <der.tiger.alpine@arcor.de>
To: alpine-devel@lists.alpinelinux.org
Sent: Saturday, March 24, 2012 2:23 PM
Subject: [alpine-devel] [Patch] acf-iptables: fixing model
---
ReHi Ted,
Thank you for your extensive fixing! I'm going to test the changes as
soon as I got my router to forward packets properly and will report back
with the test results (hopefully soon).
Regards, Tiger
On 2012-04-06 19:20, Ted Trask wrote:
---
Ok, thanks for testing again. To make my life easier, can you send me an example of a statement that doesn't work? I'm definitely not an iptables expert, so I'm not aware of all of the possibilities. Thanks.
Ted
On Apr 11, 2012, at 9:40 AM, Der Tiger <der.tiger.alpine@arcor.de> wrote:
---
ReHi Ted,
The patch works nicely! So far I didn't encounter any more problems
entering and editing data in the existing fields of the iptables GUI form.
Due to the complexity of the iptables configuration not all possible
options are represented in the form by a dedicated field. For instance
port REDIRECT statements in the nat table are not handled, so far.
Unfortunately this causes the parameters to be thrown out, once the rule
is edited, because there is no field in the form to hold the data.
Therefore, I'd suggest to add an "Additional Options" field to the form,
that is filled with all unrecognised fractions of the rule string in
order to prevent those fractions from getting lost when the rule is saved.
Regards, Tiger
On 2012-04-06 19:20, Ted Trask wrote:
---
ReHi Ted,
Thanks for your prompt reply! You'll find three example lines below. The
first line loses '--to-ports 53', the second line can't be saved,
because target TCPMSS requires the '--clamp-mss-to-pmtu' parameter,
which gets lost when the rule is edited in the GUI. The third line,
apart from the '-j LOG' directive, gets lost completely.
-A PREROUTING -s 192.168.0.0/16 -p udp -m comment --comment "Force DNS thru BIND" -j REDIRECT --to-ports 53
-A FORWARD -o ppp+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "PPP set MTU" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m limit --limit 1/sec --limit-burst 3 -j LOG --log-prefix "fw-input-reject "
Regards, Tiger
On 2012-04-11 16:03, Ted Trask wrote:
---
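The "Additional Options" suggestion and the example rules in the last message, sketched as an added example (not acf-iptables code and not written by either poster): every token of a rule is kept in its original order, only the values the form knows about are editable, and each token is shell-quoted on its own when the spec is rebuilt. `KNOWN`, the function names and the edited comment text are assumptions; backslash-escaped quotes inside a quoted string are not handled.

```lua
-- Added example; not acf-iptables code. KNOWN is an assumed subset of form fields.
local KNOWN = { ["-A"] = "chain", ["-s"] = "source", ["-p"] = "protocol",
                ["-o"] = "out_if", ["-j"] = "target", ["--comment"] = "comment" }

-- Split a rule in iptables-save syntax; a double-quoted string is one token.
local function tokenize(rule)
  local tokens, pos = {}, 1
  while true do
    local s = rule:find("%S", pos)
    if not s then return tokens end
    if rule:sub(s, s) == '"' then
      local e = rule:find('"', s + 1, true) or error("unterminated quote")
      tokens[#tokens + 1], pos = rule:sub(s + 1, e - 1), e + 1
    else
      local e = rule:find("%s", s) or #rule + 1
      tokens[#tokens + 1], pos = rule:sub(s, e - 1), e
    end
  end
end

-- Tag the option values the form can edit; keep every other token, in order.
local function parse(rule)
  local items, fields, extra, tokens, i = {}, {}, {}, tokenize(rule), 1
  while i <= #tokens do
    local name = KNOWN[tokens[i]]
    if name and tokens[i + 1] then
      items[#items + 1] = { opt = tokens[i], field = name }
      fields[name], i = tokens[i + 1], i + 2
    else
      items[#items + 1] = { raw = tokens[i] }
      extra[#extra + 1], i = tokens[i], i + 1
    end
  end
  return items, fields, extra
end

-- POSIX single-quoting: the shell hands the argument to iptables unchanged.
local function shquote(arg)
  return "'" .. arg:gsub("'", "'\\''") .. "'"
end

-- Rebuild the spec from the (possibly edited) fields plus the untouched tokens.
local function build_spec(items, fields)
  local out = {}
  for _, it in ipairs(items) do
    out[#out + 1] = it.raw and shquote(it.raw) or it.opt .. " " .. shquote(fields[it.field])
  end
  return table.concat(out, " ")
end
-- Second example rule from the thread; the comment edit below is constructed.
local items, fields, extra = parse('-A FORWARD -o ppp+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "PPP set MTU" -j TCPMSS --clamp-mss-to-pmtu')
fields.comment = "PPP set MTU (don't remove)"
print("additional options: " .. table.concat(extra, " "))
print(build_spec(items, fields))
```

Because unrecognised tokens stay in place, `--clamp-mss-to-pmtu` still follows `-j TCPMSS` after the edit, and the apostrophe in the new comment reaches iptables as part of a single argument.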