[alpine-devel] [Patch] acf-iptables: fixing model

Message ID: <4F6E1119.8080306@arcor.de>
Sender timestamp: 1332613401
DKIM signature: missing

Hi,

There are two bugs causing the web interface to malfunction when either
a protocol selection is negated using an exclamation mark (!) or a
comment is entered in the appropriate field of the form.

PLEASE, make sure removing the escaping of the spec string does not
cause problems with certain data entered in the form! So far, I had no
troubles while testing, because the fields are checked in
validate_rule(), anyway.

Regards, Tiger

--- /usr/share/acf/app/iptables/iptables-model.lua.orig
+++ /usr/share/acf/app/iptables/iptables-model.lua
@@ -147 +147 @@
-    addparameter(rule.value.protocol.value, "-p")
+    addparameter(rule.value.protocol.value, "-p", true)
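Review bot: The bare `true` passed as the third argument to addparameter() on the `+` line gives no hint at the call site of what it switches on; going by the message above it is what lets a `!`-negated protocol through. Please add a short comment here or at the definition of addparameter() stating what the flag does, and check whether any other form field that accepts `!` is still passed through addparameter() without it.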
@@ -520 +520 @@
-        local cmd = path .. "iptables -t " ..
format.escapespecialcharacters(rule.value.table.value) .. " -R " ..
format.escapespecialcharacters(rule.value.chain.value) .. " " ..
format.escapespecialcharacters(rule.value.position.value) .. " " ..
format.escapespecialcharacters(spec) .. " 2>&1"
+        local cmd = path .. "iptables -t " ..
format.escapespecialcharacters(rule.value.table.value) .. " -R " ..
format.escapespecialcharacters(rule.value.chain.value) .. " " ..
format.escapespecialcharacters(rule.value.position.value) .. " " .. spec
.. " 2>&1"
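Review bot: On the `+` line, `spec` is now concatenated unescaped into a command string that ends in `2>&1`, so it reaches a shell as-is, while table, chain and position beside it stay wrapped in format.escapespecialcharacters(). Since spec carries the free-text comment from the form, the only barrier against shell metacharacters is validate_rule(), which this diff does not show. Rather than dropping the escaping for the whole string, quote each value at the point where it is added to spec, so that the `!` and the quotes around the comment are produced by the code instead of being escaped away, or have validate_rule() reject everything outside an allow-list of characters.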



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Message ID: <1333732837.18993.YahooMailNeo@web130105.mail.mud.yahoo.com>
In-Reply-To: <4F6E1119.8080306@arcor.de>
Sender timestamp: 1333732837
DKIM signature: missing

Thank you for the patch, and sorry for the long delay before properly responding. Unfortunately, the bugs you found were not the only ones present. I guess acf-iptables hadn't been tested in a while. Please see http://git.alpinelinux.org/cgit/acf-iptables/commit/?id=ce765fba9cf9fd1c4b1981ab137df35c4b662b04 for the changes I committed. Please try using the file http://git.alpinelinux.org/cgit/acf-iptables/tree/iptables-model.lua to make sure I fixed your reported problems. Once I hear back from you, I'll feel more confident in bumping the package version.

Ted


________________________________
 From: Der Tiger <der.tiger.alpine@arcor.de>
To: alpine-devel@lists.alpinelinux.org 
Sent: Saturday, March 24, 2012 2:23 PM
Subject: [alpine-devel] [Patch] acf-iptables: fixing model
 
Hi,

There are two bugs causing the web interface to malfunction when either
a protocol selection is negated using an exclamation mark (!) or a
comment is entered in the appropriate field of the form.

PLEASE, make sure removing the escaping of the spec string does not
cause problems with certain data entered in the form! So far, I had no
troubles while testing, because the fields are checked in
validate_rule(), anyway.

Regards, Tiger

---
Message ID: <4F807561.4040407@arcor.de>
In-Reply-To: <1333732837.18993.YahooMailNeo@web130105.mail.mud.yahoo.com>
Sender timestamp: 1333818721
DKIM signature: missing

ReHi Ted,

Thank you for your extensive fixing! I'm going to test the changes as
soon as I got my router to forward packets properly and will report back
with the test results (hopefully soon).

Regards, Tiger

Am 2012-04-06 19:20, schrieb Ted Trask:
> Thank you for the patch, and sorry for the long delay before properly
> responding. Unfortunately, the bugs you found were not the only ones
> present. I guess acf-iptables hadn't been tested in a while. Please
> see http://git.alpinelinux.org/cgit/acf-iptables/commit/?id=ce765fba9cf9fd1c4b1981ab137df35c4b662b04
> for the changes I committed. Please try using the file
> http://git.alpinelinux.org/cgit/acf-iptables/tree/iptables-model.lua to
> make sure I fixed your reported problems. Once I hear back from you,
> I'll feel more confident in bumping the package version.
> 
> Ted
---
Message ID: <6D2E9A25-1C97-4FED-B5D3-BC0123220404@yahoo.com>
In-Reply-To: <4F8589D0.3010002@arcor.de>
Sender timestamp: 1334153039
DKIM signature: missing

Ok, thanks for testing again. To make my life easier, can you send me an example of a statement that doesn't work? I'm definitely not an iptables expert, so I'm not aware of all of the possibilities. Thanks.

Ted

On Apr 11, 2012, at 9:40 AM, Der Tiger <der.tiger.alpine@arcor.de> wrote:

> ReHi Ted,
> 
> The patch works nicely! So far I didn't encounter any more problems
> entering and editing data in the existing fields of the iptables GUI form.
> 
> Due to the complexity of the iptables configuration not all possible
> options are represented in the form by a dedicated field. For instance
> port REDIRECT statements in the nat table are not handled, so far.
> Unfortunately this causes the parameters to be thrown out, once the rule
> is edited, because there is no field in the form to hold the data.
> 
> Therefore, I'd suggest to add an "Additional Options" field to the form,
> that is filled with all unrecognised fractions of the rule string in
> order to prevent those fractions from getting lost when the rule is saved.
> 
> Regards, Tiger
---
Message ID: <4F8589D0.3010002@arcor.de>
In-Reply-To: <1333732837.18993.YahooMailNeo@web130105.mail.mud.yahoo.com>
Sender timestamp: 1334151632
DKIM signature: missing

ReHi Ted,

The patch works nicely! So far I didn't encounter any more problems
entering and editing data in the existing fields of the iptables GUI form.

Due to the complexity of the iptables configuration not all possible
options are represented in the form by a dedicated field. For instance
port REDIRECT statements in the nat table are not handled, so far.
Unfortunately this causes the parameters to be thrown out, once the rule
is edited, because there is no field in the form to hold the data.

Therefore, I'd suggest to add an "Additional Options" field to the form,
that is filled with all unrecognised fractions of the rule string in
order to prevent those fractions from getting lost when the rule is saved.

Regards, Tiger

Am 2012-04-06 19:20, schrieb Ted Trask:
> Thank you for the patch, and sorry for the long delay before properly
> responding. Unfortunately, the bugs you found were not the only ones
> present. I guess acf-iptables hadn't been tested in a while. Please
> see http://git.alpinelinux.org/cgit/acf-iptables/commit/?id=ce765fba9cf9fd1c4b1981ab137df35c4b662b04
> for the changes I committed. Please try using the file
> http://git.alpinelinux.org/cgit/acf-iptables/tree/iptables-model.lua to
> make sure I fixed your reported problems. Once I hear back from you,
> I'll feel more confident in bumping the package version.
> 
> Ted
---
Message ID: <4F8595A9.8080704@arcor.de>
In-Reply-To: <6D2E9A25-1C97-4FED-B5D3-BC0123220404@yahoo.com>
Sender timestamp: 1334154665
DKIM signature: missing

ReHi Ted,

Thanks for your prompt reply! You'll find three example lines below. The
first line loses '--to-ports 53', the second line can't be saved,
because target TCPMSS requires the '--clamp-mss-to-pmtu' parameter,
which gets lost when the rule is edited in the GUI. The third line,
apart from the '-j LOG' directive, gets lost completely.

-A PREROUTING -s 192.168.0.0/16 -p udp -m comment --comment "Force DNS thru BIND" -j REDIRECT --to-ports 53

-A FORWARD -o ppp+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "PPP set MTU" -j TCPMSS --clamp-mss-to-pmtu

-A FORWARD -m limit --limit 1/sec --limit-burst 3 -j LOG --log-prefix "fw-input-reject "

Regards, Tiger

Am 2012-04-11 16:03, schrieb Ted Trask:
> Ok, thanks for testing again. To make my life easier, can you send me an example of a statement that doesn't work? I'm definitely not an iptables expert, so I'm not aware of all of the possibilities. Thanks.
> 
> Ted
---
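
The three example rules and the "Additional Options" idea from the thread, worked through as an added example (not acf-iptables code and not written by either poster): a quote-aware tokenizer splits each rule into form fields and leftover words, and every word is shell-quoted on its own when the rule is rebuilt, so `!`, comments and unrecognised options survive without raw form data reaching the shell. The field list in KNOWN and all function names are assumptions.

```lua
-- Added example, not acf-iptables code; KNOWN (options with a form field) is assumed.
local KNOWN = { ["-A"] = "chain", ["-s"] = "source", ["-o"] = "out_if",
                ["-p"] = "protocol", ["-j"] = "jump", ["--comment"] = "comment" }

-- Split a rule line into words, honouring iptables-save style double quotes.
local function tokenize(line)
  local words, cur, inq, i = {}, nil, false, 1
  while i <= #line do
    local c = line:sub(i, i)
    if c == '"' then inq, cur = not inq, cur or ""
    elseif c == "\\" and inq then i = i + 1; cur = cur .. line:sub(i, i)
    elseif c:match("%s") and not inq then
      if cur then words[#words + 1] = cur; cur = nil end
    else cur = (cur or "") .. c end
    i = i + 1
  end
  if inq then return nil, "unterminated quote" end
  if cur then words[#words + 1] = cur end
  return words
end

-- Sort words into form fields, match extras (before -j) and target extras (after -j).
local function parse(line)
  local words, err = tokenize(line)
  if not words then return nil, err end
  local rule, i, neg = { field = {}, match_extra = {}, target_extra = {} }, 1, false
  while i <= #words do
    local w, nxt = words[i], words[i + 1]
    if w == "!" and KNOWN[nxt] and words[i + 2] then neg = true; i = i + 1
    elseif KNOWN[w] and nxt then
      rule.field[KNOWN[w]] = neg and { "!", w, nxt } or { w, nxt }; neg, i = false, i + 2
    elseif w == "-m" and nxt == "comment" then i = i + 2 -- re-added on output
    else
      local bucket = rule.field.jump and rule.target_extra or rule.match_extra
      bucket[#bucket + 1] = w; i = i + 1
    end
  end
  return rule
end

-- Single-quote each word; order: fields, comment, match extras, -j, target extras.
local function quoted_spec(rule)
  local out = {}
  local function add(list)
    for _, v in ipairs(list or {}) do out[#out + 1] = "'" .. v:gsub("'", "'\\''") .. "'" end
  end
  for _, name in ipairs({ "chain", "source", "out_if", "protocol" }) do add(rule.field[name]) end
  if rule.field.comment then add({ "-m", "comment" }); add(rule.field.comment) end
  add(rule.match_extra); add(rule.field.jump); add(rule.target_extra)
  return table.concat(out, " ")
end

-- The three rules from the thread, plus one constructed line (negation, metacharacters).
for _, line in ipairs({
  '-A PREROUTING -s 192.168.0.0/16 -p udp -m comment --comment "Force DNS thru BIND" -j REDIRECT --to-ports 53',
  '-A FORWARD -o ppp+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "PPP set MTU" -j TCPMSS --clamp-mss-to-pmtu',
  '-A FORWARD -m limit --limit 1/sec --limit-burst 3 -j LOG --log-prefix "fw-input-reject "',
  [[-A INPUT ! -p tcp -m comment --comment "it's $HOME; ok" -j DROP]],
}) do print(quoted_spec(assert(parse(line)))) end
```

Keeping the leftovers in two buckets matters because target options such as `--to-ports` or `--clamp-mss-to-pmtu` are only valid after their `-j`, while match options such as `--tcp-flags` must stay with their `-m`.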