Closed arnova closed 5 years ago
As I see it ... the environment function get_ifs
is where the +
gets added as an interface placeholder as an interface wildcard.
Only parse_rule
calls get_ifs
which sets the interfaces
variable.
So, for parse_rule
results using any form of interfaces-
(as interfaces:EXT_IF-
ever contains a single +
) now call a function in a subshell to eliminate -i +
and -o +
iptables args.
Given that, @arnova it looks like you implemented this perfectly.
I'm not sure how much CPU cost there is with all the extra subshell calls, but I will test.
It appears this is an iptables 1.8.x bug, but I can't argue against eliminating -i +
and -o +
iptables args.
Alternatively:
$(ipt_in_if "$interface")
$(ipt_out_if "$interface")
could be
$(ipt_if -i "$interface")
$(ipt_if -o "$interface")
ipt_if()
{
if [ -n "$2" -a "$2" != "+" ]; then
echo "$1 $2"
fi
}
@abelbeck : Lonnie, good idea! Updated it, if ok please hit "green".
Great ... I'll do some testing over the weekend and merge it if all looks good.
Nice solution @arnova
@arnova Followup, it looks like plugin scripts: 90dmz-dnat.plugin and dyndns-host-open-helper call parse-rule
with interfaces-
I know you don't assume the environment tracks plugins, so you decide.
@abelbeck : I think those should be updated with the next point release.
I think those should be updated with the next point release.
@arnova OK, I'll make a PR for fixing the two plugins and you can merge it when you want.
@arnova I created PR #57
Thanks @abelbeck
@abelbeck : It turns out $(ipt_if -i "$interface") isn't working properly. With eg. $interface="net0, I get "Warning: weird character in interface ` net0' ('/' and ' ' are not allowed by the kernel)." It's as if the shell is not passing the arguments separately. Ideas on how to fix (I vaguely recall we had this issue before in the past with iptables somewhere)?
@abelbeck : It turns out $(ipt_if -i "$interface") isn't working properly. With eg. $interface="net0, I get "Warning: weird character in interface ` net0' ('/' and ' ' are not allowed by the kernel)." It's as if the shell is not passing the arguments separately. Ideas on how to fix (I vaguely recall we had this issue before in the past with iptables somewhere)?
Fixed it in https://github.com/arno-iptables-firewall/aif/commit/a5a3d92d7a08dfc7cf085168815942d10fc1fb3e . You ok with it? To be honest I don't understand why one works and the other does not...
@arnova No, that is not a fix.
I think the problem is with the IFS=','
, IFS=' ,'
would probably fix it, but let me work on this.
@arnova While I have never used $IFS
in output before, this seems to provide a general fix:
--- /usr/share/arno-iptables-firewall/environment
+++ ./environment
@@ -1067,7 +1067,7 @@
ipt_if()
{
if [ -n "$2" -a "$2" != "+" ]; then
- echo "$1 $2"
+ echo "$1${IFS:- }$2"
fi
}
Alternately, replacing all the IFS=','
with IFS=' ,'
where ipt_if()
is called and look to see if that has any side effects.
I like your fix with "echo "$1${IFS:- }$2"" better than modifying IFS all over the place (which may also lead to regressions). Could you PR this?
Sure
Added PR #64
@abelbeck : Please review/comment