Package: shorewall
Version: 5.2.8-1
Severity: important
Tags: ipv6 patch security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
Starting ipv6 firewall gives an error message. The firewall still
starts, though.
$ sudo shorewall6 stop
Stopping Shorewall6....
/var/lib/shorewall6/firewall: 776: [: 64: unexpected operator
Preparing ip6tables-restore input...
Running /sbin/ip6tables-restore --wait 60...
done.
$
The problem is in /usr/share/shorewall/lib.runtime which compiles the script.
The line that spills the error message is in funcion
convert_to_anycast():
while read address; do
case $address in
2*|3*)
vlsm=${address#*/}
vlsm=${vlsm:=128}
*** THIS ONE *** if [ $vlsm -le 120 ]; then
#
# Defines a viable subnet -- first get the subnet-router
anycast address
#
host=$((128 - $vlsm))
$address and therefore $vlsm should contain the ip address. However, in
my case it ends up with
2001:abcd:1234:dead:beef:abcd:1234:2222/64 metric 256
It seems that function find_interface_full_addresses() in lib.runtime
expects the ip address in "ip addr show" always be followed by "scope
global..." etc.
In my case:
$ ip addr show lan0 | grep inet6
inet6 2001:abcd:1234:dead:beef:abcd:1234:2222/64 metric 256 scope global
dynamic mngtmpaddr
This patch should fix the problem. At least it seems to work here.
Samuli
*** 99_fix_find_interface_addresses.patch
Fix sed inside function find_interface_full_addresses() to also clean up
"metric" information from ip address.
Pretty much untested and certainly unaudited!!!
Index: shorewall-5.2.8/shorewall/Perl/lib.runtime
===================================================================
--- shorewall-5.2.8.orig/shorewall/Perl/lib.runtime 2023-01-19
14:31:25.000000000 +0200
+++ shorewall-5.2.8/shorewall/Perl/lib.runtime 2023-02-05 00:24:17.424000000
+0200
@@ -1140,7 +1140,7 @@
find_interface_full_addresses() # $1 = interface
{
- $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6
//;s/ scope.*//;s/ peer [0-9a-f:]*//'
+ $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6
//;s/ scope.*//;s/ peer [0-9a-f:]*//;s/ metric [0-9]*//'
}
#
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (110, 'testing'), (100, 'unstable'), (95, 'experimental'), (80,
'stable')
Architecture: arm64 (aarch64)
Kernel: Linux 6.1.0-3-arm64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8),
LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages shorewall depends on:
ii bc 1.07.1-3
ii init-system-helpers 1.65.2
ii iproute2 6.1.0-1
ii iptables 1.8.9-2
ii perl 5.36.0-7
ii shorewall-core 5.2.8-1
Versions of packages shorewall recommends:
ii libnetfilter-cthelper0 1.0.1-1
Versions of packages shorewall suggests:
ii make 4.3-4.1
pn shorewall-doc <none>
-- Configuration Files:
/etc/shorewall/conntrack [Errno 13] Permission denied:
'/etc/shorewall/conntrack'
/etc/shorewall/params [Errno 13] Permission denied: '/etc/shorewall/params'
/etc/shorewall/shorewall.conf changed [not included]
-- no debconf information