Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Hi Felix,
I am attaching two scripts that showing problems I reported.
there are script results below, that I got.
I am using BusyBox v1.15.3 from latest trunk code(r18874).
Thanks
ugur
/tmp # ./test_sh1.sh
WITHOUT_EVAL: $proto
WITH_EVAL: tcp
/tmp #
/tmp # ./test_sh2.sh
CONCATTED:
sh: can't execute ' ': No such file or directory
END
NOT CONCATTED:
END
Felix Fietkau wrote:
On 2009-12-08 1:36 PM, Ugur DOGRU wrote:
Hi,
After getting busybox 1.15.2, local macro is not a problem now. So I
removed all modifications that removes local.
To remind it, these changes are for ubicom32 platform, but for all
no-mmu platforms in general.
As ash cannot run on no-mmu system, we are using hush instead.
There are still not compatible features between ash/hush. I've listed
them below. Please note that these are only
problems that I've encountered in firewall/iptables scripts.
1/ hush needs eval to substitute string.
2/ hush doesn't handle line concatenation : \
Are you sure that these two kinds of changes are still necessary? I
tried to reproduce your issues by writing small test cases with hush
here, but every test case I come up with seems to work fine.
I also tested parameter expansion such as ${var:+-p $var}, and I also
cannot get it to fail with hush.
If hush still has issues with some of these expansions, could you please
reduce it down to a small test case, so that I can verify it and maybe
fix it in hush directly instead of the scripts?
3/ hush crashes if two scripts include each other. (uci_firewall.sh and
/etc/hotplug.d/iface/20-firewall includes each other)
I replaced that today without duplicating the hotplug script's code.
As to some of your other changes:
- config_get exists $ZONE_LIST $1
+eval_ZONE_LIST=$(eval echo $ZONE_LIST)
+config_get exists $eval_ZONE_LIST $1
Why is this necessary?
- Felix
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
test_sh1.sh
Description: Bourne shell script
test_sh2.sh
Description: Bourne shell script
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Felix Fietkau wrote:
On 2009-12-08 1:36 PM, Ugur DOGRU wrote:
Hi,
After getting busybox 1.15.2, local macro is not a problem now. So I
removed all modifications that removes local.
To remind it, these changes are for ubicom32 platform, but for all
no-mmu platforms in general.
As ash cannot run on no-mmu system, we are using hush instead.
There are still not compatible features between ash/hush. I've listed
them below. Please note that these are only
problems that I've encountered in firewall/iptables scripts.
1/ hush needs eval to substitute string.
2/ hush doesn't handle line concatenation : \
Are you sure that these two kinds of changes are still necessary? I
tried to reproduce your issues by writing small test cases with hush
here, but every test case I come up with seems to work fine.
I also tested parameter expansion such as ${var:+-p $var}, and I also
cannot get it to fail with hush.
If hush still has issues with some of these expansions, could you please
reduce it down to a small test case, so that I can verify it and maybe
fix it in hush directly instead of the scripts?
Yes. I had some troubles about them. I can not get for now a console
prompt on my board
to test it. I think you can get fragments from uci_firewall.sh to test.
For line concatenation. I think below script will show problem by
running with/without line concat sign.
I will try if I will be able to get a shell prompt.
#!/bin/sh
src_port=100-200
src_port_first=${src_port%-*}
src_port_last=${src_port#*-}
[ $src_port_first -ne $src_port_last ] { \
src_port=$src_port_first:$src_port_last; }
3/ hush crashes if two scripts include each other. (uci_firewall.sh and
/etc/hotplug.d/iface/20-firewall includes each other)
I replaced that today without duplicating the hotplug script's code.
As to some of your other changes:
- config_get exists $ZONE_LIST $1
+eval_ZONE_LIST=$(eval echo $ZONE_LIST)
+config_get exists $eval_ZONE_LIST $1
Why is this necessary?
This is about eval problem.
- Felix
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
On 2009-12-08 1:36 PM, Ugur DOGRU wrote:
Hi,
After getting busybox 1.15.2, local macro is not a problem now. So I
removed all modifications that removes local.
To remind it, these changes are for ubicom32 platform, but for all
no-mmu platforms in general.
As ash cannot run on no-mmu system, we are using hush instead.
There are still not compatible features between ash/hush. I've listed
them below. Please note that these are only
problems that I've encountered in firewall/iptables scripts.
1/ hush needs eval to substitute string.
2/ hush doesn't handle line concatenation : \
Are you sure that these two kinds of changes are still necessary? I
tried to reproduce your issues by writing small test cases with hush
here, but every test case I come up with seems to work fine.
I also tested parameter expansion such as ${var:+-p $var}, and I also
cannot get it to fail with hush.
If hush still has issues with some of these expansions, could you please
reduce it down to a small test case, so that I can verify it and maybe
fix it in hush directly instead of the scripts?
3/ hush crashes if two scripts include each other. (uci_firewall.sh and
/etc/hotplug.d/iface/20-firewall includes each other)
I replaced that today without duplicating the hotplug script's code.
As to some of your other changes:
- config_get exists $ZONE_LIST $1
+eval_ZONE_LIST=$(eval echo $ZONE_LIST)
+config_get exists $eval_ZONE_LIST $1
Why is this necessary?
- Felix
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Hi,
After getting busybox 1.15.2, local macro is not a problem now. So I
removed all modifications that removes local.
To remind it, these changes are for ubicom32 platform, but for all
no-mmu platforms in general.
As ash cannot run on no-mmu system, we are using hush instead.
There are still not compatible features between ash/hush. I've listed
them below. Please note that these are only
problems that I've encountered in firewall/iptables scripts.
1/ hush needs eval to substitute string.
2/ hush doesn't handle line concatenation : \
3/ hush crashes if two scripts include each other. (uci_firewall.sh and
/etc/hotplug.d/iface/20-firewall includes each other)
I am attaching patch file that solving above problems.
we need your comments for these issues.
regards
ugur
Felix Fietkau wrote:
Jo-Philipp Wich wrote:
The following function supports multiple args like the original local.
if ! type local /dev/null; then
local() {
for _v in $*; do eval $_v=''; done
}
fi
If you add that to /etc/profile (is that supported by hush?) then it
should be available system wide, in any script.
/etc/functions.sh would be a better place, imho. I think /etc/profile is
not automatically sourced by shell scripts. This function doesn't
currently cover all scripts, it needs to handle things like
local var=value
as well without inserting extra = characters.
- Felix
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
diff -ruN /home/ugur/Desktop/openwrt-trunk-r18672/package/firewall/files/uci_firewall.sh /home/ugur/ubicom-distro/openwrt/package/firewall/files/uci_firewall.sh
--- /home/ugur/Desktop/openwrt-trunk-r18672/package/firewall/files/uci_firewall.sh 2009-12-01 22:31:10.0 +0200
+++ /home/ugur/ubicom-distro/openwrt/package/firewall/files/uci_firewall.sh 2009-12-08 14:01:13.0 +0200
@@ -46,9 +46,10 @@
[ $1 == loopback ] return
- config_get exists $ZONE_LIST $1
+eval_ZONE_LIST=$(eval echo $ZONE_LIST)
+config_get exists $eval_ZONE_LIST $1
[ -n $exists ] return
- config_set $ZONE_LIST $1 1
+config_set $eval_ZONE_LIST $1 1
$IPTABLES -N zone_$1
$IPTABLES -N zone_$1_MSSFIX
@@ -280,12 +281,12 @@
src_port_first=${src_port%-*}
src_port_last=${src_port#*-}
- [ $src_port_first -ne $src_port_last ] { \
+ [ $src_port_first -ne $src_port_last ] {
src_port=$src_port_first:$src_port_last; }
dest_port_first=${dest_port%-*}
dest_port_last=${dest_port#*-}
- [ $dest_port_first -ne $dest_port_last ] { \
+ [ $dest_port_first -ne $dest_port_last ] {
dest_port=$dest_port_first:$dest_port_last; }
ZONE=input
@@ -295,15 +296,13 @@
[ -n $src -a -n $dest ] ZONE=zone_${src}_forward
[ -n $dest ] TARGET=zone_${dest}_$target
add_rule() {
- $IPTABLES -A $ZONE \
- ${proto:+-p $proto} \
- ${icmp_type:+--icmp-type $icmp_type} \
- ${src_ip:+-s $src_ip} \
- ${src_port:+--sport $src_port} \
- ${src_mac:+-m mac --mac-source $src_mac} \
- ${dest_ip:+-d $dest_ip} \
- ${dest_port:+--dport $dest_port} \
- -j $TARGET
+PROTO=$(eval echo \${proto:+-p $proto}\)
+SRC_IP=$(eval echo \${src_ip:+-s $src_ip}\)
+SRC_PORT=$(eval echo \${src_port:+--sport $src_port}\)
+SRC_MAC=$(eval echo \${src_mac:+-m mac --mac-source $src_mac}\)
+DEST_IP=$(eval echo \${dest_ip:+-d $dest_ip}\)
+DEST_PORT=$(eval echo \${dest_port:+--dport $dest_port}\)
+$IPTABLES -I $ZONE 1 $PROTO $SRC_IP $SRC_PORT $SRC_MAC $DEST_IP $DEST_PORT -j $TARGET
}
[ $proto == tcpudp -o -z $proto ] {
proto=tcp
@@ -349,42 +348,40 @@
config_get dest_ip $1 dest_ip
config_get dest_port $1 dest_port
config_get proto $1 proto
- [ -z $src -o -z $dest_ip ] { \
+ [ -z $src -o -z $dest_ip ] {
echo redirect needs src and dest_ip; return ; }
src_port_first=${src_port%-*}
src_port_last=${src_port#*-}
- [ $src_port_first -ne $src_port_last ] { \
+ [ $src_port_first -ne $src_port_last ] {
src_port=$src_port_first:$src_port_last; }
src_dport_first=${src_dport%-*}
src_dport_last=${src_dport#*-}
- [ $src_dport_first -ne $src_dport_last ] { \
+ [ $src_dport_first -ne $src_dport_last ] {
src_dport=$src_dport_first:$src_dport_last; }
dest_port2=${dest_port:-$src_dport}
dest_port_first=${dest_port2%-*}
dest_port_last=${dest_port2#*-}
- [ $dest_port_first -ne $dest_port_last ] { \
+ [ $dest_port_first -ne $dest_port_last ] {
dest_port2=$dest_port_first:$dest_port_last; }
add_rule() {
- $IPTABLES -A zone_${src}_prerouting -t nat \
- ${proto:+-p $proto} \
- ${src_ip:+-s $src_ip} \
- ${src_port:+--sport $src_port} \
- ${src_dport:+--dport $src_dport} \
- ${src_mac:+-m mac --mac-source $src_mac} \
- -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port}
-
- $IPTABLES -I zone_${src}_forward 1 \
- ${proto:+-p $proto} \
- -d $dest_ip \
-
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
* Ugur DOGRU udo...@ubicom.com [08.12.2009 13:40]: 1/ hush needs eval to substitute string. 2/ hush doesn't handle line concatenation : \ 3/ hush crashes if two scripts include each other. (uci_firewall.sh and /etc/hotplug.d/iface/20-firewall includes each other) Thanks for your work - is there any documentation about 'hush'? i only found some sources ( humble shell 0.01 (testing) ), but ist seems to be interesting. bye, Bastian signature.asc Description: Digital signature ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
On Tuesday 20 October 2009 14:58:49 Ugur DOGRU wrote: This patch is for firewall/iptables. Most of it is to fix some hush script problems. [...] As most other init/hotplug scripts don't work with hush as well, I wonder why you went for the firewall only :) What you fixed are actually not problems in the scripts, but workarounds for hush-limitations and un-localizing variables is prone to breaking some stuff (I fixed one such issue earlier this year). The eval-code you used for assigning variables looks fishy as well but I never worked with hush so maybe PITAresque stuff like this is needed. Maybe you should just add the 50k and use ash instead? Cheers, Malte -- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Malte. [...] Maybe you should just add the 50k and use ash instead? As far as I know is hush a requirement of the platform (no mmu) and I think ash does not work on non-mmu + non-fork platforms. ~ JoW -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrd2scACgkQdputYINPTPN//gCeJk490y55LpSJKQP++wghzZ6K Tv4AniggWzPOQT1RSAdy314bwXyP1TqJ =W339 -END PGP SIGNATURE- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi.
What about emulating local with something like the following?
local() { eval $1=''; }
This way you can keep the current scripts and handle the not-implemented
local gracefully.
~ JoW
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkrd29IACgkQdputYINPTPND4ACaArek5LSOYNkoNV1FFpmK81lb
GzEAn1f9SPvnwPucGRp/Y2PT58WItq7C
=rKsF
-END PGP SIGNATURE-
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Hi,
On Tuesday 20 October 2009 17:48:34 Jo-Philipp Wich wrote:
Hi.
What about emulating local with something like the following?
local() { eval $1=''; }
This way you can keep the current scripts and handle the not-implemented
local gracefully.
I definitively prefer that solution, anytime hush makes more progress towards
having local variables support or ash finally works on no-mmu systems this
hack can be removed.
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The following function supports multiple args like the original local.
if ! type local /dev/null; then
local() {
for _v in $*; do eval $_v=''; done
}
fi
If you add that to /etc/profile (is that supported by hush?) then it
should be available system wide, in any script.
~ JoW
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkrd5AoACgkQdputYINPTPP2RwCgjlMDgHn/slP2BbQ+488LpzwN
GOIAnik/wOoQCFG7p9m7NXbKd3SZdIIs
=eQjM
-END PGP SIGNATURE-
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Jo-Philipp Wich wrote:
The following function supports multiple args like the original local.
if ! type local /dev/null; then
local() {
for _v in $*; do eval $_v=''; done
}
fi
If you add that to /etc/profile (is that supported by hush?) then it
should be available system wide, in any script.
/etc/functions.sh would be a better place, imho. I think /etc/profile is
not automatically sourced by shell scripts. This function doesn't
currently cover all scripts, it needs to handle things like
local var=value
as well without inserting extra = characters.
- Felix
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
hi Malte, I forgot to say that, this is for ubicom32 cpu that has no mmu, and other no-mmu cpu's, there is no memory concern. this will not be the end of hush scripts changes, others are on the way. eval may be fishy for ash, i don't know. May be making a global switch mechanism between ash/hush is the solution to isolate different behaviour of shells. regards ugur -Original Message- From: openwrt-devel-boun...@lists.openwrt.org on behalf of Malte S. Stretz Sent: Tue 20.10.2009 16:51 To: OpenWrt Development List Subject: Re: [OpenWrt-Devel] [PATCH] firewall/iptables On Tuesday 20 October 2009 14:58:49 Ugur DOGRU wrote: This patch is for firewall/iptables. Most of it is to fix some hush script problems. [...] As most other init/hotplug scripts don't work with hush as well, I wonder why you went for the firewall only :) What you fixed are actually not problems in the scripts, but workarounds for hush-limitations and un-localizing variables is prone to breaking some stuff (I fixed one such issue earlier this year). The eval-code you used for assigning variables looks fishy as well but I never worked with hush so maybe PITAresque stuff like this is needed. Maybe you should just add the 50k and use ash instead? Cheers, Malte -- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Good idea. but, not sure that type supported by hush.
ugur
Jo-Philipp Wich wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The following function supports multiple args like the original local.
if ! type local /dev/null; then
local() {
for _v in $*; do eval $_v=''; done
}
fi
If you add that to /etc/profile (is that supported by hush?) then it
should be available system wide, in any script.
~ JoW
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkrd5AoACgkQdputYINPTPP2RwCgjlMDgHn/slP2BbQ+488LpzwN
GOIAnik/wOoQCFG7p9m7NXbKd3SZdIIs
=eQjM
-END PGP SIGNATURE-
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Latest busybox version is 1.15.2 and includes local builtin implemented. You
can check the following link: http://busybox.net/.
As noted, in the present time, hush is a must for nommu processors like we
have: ubicom32.
Bayram
-Original Message-
From: openwrt-devel-boun...@lists.openwrt.org on behalf of Florian Fainelli
Sent: Tue 10/20/2009 09:03
To: openwrt-devel@lists.openwrt.org
Subject: Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Hi,
On Tuesday 20 October 2009 17:48:34 Jo-Philipp Wich wrote:
Hi.
What about emulating local with something like the following?
local() { eval $1=''; }
This way you can keep the current scripts and handle the not-implemented
local gracefully.
I definitively prefer that solution, anytime hush makes more progress towards
having local variables support or ash finally works on no-mmu systems this
hack can be removed.
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
