Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Hi Felix, I am attaching two scripts that showing problems I reported. there are script results below, that I got. I am using BusyBox v1.15.3 from latest trunk code(r18874). Thanks ugur /tmp # ./test_sh1.sh WITHOUT_EVAL: $proto WITH_EVAL: tcp /tmp # /tmp # ./test_sh2.sh CONCATTED: sh: can't execute ' ': No such file or directory END NOT CONCATTED: END Felix Fietkau wrote: On 2009-12-08 1:36 PM, Ugur DOGRU wrote: Hi, After getting busybox 1.15.2, local macro is not a problem now. So I removed all modifications that removes local. To remind it, these changes are for ubicom32 platform, but for all no-mmu platforms in general. As ash cannot run on no-mmu system, we are using hush instead. There are still not compatible features between ash/hush. I've listed them below. Please note that these are only problems that I've encountered in firewall/iptables scripts. 1/ hush needs eval to substitute string. 2/ hush doesn't handle line concatenation : \ Are you sure that these two kinds of changes are still necessary? I tried to reproduce your issues by writing small test cases with hush here, but every test case I come up with seems to work fine. I also tested parameter expansion such as ${var:+-p $var}, and I also cannot get it to fail with hush. If hush still has issues with some of these expansions, could you please reduce it down to a small test case, so that I can verify it and maybe fix it in hush directly instead of the scripts? 3/ hush crashes if two scripts include each other. (uci_firewall.sh and /etc/hotplug.d/iface/20-firewall includes each other) I replaced that today without duplicating the hotplug script's code. As to some of your other changes: - config_get exists $ZONE_LIST $1 +eval_ZONE_LIST=$(eval echo $ZONE_LIST) +config_get exists $eval_ZONE_LIST $1 Why is this necessary? - Felix ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel test_sh1.sh Description: Bourne shell script test_sh2.sh Description: Bourne shell script ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Felix Fietkau wrote: On 2009-12-08 1:36 PM, Ugur DOGRU wrote: Hi, After getting busybox 1.15.2, local macro is not a problem now. So I removed all modifications that removes local. To remind it, these changes are for ubicom32 platform, but for all no-mmu platforms in general. As ash cannot run on no-mmu system, we are using hush instead. There are still not compatible features between ash/hush. I've listed them below. Please note that these are only problems that I've encountered in firewall/iptables scripts. 1/ hush needs eval to substitute string. 2/ hush doesn't handle line concatenation : \ Are you sure that these two kinds of changes are still necessary? I tried to reproduce your issues by writing small test cases with hush here, but every test case I come up with seems to work fine. I also tested parameter expansion such as ${var:+-p $var}, and I also cannot get it to fail with hush. If hush still has issues with some of these expansions, could you please reduce it down to a small test case, so that I can verify it and maybe fix it in hush directly instead of the scripts? Yes. I had some troubles about them. I can not get for now a console prompt on my board to test it. I think you can get fragments from uci_firewall.sh to test. For line concatenation. I think below script will show problem by running with/without line concat sign. I will try if I will be able to get a shell prompt. #!/bin/sh src_port=100-200 src_port_first=${src_port%-*} src_port_last=${src_port#*-} [ $src_port_first -ne $src_port_last ] { \ src_port=$src_port_first:$src_port_last; } 3/ hush crashes if two scripts include each other. (uci_firewall.sh and /etc/hotplug.d/iface/20-firewall includes each other) I replaced that today without duplicating the hotplug script's code. As to some of your other changes: - config_get exists $ZONE_LIST $1 +eval_ZONE_LIST=$(eval echo $ZONE_LIST) +config_get exists $eval_ZONE_LIST $1 Why is this necessary? This is about eval problem. - Felix ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
On 2009-12-08 1:36 PM, Ugur DOGRU wrote: Hi, After getting busybox 1.15.2, local macro is not a problem now. So I removed all modifications that removes local. To remind it, these changes are for ubicom32 platform, but for all no-mmu platforms in general. As ash cannot run on no-mmu system, we are using hush instead. There are still not compatible features between ash/hush. I've listed them below. Please note that these are only problems that I've encountered in firewall/iptables scripts. 1/ hush needs eval to substitute string. 2/ hush doesn't handle line concatenation : \ Are you sure that these two kinds of changes are still necessary? I tried to reproduce your issues by writing small test cases with hush here, but every test case I come up with seems to work fine. I also tested parameter expansion such as ${var:+-p $var}, and I also cannot get it to fail with hush. If hush still has issues with some of these expansions, could you please reduce it down to a small test case, so that I can verify it and maybe fix it in hush directly instead of the scripts? 3/ hush crashes if two scripts include each other. (uci_firewall.sh and /etc/hotplug.d/iface/20-firewall includes each other) I replaced that today without duplicating the hotplug script's code. As to some of your other changes: - config_get exists $ZONE_LIST $1 +eval_ZONE_LIST=$(eval echo $ZONE_LIST) +config_get exists $eval_ZONE_LIST $1 Why is this necessary? - Felix ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Hi, After getting busybox 1.15.2, local macro is not a problem now. So I removed all modifications that removes local. To remind it, these changes are for ubicom32 platform, but for all no-mmu platforms in general. As ash cannot run on no-mmu system, we are using hush instead. There are still not compatible features between ash/hush. I've listed them below. Please note that these are only problems that I've encountered in firewall/iptables scripts. 1/ hush needs eval to substitute string. 2/ hush doesn't handle line concatenation : \ 3/ hush crashes if two scripts include each other. (uci_firewall.sh and /etc/hotplug.d/iface/20-firewall includes each other) I am attaching patch file that solving above problems. we need your comments for these issues. regards ugur Felix Fietkau wrote: Jo-Philipp Wich wrote: The following function supports multiple args like the original local. if ! type local /dev/null; then local() { for _v in $*; do eval $_v=''; done } fi If you add that to /etc/profile (is that supported by hush?) then it should be available system wide, in any script. /etc/functions.sh would be a better place, imho. I think /etc/profile is not automatically sourced by shell scripts. This function doesn't currently cover all scripts, it needs to handle things like local var=value as well without inserting extra = characters. - Felix ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel diff -ruN /home/ugur/Desktop/openwrt-trunk-r18672/package/firewall/files/uci_firewall.sh /home/ugur/ubicom-distro/openwrt/package/firewall/files/uci_firewall.sh --- /home/ugur/Desktop/openwrt-trunk-r18672/package/firewall/files/uci_firewall.sh 2009-12-01 22:31:10.0 +0200 +++ /home/ugur/ubicom-distro/openwrt/package/firewall/files/uci_firewall.sh 2009-12-08 14:01:13.0 +0200 @@ -46,9 +46,10 @@ [ $1 == loopback ] return - config_get exists $ZONE_LIST $1 +eval_ZONE_LIST=$(eval echo $ZONE_LIST) +config_get exists $eval_ZONE_LIST $1 [ -n $exists ] return - config_set $ZONE_LIST $1 1 +config_set $eval_ZONE_LIST $1 1 $IPTABLES -N zone_$1 $IPTABLES -N zone_$1_MSSFIX @@ -280,12 +281,12 @@ src_port_first=${src_port%-*} src_port_last=${src_port#*-} - [ $src_port_first -ne $src_port_last ] { \ + [ $src_port_first -ne $src_port_last ] { src_port=$src_port_first:$src_port_last; } dest_port_first=${dest_port%-*} dest_port_last=${dest_port#*-} - [ $dest_port_first -ne $dest_port_last ] { \ + [ $dest_port_first -ne $dest_port_last ] { dest_port=$dest_port_first:$dest_port_last; } ZONE=input @@ -295,15 +296,13 @@ [ -n $src -a -n $dest ] ZONE=zone_${src}_forward [ -n $dest ] TARGET=zone_${dest}_$target add_rule() { - $IPTABLES -A $ZONE \ - ${proto:+-p $proto} \ - ${icmp_type:+--icmp-type $icmp_type} \ - ${src_ip:+-s $src_ip} \ - ${src_port:+--sport $src_port} \ - ${src_mac:+-m mac --mac-source $src_mac} \ - ${dest_ip:+-d $dest_ip} \ - ${dest_port:+--dport $dest_port} \ - -j $TARGET +PROTO=$(eval echo \${proto:+-p $proto}\) +SRC_IP=$(eval echo \${src_ip:+-s $src_ip}\) +SRC_PORT=$(eval echo \${src_port:+--sport $src_port}\) +SRC_MAC=$(eval echo \${src_mac:+-m mac --mac-source $src_mac}\) +DEST_IP=$(eval echo \${dest_ip:+-d $dest_ip}\) +DEST_PORT=$(eval echo \${dest_port:+--dport $dest_port}\) +$IPTABLES -I $ZONE 1 $PROTO $SRC_IP $SRC_PORT $SRC_MAC $DEST_IP $DEST_PORT -j $TARGET } [ $proto == tcpudp -o -z $proto ] { proto=tcp @@ -349,42 +348,40 @@ config_get dest_ip $1 dest_ip config_get dest_port $1 dest_port config_get proto $1 proto - [ -z $src -o -z $dest_ip ] { \ + [ -z $src -o -z $dest_ip ] { echo redirect needs src and dest_ip; return ; } src_port_first=${src_port%-*} src_port_last=${src_port#*-} - [ $src_port_first -ne $src_port_last ] { \ + [ $src_port_first -ne $src_port_last ] { src_port=$src_port_first:$src_port_last; } src_dport_first=${src_dport%-*} src_dport_last=${src_dport#*-} - [ $src_dport_first -ne $src_dport_last ] { \ + [ $src_dport_first -ne $src_dport_last ] { src_dport=$src_dport_first:$src_dport_last; } dest_port2=${dest_port:-$src_dport} dest_port_first=${dest_port2%-*} dest_port_last=${dest_port2#*-} - [ $dest_port_first -ne $dest_port_last ] { \ + [ $dest_port_first -ne $dest_port_last ] { dest_port2=$dest_port_first:$dest_port_last; } add_rule() { - $IPTABLES -A zone_${src}_prerouting -t nat \ - ${proto:+-p $proto} \ - ${src_ip:+-s $src_ip} \ - ${src_port:+--sport $src_port} \ - ${src_dport:+--dport $src_dport} \ - ${src_mac:+-m mac --mac-source $src_mac} \ - -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port} - - $IPTABLES -I zone_${src}_forward 1 \ - ${proto:+-p $proto} \ - -d $dest_ip \ -
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
* Ugur DOGRU udo...@ubicom.com [08.12.2009 13:40]: 1/ hush needs eval to substitute string. 2/ hush doesn't handle line concatenation : \ 3/ hush crashes if two scripts include each other. (uci_firewall.sh and /etc/hotplug.d/iface/20-firewall includes each other) Thanks for your work - is there any documentation about 'hush'? i only found some sources ( humble shell 0.01 (testing) ), but ist seems to be interesting. bye, Bastian signature.asc Description: Digital signature ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
On Tuesday 20 October 2009 14:58:49 Ugur DOGRU wrote: This patch is for firewall/iptables. Most of it is to fix some hush script problems. [...] As most other init/hotplug scripts don't work with hush as well, I wonder why you went for the firewall only :) What you fixed are actually not problems in the scripts, but workarounds for hush-limitations and un-localizing variables is prone to breaking some stuff (I fixed one such issue earlier this year). The eval-code you used for assigning variables looks fishy as well but I never worked with hush so maybe PITAresque stuff like this is needed. Maybe you should just add the 50k and use ash instead? Cheers, Malte -- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Malte. [...] Maybe you should just add the 50k and use ash instead? As far as I know is hush a requirement of the platform (no mmu) and I think ash does not work on non-mmu + non-fork platforms. ~ JoW -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrd2scACgkQdputYINPTPN//gCeJk490y55LpSJKQP++wghzZ6K Tv4AniggWzPOQT1RSAdy314bwXyP1TqJ =W339 -END PGP SIGNATURE- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi. What about emulating local with something like the following? local() { eval $1=''; } This way you can keep the current scripts and handle the not-implemented local gracefully. ~ JoW -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrd29IACgkQdputYINPTPND4ACaArek5LSOYNkoNV1FFpmK81lb GzEAn1f9SPvnwPucGRp/Y2PT58WItq7C =rKsF -END PGP SIGNATURE- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Hi, On Tuesday 20 October 2009 17:48:34 Jo-Philipp Wich wrote: Hi. What about emulating local with something like the following? local() { eval $1=''; } This way you can keep the current scripts and handle the not-implemented local gracefully. I definitively prefer that solution, anytime hush makes more progress towards having local variables support or ash finally works on no-mmu systems this hack can be removed. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 The following function supports multiple args like the original local. if ! type local /dev/null; then local() { for _v in $*; do eval $_v=''; done } fi If you add that to /etc/profile (is that supported by hush?) then it should be available system wide, in any script. ~ JoW -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrd5AoACgkQdputYINPTPP2RwCgjlMDgHn/slP2BbQ+488LpzwN GOIAnik/wOoQCFG7p9m7NXbKd3SZdIIs =eQjM -END PGP SIGNATURE- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Jo-Philipp Wich wrote: The following function supports multiple args like the original local. if ! type local /dev/null; then local() { for _v in $*; do eval $_v=''; done } fi If you add that to /etc/profile (is that supported by hush?) then it should be available system wide, in any script. /etc/functions.sh would be a better place, imho. I think /etc/profile is not automatically sourced by shell scripts. This function doesn't currently cover all scripts, it needs to handle things like local var=value as well without inserting extra = characters. - Felix ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
hi Malte, I forgot to say that, this is for ubicom32 cpu that has no mmu, and other no-mmu cpu's, there is no memory concern. this will not be the end of hush scripts changes, others are on the way. eval may be fishy for ash, i don't know. May be making a global switch mechanism between ash/hush is the solution to isolate different behaviour of shells. regards ugur -Original Message- From: openwrt-devel-boun...@lists.openwrt.org on behalf of Malte S. Stretz Sent: Tue 20.10.2009 16:51 To: OpenWrt Development List Subject: Re: [OpenWrt-Devel] [PATCH] firewall/iptables On Tuesday 20 October 2009 14:58:49 Ugur DOGRU wrote: This patch is for firewall/iptables. Most of it is to fix some hush script problems. [...] As most other init/hotplug scripts don't work with hush as well, I wonder why you went for the firewall only :) What you fixed are actually not problems in the scripts, but workarounds for hush-limitations and un-localizing variables is prone to breaking some stuff (I fixed one such issue earlier this year). The eval-code you used for assigning variables looks fishy as well but I never worked with hush so maybe PITAresque stuff like this is needed. Maybe you should just add the 50k and use ash instead? Cheers, Malte -- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Good idea. but, not sure that type supported by hush. ugur Jo-Philipp Wich wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 The following function supports multiple args like the original local. if ! type local /dev/null; then local() { for _v in $*; do eval $_v=''; done } fi If you add that to /etc/profile (is that supported by hush?) then it should be available system wide, in any script. ~ JoW -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrd5AoACgkQdputYINPTPP2RwCgjlMDgHn/slP2BbQ+488LpzwN GOIAnik/wOoQCFG7p9m7NXbKd3SZdIIs =eQjM -END PGP SIGNATURE- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] firewall/iptables
Latest busybox version is 1.15.2 and includes local builtin implemented. You can check the following link: http://busybox.net/. As noted, in the present time, hush is a must for nommu processors like we have: ubicom32. Bayram -Original Message- From: openwrt-devel-boun...@lists.openwrt.org on behalf of Florian Fainelli Sent: Tue 10/20/2009 09:03 To: openwrt-devel@lists.openwrt.org Subject: Re: [OpenWrt-Devel] [PATCH] firewall/iptables Hi, On Tuesday 20 October 2009 17:48:34 Jo-Philipp Wich wrote: Hi. What about emulating local with something like the following? local() { eval $1=''; } This way you can keep the current scripts and handle the not-implemented local gracefully. I definitively prefer that solution, anytime hush makes more progress towards having local variables support or ash finally works on no-mmu systems this hack can be removed. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel