Bug 8960 - drakfirewall adds lines longer than IFNAMSIZ (15)-1 to /etc/shorewall/interfaces
Status: NEW
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: High  Severity: major
Target Milestone: Mageia 6
Assigned To: Mageia tools maintainers
Reported: 2013-02-04 21:12 CET by Jim Dines
Modified: 2016-12-17 03:30 CET

Source RPM: drakx-net-text-1.18-1.mga3
Description Jim Dines 2013-02-04 21:12:34 CET
Description of problem:

When you connect to a WiFi network with a long SSID (>=15 characters) and then configure your firewall, it adds a loc entry to /etc/shorewall/interfaces that is too long for shorewall to handle. It will break shorewall, but drakfirewall will still claim everything is OK :-(

Version-Release number of selected component (if applicable):

Probably every version since drakfirewall was created?

I'm calling it a major/critical issue since drakfirewall doesn't even let the user know his firewall is now down.
Comment 1 Bit Twister 2013-02-05 06:25:51 CET
(In reply to comment #0)

> I'm calling it a major/critical issue since drakfirewall doesn't even let the
> user know his firewall is now down.

I can agree that a status of shorewall should be returned since the default is no firewall.
That is a poor decision in my opinion because of all the services that are running, not to mention systemd starting services it updates even though you have stopped them.
Comment 2 Thierry Vignaud 2013-02-19 20:24:07 CET
*** Bug 9015 has been marked as a duplicate of this bug. ***
Comment 3 Nic Baxter 2015-02-25 03:43:50 CET
Has this been resolved? 2 years since last comment.
Comment 4 Manuel Hiebel 2015-02-28 00:21:23 CET
Looks like I can reproduce, and so shorewall doesn't want to start :(

févr. 28 00:16:09 linux drakfirewall[16709]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
févr. 28 00:16:09 linux drakfirewall[16709]: running: /bin/systemctl --quiet is-active mandi.service
févr. 28 00:16:09 linux drakfirewall[16709]: launched command: killall -s SIGUSR1 net_applet
févr. 28 00:16:09 linux drakfirewall[16709]: ### Program is exiting ###
févr. 28 00:16:09 linux shorewall[16995]: Compiling...
févr. 28 00:16:09 linux shorewall[16995]: Processing /etc/shorewall/params ...
févr. 28 00:16:09 linux shorewall[16995]: Processing /etc/shorewall/shorewall.conf...
févr. 28 00:16:09 linux shorewall[16995]: Loading Modules...
févr. 28 00:16:09 linux shorewall[16995]: Compiling /etc/shorewall/zones...
févr. 28 00:16:09 linux shorewall[16995]: Compiling /etc/shorewall/interfaces...
févr. 28 00:16:10 linux shorewall[16995]: Determining Hosts in Zones...
févr. 28 00:16:10 linux shorewall[16995]: Locating Action Files...
févr. 28 00:16:10 linux shorewall[16995]: Compiling /etc/shorewall/policy...
févr. 28 00:16:10 linux shorewall[16995]: Running /etc/shorewall/initdone...
févr. 28 00:16:10 linux shorewall[16995]: Compiling TCP Flags filtering...
févr. 28 00:16:10 linux shorewall[16995]: Compiling Kernel Route Filtering...
févr. 28 00:16:10 linux shorewall[16995]: Compiling Martian Logging...
févr. 28 00:16:10 linux shorewall[16995]: Compiling MAC Filtration -- Phase 1...
févr. 28 00:16:10 linux shorewall[16995]: Compiling /etc/shorewall/policy...
févr. 28 00:16:10 linux shorewall[16995]: Running /etc/shorewall/initdone...
févr. 28 00:16:10 linux shorewall[16995]: Compiling TCP Flags filtering...
févr. 28 00:16:10 linux shorewall[16995]: Compiling Kernel Route Filtering...
févr. 28 00:16:10 linux shorewall[16995]: Compiling Martian Logging...
févr. 28 00:16:10 linux shorewall[16995]: Compiling MAC Filtration -- Phase 1...
févr. 28 00:16:10 linux shorewall[16995]: Compiling /etc/shorewall/rules...
févr. 28 00:16:10 linux shorewall[16995]: Compiling /etc/shorewall/conntrack...
févr. 28 00:16:10 linux shorewall[16995]: Compiling MAC Filtration -- Phase 2...
févr. 28 00:16:10 linux shorewall[16995]: Applying Policies...
févr. 28 00:16:10 linux shorewall[16995]: Compiling /usr/share/shorewall/action.Drop for chain Drop...
févr. 28 00:16:10 linux shorewall[16995]: Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
févr. 28 00:16:10 linux shorewall[16995]: Generating Rule Matrix...
févr. 28 00:16:10 linux shorewall[16995]: Compiling /usr/share/shorewall/action.Reject for chain Reject...
févr. 28 00:16:10 linux shorewall[16995]: Creating iptables-restore input...
févr. 28 00:16:10 linux shorewall[16995]: Shorewall configuration compiled to /var/lib/shorewall/.start
févr. 28 00:16:10 linux shorewall[16995]: Starting Shorewall....
févr. 28 00:16:10 linux shorewall[16995]: Initializing...
févr. 28 00:16:10 linux shorewall[16995]: Processing /etc/shorewall/init ...
févr. 28 00:16:10 linux shorewall[16995]: Processing /etc/shorewall/tcclear ...
févr. 28 00:16:10 linux shorewall[16995]: Setting up Route Filtering...
févr. 28 00:16:10 linux shorewall[16995]: Setting up Martian Logging...
févr. 28 00:16:10 linux shorewall[16995]: Setting up Proxy ARP...
févr. 28 00:16:10 linux shorewall[16995]: Preparing iptables-restore input...
févr. 28 00:16:10 linux shorewall[16995]: Running /sbin/iptables-restore...
févr. 28 00:16:10 linux shorewall[16995]: iptables-restore v1.4.21: interface name `Auto_freebox_WDURIO' must be shorter than IFNAMSIZ (15)
févr. 28 00:16:10 linux shorewall[16995]: Error occurred at line: 88
févr. 28 00:16:10 linux shorewall[16995]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
févr. 28 00:16:10 linux shorewall[16995]: ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
févr. 28 00:16:10 linux logger[17228]: ERROR:Shorewall start failed
févr. 28 00:16:10 linux shorewall[16995]: Processing /etc/shorewall/stop ...
févr. 28 00:16:10 linux shorewall[16995]: iptables v1.4.21: Couldn't load target `Ifw':No such file or directory
févr. 28 00:16:10 linux shorewall[16995]: Try `iptables -h' or 'iptables --help' for more information.
févr. 28 00:16:10 linux shorewall[16995]: iptables: No chain/target/match by that name.
févr. 28 00:16:10 linux shorewall[16995]: iptables: No chain/target/match by that name.
févr. 28 00:16:10 linux shorewall[16995]: ipset v6.24: The set with the given name does not exist
févr. 28 00:16:10 linux shorewall[16995]: ipset v6.24: The set with the given name does not exist
févr. 28 00:16:10 linux shorewall[16995]: Processing /etc/shorewall/tcclear ...
févr. 28 00:16:10 linux shorewall[16995]: Running /sbin/iptables-restore...
févr. 28 00:16:10 linux shorewall[16995]: Processing /etc/shorewall/stopped ...
févr. 28 00:16:10 linux logger[17255]: Shorewall Stopped
févr. 28 00:16:10 linux shorewall[16995]: /usr/share/shorewall/lib.common : ligne 113 : 17183 Complété              $SHOREWALL_SHELL $script $options $@
févr. 28 00:16:10 linux systemd[1]: shorewall.service: main process exited, code=exited, status=143/n/a
févr. 28 00:16:10 linux systemd[1]: Failed to start Shorewall IPv4 firewall.
Comment 5 Manuel Hiebel 2015-02-28 00:23:39 CET
and using NM, which adds auto_ to my SSID freebox_wdurio
Comment 6 Manuel Hiebel 2015-02-28 00:29:35 CET
In fact NM creates /etc/sysconfig/network-scripts/ifcfg-Auto_freebox_wdurio
and drakfirewall thinks it is an interface (or is it one in the NetworkManager world?)
Comment 7 Manuel Hiebel 2015-02-28 00:58:16 CET
If I remove the ifcfg file everything seems to work.
Comment 8 Curtis Hildebrand 2016-10-12 08:07:21 CEST
I just realized I was bitten by this bug again.

To recap (using my situation as an example if I get this right):
- On my laptop, I connected to a wifi at a local brewery. I'm using NetworkManager, but draknet is still configured.

- The SSID is longer than 15 characters ("Field House Brewing - Public").

- files are created in /etc/sysconfig/network-scripts
    "ifcfg-Auto_Field_House_Brewing_-_Public"
    "keys-ifcfg-Auto_Field_House_Brewing_-_Public"

- drakfirewall adds an entry to /etc/shorewall/interfaces
     Auto_Field_House_Brewing_-_Public

- shorewall restarts resulting in the SILENT error (only shows on the commandline)
     iptables-restore v1.6.0: interface name `Auto_Field_House_Brewing_-_Public' must be shorter than IFNAMSIZ (15)

- Since there was no error, the user continues working with NO FIREWALL!


My workaround (not sure if all the steps are needed):
- shorten all NetworkManager WiFi names that are longer than 15 characters
    #nmcli con show   (to get the list of saved settings)
- rename all the ifcfg-* files to match the NM names with "ifcfg-" at the beginning
- rename the keys-* files to match the ifcfg-* files
- run drakfirewall.  I'm able to just click OK through all the options.
- test the firewall settings with "shorewall show" on the cmd line
- if needed, run "shorewall restart"


Seems like a pretty serious security issue to silently leave a user hanging with a wide open network connection (no firewall).
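The silent failure described in this thread can be detected before shorewall is restarted. The following Python check is added here as an example and is not part of drakfirewall or shorewall: it parses the ZONE/INTERFACE columns of a constructed sample interfaces file and flags names longer than IFNAMSIZ-1 (15 characters), which is the limit iptables-restore enforces in the logs above. The ifcfg helper assumes, as comment 8 shows, that the interface name drakfirewall writes is the part of the filename after "ifcfg-".

```python
"""Added check: flag entries in a shorewall 'interfaces' file whose interface
name is longer than the kernel's IFNAMSIZ-1 (15 characters). iptables-restore
rejects such names, so shorewall fails to start and the host has no firewall."""

IFNAMSIZ = 16               # Linux kernel limit, including the NUL terminator
MAX_IFNAME = IFNAMSIZ - 1   # 15 usable characters, the limit iptables enforces

# Constructed sample /etc/shorewall/interfaces content (not a real config);
# the last entry reproduces the overlong name quoted in comment 8.
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE                         BROADCAST   OPTIONS
net     eth0                              detect      dhcp,tcpflags
loc     wlan0                             detect
loc     Auto_Field_House_Brewing_-_Public detect      dhcp
"""


def parse_interfaces(text):
    """Return (line_no, zone, interface) for each data line, skipping blank
    lines and comments (whole-line or trailing '#')."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((line_no, fields[0], fields[1]))
    return entries


def overlong_interfaces(text, limit=MAX_IFNAME):
    """Entries iptables would reject, as (line_no, zone, interface, length)."""
    return [(n, z, i, len(i)) for n, z, i in parse_interfaces(text)
            if len(i) > limit]


def overlong_ifcfg_names(filenames, limit=MAX_IFNAME):
    """Hypothetical pre-check on /etc/sysconfig/network-scripts listings:
    return the names derived from 'ifcfg-*' files (assumed: the part after
    'ifcfg-', as in comment 8) that would exceed the limit if written to
    the interfaces file. 'keys-*' files are ignored."""
    prefix = "ifcfg-"
    return [f[len(prefix):] for f in filenames
            if f.startswith(prefix) and len(f) - len(prefix) > limit]


if __name__ == "__main__":
    for n, zone, iface, length in overlong_interfaces(SAMPLE_INTERFACES):
        print(f"line {n}: zone {zone} interface {iface!r} is {length} chars "
              f"(> {MAX_IFNAME}); shorewall start will fail")
```

Run against the real /etc/shorewall/interfaces after drakfirewall has written it, then confirm with "shorewall status"; a non-empty result means the restart will fail exactly as in the log above.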
Comment 9 Mika Laitio 2016-12-17 03:30:55 CET
Having been hit by this bug also a couple of times. For example the free access points in some airports are over 15 chars... Once you have those long access point names listed in /etc/shorewall/interfaces, shorewall will fail to start silently.
