Re: IPFire 2.29 - Core Update 185 is available for testing

[Adolf Belka <adolf.belka@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 4909 bytes --]

Hi Nick,

On 25/03/2024 16:49, Nick Howitt wrote:
> I don't have the answer to why it is adding the lines, but can I ask 
> if this scriptlet is safe?
>
> If you have one line and not the other in the file you will end up 
> with three lines, the original plus two new. Also, if someone has 
> preffed the lines off, they will gain two lines preffed on.
>
Good point. If the lines are present with =on or =off then the options 
have been saved and the update code would not be needed.
> Perhaps it is safer to run the tests independently, just checking for 
> ^LOGDROPHOSTILEIN= and ^LOGDROPHOSTILEOUT=
>
> if ! grep "^LOGDROPHOSTILEIN=" /var/ipfire/optionsfw/settings; then
>     sed -i '$ a\LOGDROPHOSTILEIN=on' /var/ipfire/optionsfw/settings
>     /usr/local/bin/firewallctrl
> fi
> if ! grep "^LOGDROPHOSTILEOUT=" /var/ipfire/optionsfw/settings; then
>     sed -i '$ a\LOGDROPHOSTILEOUT=on' /var/ipfire/optionsfw/settings
>     /usr/local/bin/firewallctrl
> fi
>

I will look at making that update.
The only problem is I can't easily test that it solves the problem I 
have found from the update as the original script does not cause the 
same result when I manually run it.

However, definitely want to change the script anyway to make sure that I 
don't end up with both =on and =off fore the same setting which might 
occur if someone has already adjusted their preferences.

I will probably have to submit a patch for the modification and then 
test it in the CU185 Testing release when it is updated.

Regards,
Adolf.
> It does, however, cost another firewall restart, which could be evaded 
> with a few more lines of script.
>
> Regards,
>
> Nick
>
> On 25/03/2024 15:02, Adolf Belka wrote:
>>
>> Hi All,
>>
>> I am having difficulty understanding something that is happening with 
>> the Core Update to 185.
>>
>> I added the following code into the update.sh script
>>
>> # Check if the drop hostile in and out logging options need to be added
>> # into the optionsfw settings file and apply to firewall
>> if ! [ $(grep "LOGDROPHOSTILEIN=on" /var/ipfire/optionsfw/settings) ] 
>> && \
>>     ! [ $(grep "LOGDROPHOSTILEOUT=on" /var/ipfire/optionsfw/settings) 
>> ]; then
>>          sed -i '$ a\LOGDROPHOSTILEIN=on' /var/ipfire/optionsfw/settings
>>          sed -i '$ a\LOGDROPHOSTILEOUT=on' 
>> /var/ipfire/optionsfw/settings
>>          /usr/local/bin/firewallctrl
>> fi
>>
>> If I do an update with a Core Update 183 version that has the 
>> LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries in optionsfw/settings 
>> missing then the update adds in the two lines shown. So working 
>> correctly.
>>
>> However if the Core Update 183 has the two entries already in the 
>> optionsfw/settings file then the above code ends up with two more 
>> copies of each put into the file as following.
>>
>> FWPOLICY=DROP
>> SHOWTABLES=on
>> DROPPROXY=off
>> LOGDROPHOSTILEIN=on
>> LOGDROPHOSTILEOUT=on
>> LOGDROPHOSTILEIN=on
>> LOGDROPHOSTILEOUT=on
>>
>> However if I take a vm with optionsfw/settings containing the two 
>> entries already and run the update code shown above manually via a 
>> script on the vm then it does not add any extra lines in. If the vm 
>> has the two entries missing and I run the script manually then it 
>> adds in one entry for each.
>>
>> So I do not understand at all why the code I put into the update.sh file
>>
>> 1) Does not recognise that the entries already exist in the settings 
>> file.
>> 2) Then prints the entries twice.
>>
>> when it is run in the update.sh via an upgrade.
>>
>> Any help with understanding what is going wrong with the code I wrote 
>> would be very much appreciated.
>>
>> Regards,
>> Adolf.
>>
>> On 25/03/2024 10:15, IPFire Project wrote:
>>> This update is another testing version for IPFire: It comes with the 
>>> brand release of the IPFire IPS, a number of bug fixes across the 
>>> entire system and a good amount of package updates. Test it while 
>>> it's still hot!
>>> ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌
>>>
>>>
>>>   IPFire_
>>>
>>>
>>>   IPFire 2.29 - Core Update 185 is available for testing
>>>
>>> This update is another testing version for IPFire: It comes with the 
>>> brand release of the IPFire IPS, a number of bug fixes across the 
>>> entire system and a good amount of package updates. Test it while 
>>> it's still hot!
>>>
>>> Read The Full Post On Our Blog 
>>> <https://www.ipfire.org/blog/ipfire-2-29-core-update-185-is-available-for-testing?utm_medium=email&utm_source=blog-announcement>
>>>
>>> The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstraße 8, 
>>> 45711 Datteln, Germany
>>>
>>> Unsubscribe <https://www.ipfire.org/unsubscribe>
>>>

-- 
Sent from my laptop