From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: IPFire 2.29 - Core Update 185 is available for testing Date: Tue, 26 Mar 2024 10:55:12 +0000 Message-ID: In-Reply-To: <01a9d3fb-91da-44a0-a322-b5be135ab797@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3704929149948504391==" List-Id: --===============3704929149948504391== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello everyone, I am not entirely sure what corner-case we are talking about here, but I ran = the code twice on a test system to see if it actually does what it is suppose= d to do. I felt it did. But is it pretty? Not quite, so let=E2=80=99s dive into a little bit of shell= :) > On 25 Mar 2024, at 16:29, Adolf Belka wrote: >=20 > Hi Nick, >=20 > On 25/03/2024 16:49, Nick Howitt wrote: >> I don't have the answer to why it is adding the lines, but can I ask if th= is scriptlet is safe? >>=20 >> If you have one line and not the other in the file you will end up with th= ree lines, the original plus two new. Also, if someone has preffed the lines = off, they will gain two lines preffed on. >>=20 > Good point. If the lines are present with =3Don or =3Doff then the options = have been saved and the update code would not be needed. >> Perhaps it is safer to run the tests independently, just checking for ^LOG= DROPHOSTILEIN=3D and ^LOGDROPHOSTILEOUT=3D >>=20 >> if ! grep "^LOGDROPHOSTILEIN=3D" /var/ipfire/optionsfw/settings; then >> sed -i '$ a\LOGDROPHOSTILEIN=3Don' /var/ipfire/optionsfw/settings >> /usr/local/bin/firewallctrl >> fi >> if ! grep "^LOGDROPHOSTILEOUT=3D" /var/ipfire/optionsfw/settings; then >> sed -i '$ a\LOGDROPHOSTILEOUT=3Don' /var/ipfire/optionsfw/settings >> /usr/local/bin/firewallctrl >> fi >>=20 This is probably the cleanest version that we have seen here. Formerly the if statement looked like this: >>> if ! [ $(grep "LOGDROPHOSTILEIN=3Don" /var/ipfire/optionsfw/settings) ] This will run a sub shell $(=E2=80=A6) with grep in it which is not necessary= since if alone can determine the exit code of a command. >> if ! grep "^LOGDROPHOSTILEIN=3D" /var/ipfire/optionsfw/settings; then So this eliminates the sub shell, a couple of brackets and dollar signs and i= s a lot easier to read. >> sed -i '$ a\LOGDROPHOSTILEOUT=3Don' /var/ipfire/optionsfw/settings This could have simply been an echo: echo "LOGDROPHOSTILEOUT=3Don=E2=80=9D >> /var/ipfire/optionsfw/settings That would even be executed by the shell without forking any subprocesses and= therefore be the fastest option. Not very important if there is only two str= ings to write, but sometimes there are loops that are being called thousands = of times=E2=80=A6 You are going to save a lot of time and will also have easi= er code to read. Reloading the firewall once would have been fine for me, even if there have b= een no changes whatsoever. > I will look at making that update. > The only problem is I can't easily test that it solves the problem I have f= ound from the update as the original script does not cause the same result wh= en I manually run it. >=20 > However, definitely want to change the script anyway to make sure that I do= n't end up with both =3Don and =3Doff fore the same setting which might occur= if someone has already adjusted their preferences. >=20 > I will probably have to submit a patch for the modification and then test i= t in the CU185 Testing release when it is updated. Thank you. I will merge it shortly. -Michael >=20 > Regards, > Adolf. >> It does, however, cost another firewall restart, which could be evaded wit= h a few more lines of script. >>=20 >> Regards, >>=20 >> Nick >>=20 >> On 25/03/2024 15:02, Adolf Belka wrote: >>>=20 >>> Hi All, >>>=20 >>> I am having difficulty understanding something that is happening with the= Core Update to 185. >>>=20 >>> I added the following code into the update.sh script >>>=20 >>> # Check if the drop hostile in and out logging options need to be added >>> # into the optionsfw settings file and apply to firewall >>> if ! [ $(grep "LOGDROPHOSTILEIN=3Don" /var/ipfire/optionsfw/settings) ] &= & \ >>> ! [ $(grep "LOGDROPHOSTILEOUT=3Don" /var/ipfire/optionsfw/settings) ]= ; then >>> sed -i '$ a\LOGDROPHOSTILEIN=3Don' /var/ipfire/optionsfw/settings >>> sed -i '$ a\LOGDROPHOSTILEOUT=3Don' /var/ipfire/optionsfw/settin= gs >>> /usr/local/bin/firewallctrl >>> fi >>>=20 >>> If I do an update with a Core Update 183 version that has the LOGDROPHOST= ILEIN and LOGDROPHOSTILEOUT entries in optionsfw/settings missing then the up= date adds in the two lines shown. So working correctly. >>>=20 >>> However if the Core Update 183 has the two entries already in the options= fw/settings file then the above code ends up with two more copies of each put= into the file as following. >>>=20 >>> FWPOLICY=3DDROP >>> SHOWTABLES=3Don >>> DROPPROXY=3Doff >>> LOGDROPHOSTILEIN=3Don >>> LOGDROPHOSTILEOUT=3Don >>> LOGDROPHOSTILEIN=3Don >>> LOGDROPHOSTILEOUT=3Don >>>=20 >>> However if I take a vm with optionsfw/settings containing the two entries= already and run the update code shown above manually via a script on the vm = then it does not add any extra lines in. If the vm has the two entries missin= g and I run the script manually then it adds in one entry for each. >>>=20 >>> So I do not understand at all why the code I put into the update.sh file >>>=20 >>> 1) Does not recognise that the entries already exist in the settings file. >>> 2) Then prints the entries twice. >>>=20 >>> when it is run in the update.sh via an upgrade. >>>=20 >>> Any help with understanding what is going wrong with the code I wrote wou= ld be very much appreciated. >>>=20 >>> Regards, >>> Adolf. >>>=20 >>> On 25/03/2024 10:15, IPFire Project wrote: >>>> This update is another testing version for IPFire: It comes with the bra= nd release of the IPFire IPS, a number of bug fixes across the entire system = and a good amount of package updates. Test it while it's still hot! >>>> =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C = =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80= =8C =E2=80=8C =E2=80=8C =E2=80=8C >>>>=20 >>>>=20 >>>> IPFire_ >>>>=20 >>>>=20 >>>> IPFire 2.29 - Core Update 185 is available for testing >>>>=20 >>>> This update is another testing version for IPFire: It comes with the bra= nd release of the IPFire IPS, a number of bug fixes across the entire system = and a good amount of package updates. Test it while it's still hot! >>>>=20 >>>> Read The Full Post On Our Blog >>>>=20 >>>> The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstra=C3=9Fe 8, = 45711 Datteln, Germany >>>>=20 >>>> Unsubscribe >>>>=20 >=20 > --=20 > Sent from my laptop --===============3704929149948504391==--