Bug #2923

Lokkit: missing port range support for network services

Added by Giacomo Sanchietti almost 7 years ago. Updated almost 7 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
% Done: 100%
Category: nethserver-base
Target version: v6.5
Security class:
Resolution:
Affected version: v6.5
NEEDINFO: No
Start date:
Due date:

Description

After the implementation of #2895, port ranges are not supported by the base firewall implementation (lokkit).

Steps to reproduce
  • Create a service with a port range:
    config set myservice service TCPPorts 1000-2000 status enabled access public
    config set myservice2 service TCPPorts 1000-2000 status enabled access private
    
  • Apply firewall configuration:
    signal-event firewall-adjust
    
  • Iptables rules are not applied

Workaround

Create a template-custom like this:

--- /etc/e-smith/templates/etc/sysconfig/ipv4_services_custom/20services    2014-10-17 16:11:25.000000000 +0000
+++ /etc/e-smith/templates-custom/etc/sysconfig/ipv4_services_custom/20services    2014-10-21 15:02:34.043975054 +0000
@@ -27,6 +27,7 @@
             }
             $OUT.="#\tService: ".$serviceRecord->key."\n"; 
             foreach my $port (split(',', $tcpPorts)) {
+                $port =~ s/\-/:/g;
                 # generate rules for green and trusted networks
                 if ($access eq 'private') {
                     foreach (@trusted) {
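Review bot: the added `$port =~ s/\-/:/g;` rewrites every dash without first checking that the entry really is `low-high`, so a malformed value such as `1000-` or `1000-2000-3000` becomes `1000:` or `1000:2000:3000`, which iptables rejects, and nothing verifies that the low end is not above the high end. Suggest matching the entry before rewriting it, e.g. `if ($port =~ /^(\d+)-(\d+)$/) { $port = "$1:$2"; }`, and skipping (or logging) anything that is neither a plain port nor a valid range. Minor: the dash needs no escaping outside a character class, `s/-/:/` reads the same.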
@@ -42,6 +43,7 @@
                 }
             }
             foreach my $port (split(',', $udpPorts)) {
+                $port =~ s/\-/:/g;
                 # generate rules for green and trusted networks
                 if ($access eq 'private') {
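Review bot: this is the same one-line substitution copied into the UDP loop; a normalization that has to be applied identically in two places is easy to let drift. Rather than duplicating the line, convert the range syntax once where `$tcpPorts` and `$udpPorts` are read from the service record (or in a small helper called from both loops), so any validation added later covers both protocols.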


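As an added illustration, not code from nethserver-base or from the patch above: a standalone Perl script that performs the same dash-to-colon conversion the workaround does, but validates every entry first and renders rules with the same public/private split used in the reproduction steps. The `-A INPUT ...` rule text is an assumed iptables-restore style, not the template's exact output.

```perl
#!/usr/bin/perl
# Added example (not NethServer code): normalize an e-smith TCPPorts/UDPPorts
# value into iptables port syntax and emit matching rules.
use strict;
use warnings;

# Turn "22,1000-2000" into the specs iptables expects ("22", "1000:2000").
# A single port becomes --dport N, a range --dport low:high (shown by
# iptables -L as "dpts:low:high"). Malformed entries abort instead of
# silently producing a rule iptables would reject, or a wrong one.
sub normalize_ports {
    my ($spec) = @_;
    my @out;
    foreach my $port (split(',', $spec)) {
        $port =~ s/^\s+|\s+$//g;           # tolerate stray whitespace
        next if $port eq '';
        if ($port =~ /^(\d+)-(\d+)$/) {    # range written as low-high
            my ($low, $high) = ($1, $2);
            die "invalid range '$port'\n"
                unless $low >= 1 && $high <= 65535 && $low <= $high;
            push @out, "${low}:${high}";   # iptables range separator is ':'
        } elsif ($port =~ /^\d+$/) {       # single port
            die "invalid port '$port'\n" unless $port >= 1 && $port <= 65535;
            push @out, $port;
        } else {
            die "unparseable port entry '$port'\n";
        }
    }
    return @out;
}

# Render rules for one service. $access is 'public' (any source) or
# 'private' (only the trusted networks given), as in the bug report.
sub service_rules {
    my ($proto, $spec, $access, @trusted) = @_;
    die "private access needs at least one trusted network\n"
        if $access eq 'private' && !@trusted;
    my @sources = $access eq 'private' ? @trusted : ('0.0.0.0/0');
    my @rules;
    foreach my $dport (normalize_ports($spec)) {
        foreach my $src (@sources) {
            push @rules, "-A INPUT -p $proto -s $src -m state --state NEW"
                       . " --dport $dport -j ACCEPT";
        }
    }
    return @rules;
}

print "$_\n" for service_rules('tcp', '1000-2000', 'public');
print "$_\n" for service_rules('tcp', '2001-3000,53', 'private', '192.168.8.0/24');
```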
Related issues

Related to NethServer 6 - Enhancement #2895: Network services: refactor web interface CLOSED

Associated revisions

Revision 06c5c64f
Added by Giacomo Sanchietti almost 7 years ago

lokkit: add support for range port. Refs #2923

History

#1 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.5
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti almost 7 years ago

#3 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti almost 7 years ago

  • Description updated (diff)

#5 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
In nethserver-testing:
  • nethserver-base-2.5.1-1.0git06c5c64f.ns6.noarch.rpm
Test case
  • Check the bug is not reproducible

#7 Updated by Davide Principi almost 7 years ago

  • Assignee set to Davide Principi

#8 Updated by Davide Principi almost 7 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

[root@davidep2 ~]# config set fw_myservice service TCPPorts 1000-2000 status enabled access public
[root@davidep2 ~]# config set fw_myservice2 service TCPPorts 2001-3000 status enabled access private
[root@davidep2 ~]# signal-event firewall-adjust 
[root@davidep2 ~]# echo $?
0
[root@davidep2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW udp dpt:123 
    0     0 ACCEPT     tcp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW tcp dpts:2001:3000 
    0     0 ACCEPT     udp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW udp dpt:69 
    0     0 ACCEPT     udp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW udp dpt:67 
    0     0 ACCEPT     udp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW udp dpt:53 
    0     0 ACCEPT     tcp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW tcp dpt:53 
   29  2180 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:67 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:1000:2000 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:980 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 16 packets, 2064 bytes)
 pkts bytes target     prot opt in     out     source               destination

#9 Updated by Davide Principi almost 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-base-2.5.2-1.ns6.noarch.rpm
