Bug #2923
Lokkit: missing port range support for network services
Status: | CLOSED | Start date: |
---|---|---|---
Priority: | Normal | Due date: |
Assignee: | - | % Done: | 100%
Category: | nethserver-base | |
Target version: | v6.5 | |
Security class: | | Resolution: |
Affected version: | v6.5 | NEEDINFO: | No
Description
After the implementation of #2895, port ranges are not supported by the base firewall implementation (lokkit): a TCPPorts/UDPPorts value such as 1000-2000 is passed through unchanged, while iptables expects a range written as 1000:2000.
Steps to reproduce
- Create a service with a port range:
config set myservice service TCPPorts 1000-2000 status enabled access public
config set myservice2 service TCPPorts 1000-2000 status enabled access private
- Apply the firewall configuration:
signal-event firewall-adjust
- The iptables rules for the port range are not applied
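The conversion the template is missing, as an added example (not NethServer's or the e-smith template's own code): a shell function that turns a service record's port list into iptables --dport arguments, rewriting LOW-HIGH to LOW:HIGH, and a second function that renders the public/private rule split. The rule text is assumed to be iptables-save style (lokkit's own custom-rules format is not reproduced here), and the trusted networks for private services are passed as extra arguments. Unlike a blind hyphen-to-colon substitution, the port spec is validated first, so a malformed record value such as 1000-2000-3000 or 2000-1000 is rejected instead of becoming a rule.

```sh
#!/bin/sh
# Added example, not part of nethserver-base. Assumptions: rules are printed in
# iptables-save syntax, "private" means reachable only from the trusted
# networks given as arguments, "public" means reachable from anywhere.

# normalize_port SPEC
#   Prints "N" for a single port or "LOW:HIGH" for a range (iptables syntax).
#   Returns 1 for anything that is not a valid port or ascending port range.
normalize_port() {
    spec=$1
    case $spec in
        *-*) low=${spec%%-*}; high=${spec#*-} ;;   # "1000-2000" -> 1000 / 2000
        *)   low=$spec;       high=$spec ;;        # single port
    esac
    # Each side must be digits only. "1000-2000-3000" leaves a '-' in $high
    # and is rejected here; so is an empty side such as "-5".
    for n in "$low" "$high"; do
        case $n in
            ''|*[!0-9]*) return 1 ;;
        esac
    done
    # Valid port numbers are 1..65535 and a range must be ascending.
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] || return 1
    if [ "$low" = "$high" ]; then
        printf '%s\n' "$low"
    else
        printf '%s:%s\n' "$low" "$high"
    fi
}

# rules_for PROTO PORTS ACCESS [TRUSTED_NET ...]
#   PORTS is the comma separated TCPPorts/UDPPorts value of a service record.
#   Prints one ACCEPT rule per port spec (and per trusted network when ACCESS
#   is "private"). Returns 1 and prints nothing further on the first bad spec,
#   so a corrupt record does not produce a partial, wrong rule set for iptables.
rules_for() {
    proto=$1; ports=$2; access=$3
    shift 3
    case $proto in
        tcp|udp) ;;
        *) echo "unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    for spec in $(printf '%s\n' "$ports" | tr ',' ' '); do
        dport=$(normalize_port "$spec") || {
            echo "invalid port spec '$spec' in $proto ports '$ports'" >&2
            return 1
        }
        if [ "$access" = private ]; then
            for net in "$@"; do
                printf '%s\n' "-A INPUT -s $net -p $proto -m state --state NEW --dport $dport -j ACCEPT"
            done
        else
            printf '%s\n' "-A INPUT -p $proto -m state --state NEW --dport $dport -j ACCEPT"
        fi
    done
}

# Usage with the two services from the steps above (constructed input):
rules_for tcp 1000-2000 public
rules_for tcp 1000-2000,53 private 192.168.8.0/24
```

The emitted `--dport 1000:2000` is exactly what shows up as `dpts:1000:2000` in `iptables -nvL` once the template is fixed; the validation step is what the one-line `s/\-/:/g` workaround below does not give you.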
Workaround
Create a template-custom like this:
--- /etc/e-smith/templates/etc/sysconfig/ipv4_services_custom/20services 2014-10-17 16:11:25.000000000 +0000 +++ /etc/e-smith/templates-custom/etc/sysconfig/ipv4_services_custom/20services 2014-10-21 15:02:34.043975054 +0000 @@ -27,6 +27,7 @@ } $OUT.="#\tService: ".$serviceRecord->key."\n"; foreach my $port (split(',', $tcpPorts)) { + $port =~ s/\-/:/g; # generate rules for green and trusted networks if ($access eq 'private') { foreach (@trusted) { @@ -42,6 +43,7 @@ } } foreach my $port (split(',', $udpPorts)) { + $port =~ s/\-/:/g; # generate rules for green and trusted networks if ($access eq 'private') {
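Review bot: the added `$port =~ s/\-/:/g;` in both hunks rewrites every hyphen without checking that `$port` is a single port or a LOW-HIGH pair, so a malformed record value such as `1000-2000-3000` becomes `1000:2000:3000`, and a reversed or out-of-range value like `2000-1000` or `1-70000` is handed to iptables unvalidated instead of being rejected at template time. Validate before rewriting, for instance `next unless $port =~ /^\d+(?:-\d+)?$/;` at the top of each loop (with a warning for the skipped value), and since the same line is duplicated in the TCP and UDP loops, hoist it into one small normalization helper rather than repeating it.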
Related issues
Associated revisions
lokkit: add support for range port. Refs #2923
History
#1 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.5
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti almost 7 years ago
- Related to Enhancement #2895: Network services: refactor web interface added
#3 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#4 Updated by Giacomo Sanchietti almost 7 years ago
- Description updated (diff)
#5 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
In nethserver-testing:
- nethserver-base-2.5.1-1.0git06c5c64f.ns6.noarch.rpm
- Check the bug is not reproducible
#7 Updated by Davide Principi almost 7 years ago
- Assignee set to Davide Principi
#8 Updated by Davide Principi almost 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
VERIFIED
[root@davidep2 ~]# config set fw_myservice service TCPPorts 1000-2000 status enabled access public
[root@davidep2 ~]# config set fw_myservice2 service TCPPorts 2001-3000 status enabled access private
[root@davidep2 ~]# signal-event firewall-adjust
[root@davidep2 ~]# echo $?
0
[root@davidep2 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW tcp dpts:2001:3000
    0     0 ACCEPT     udp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW udp dpt:69
    0     0 ACCEPT     udp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW udp dpt:67
    0     0 ACCEPT     udp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       192.168.8.0/24       0.0.0.0/0           state NEW tcp dpt:53
   29  2180 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:1000:2000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:980
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 16 packets, 2064 bytes)
 pkts bytes target     prot opt in     out     source               destination
#9 Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-base-2.5.2-1.ns6.noarch.rpm