Date: Fri, 14 Dec 2001 01:00:02 -0800 (PST)
From: Ruslan Ermilov <ru@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/32822: /etc/periodic/security/[56]50.ip{,6}fwlimit error
Message-ID: <200112140900.fBE902R96251@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/32822; it has been noted by GNATS.
From: Ruslan Ermilov <ru@FreeBSD.org>
To: NAKAJI Hiroyuki <nakaji@jp.freebsd.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/32822: /etc/periodic/security/[56]50.ip{,6}fwlimit error
Date: Fri, 14 Dec 2001 10:50:57 +0200
On Fri, Dec 14, 2001 at 10:36:54AM +0900, NAKAJI Hiroyuki wrote:
>
> In daily mails from root, I see
>
> Checking for passwordless accounts:
> [: : out of range
> [: : out of range
>
> And checked the scripts in /etc/periodic/security to find which
> one says 'out of range'. They are 550.ipfwlimit and
> 650.ip6fwlimit.
>
> They use the variable ${IPFW_LOG_LIMIT} or ${IP6FW_LOG_LIMIT} and
> compare it with 0. But on my current system, the variables are
> both null strings because kernel does not have
> "options IPFIREWALL" nor "options IPV6FIREWALL",
> so that the 'test' fail.
>
> >How-To-Repeat:
>
> /bin/sh -x /etc/periodic/550.ipfwlimit
> [snip]
> + sysctl -n net.inet.ip.fw.verbose_limit
> + IPFW_LOG_LIMIT=
> + [ 1 -eq 0 -a -ne 0 ]
> [: : out of range
>
> /bin/sh -x /etc/periodic/650.ip6fwlimit
> [snip]
> + sysctl -n net.inet6.ip6.fw.verbose_limit
> + IP6FW_LOG_LIMIT=
> + [ 1 -eq 0 -a -ne 0 ]
> [: : out of range
>
>
> >Fix:
>
> If you don't have net.inet.ip.fw.verbose_limit or
> net.inet6.ip6.fw.verbose_limit, the variables ${IPFW_LOG_LIMIT}
> and ${IP6FW_LOG_LIMIT} should be 0.
>
> Here is a diff.
>
Yeah, this is a nasty "feature" of test(1)'s "-a" operator;
In the following expression, "expression1 -a expression2",
expression2 is executed even if expression1 is false.
The correct fix would be:
Index: 550.ipfwlimit
===================================================================
RCS file: /home/ncvs/src/etc/periodic/security/550.ipfwlimit,v
retrieving revision 1.1
diff -u -r1.1 550.ipfwlimit
--- 550.ipfwlimit 2001/12/07 23:57:38 1.1
+++ 550.ipfwlimit 2001/12/14 08:52:43
@@ -44,7 +44,7 @@
case "$daily_status_security_ipfwlimit_enable" in
[Yy][Ee][Ss])
IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
- if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
+ if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
ipfw -a l | grep " log " | perl -n -e \
'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
if [ -s "${TMP}" ]; then
Index: 650.ip6fwlimit
===================================================================
RCS file: /home/ncvs/src/etc/periodic/security/650.ip6fwlimit,v
retrieving revision 1.1
diff -u -r1.1 650.ip6fwlimit
--- 650.ip6fwlimit 2001/12/07 23:57:38 1.1
+++ 650.ip6fwlimit 2001/12/14 08:52:43
@@ -44,7 +44,7 @@
case "$daily_status_security_ip6fwlimit_enable" in
[Yy][Ee][Ss])
IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
- if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
+ if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
ip6fw -a l | grep " log " | perl -n -e \
'/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
if [ -s "${TMP}" ]; then
Cheers,
--
Ruslan Ermilov Oracle Developer/DBA,
ru@sunbay.com Sunbay Software AG,
ru@FreeBSD.org FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200112140900.fBE902R96251>