From owner-freebsd-bugs Fri Dec 14 1: 0:12 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 0F37837B416
	for ; Fri, 14 Dec 2001 01:00:03 -0800 (PST)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id fBE902R96251;
	Fri, 14 Dec 2001 01:00:02 -0800 (PST)
	(envelope-from gnats)
Date: Fri, 14 Dec 2001 01:00:02 -0800 (PST)
Message-Id: <200112140900.fBE902R96251@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: Ruslan Ermilov
Subject: Re: bin/32822: /etc/periodic/security/[56]50.ip{,6}fwlimit error
Reply-To: Ruslan Ermilov
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

The following reply was made to PR bin/32822; it has been noted by GNATS.

From: Ruslan Ermilov
To: NAKAJI Hiroyuki
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/32822: /etc/periodic/security/[56]50.ip{,6}fwlimit error
Date: Fri, 14 Dec 2001 10:50:57 +0200

On Fri, Dec 14, 2001 at 10:36:54AM +0900, NAKAJI Hiroyuki wrote:
>
> In daily mails from root, I see
>
> Checking for passwordless accounts:
> [: : out of range
> [: : out of range
>
> And checked the scripts in /etc/periodic/security to find which
> one says 'out of range'. They are 550.ipfwlimit and
> 650.ip6fwlimit.
>
> They use the variable ${IPFW_LOG_LIMIT} or ${IP6FW_LOG_LIMIT} and
> compare it with 0. But on my current system, the variables are
> both null strings because kernel does not have
> "options IPFIREWALL" nor "options IPV6FIREWALL",
> so that the 'test' fail.
>
> >How-To-Repeat:
>
> /bin/sh -x /etc/periodic/550.ipfwlimit
> [snip]
> + sysctl -n net.inet.ip.fw.verbose_limit
> + IPFW_LOG_LIMIT=
> + [ 1 -eq 0 -a -ne 0 ]
> [: : out of range
>
> /bin/sh -x /etc/periodic/650.ip6fwlimit
> [snip]
> + sysctl -n net.inet6.ip6.fw.verbose_limit
> + IP6FW_LOG_LIMIT=
> + [ 1 -eq 0 -a -ne 0 ]
> [: : out of range
>
>
> >Fix:
>
> If you don't have net.inet.ip.fw.verbose_limit or
> net.inet6.ip6.fw.verbose_limit, the variables ${IPFW_LOG_LIMIT}
> and ${IP6FW_LOG_LIMIT} should be 0.
>
> Here is a diff.
>

Yeah, this is a nasty "feature" of test(1)'s "-a" operator;
In the following expression, "expression1 -a expression2",
expression2 is executed even if expression1 is false.

The correct fix would be:

Index: 550.ipfwlimit =================================================================== RCS file: /home/ncvs/src/etc/periodic/security/550.ipfwlimit,v retrieving revision 1.1 diff -u -r1.1 550.ipfwlimit --- 550.ipfwlimit 2001/12/07 23:57:38 1.1 +++ 550.ipfwlimit 2001/12/14 08:52:43 
@@ -44,7 +44,7 @@ case "$daily_status_security_ipfwlimit_enable" in [Yy][Ee][Ss]) IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null` - if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then + if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then ipfw -a l | grep " log " | perl -n -e \ '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP} if [ -s "${TMP}" ]; then Index: 650.ip6fwlimit =================================================================== RCS file: /home/ncvs/src/etc/periodic/security/650.ip6fwlimit,v retrieving revision 1.1 diff -u -r1.1 650.ip6fwlimit --- 650.ip6fwlimit 2001/12/07 23:57:38 1.1 +++ 650.ip6fwlimit 2001/12/14 08:52:43 @@ -44,7 +44,7 @@ case "$daily_status_security_ip6fwlimit_enable" in [Yy][Ee][Ss]) IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null` - if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then + if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then ip6fw -a l | grep " log " | perl -n -e \ '/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP} if [ -s "${TMP}" ]; then Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
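
Review bot: The numeric test on the `+` line of the 550.ipfwlimit hunk still trusts that a successful sysctl printed an integer. With `[ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]` the empty-string case from the PR is covered only because sysctl fails there; if the call ever succeeds with empty or non-numeric output, test(1) will report an error into the security mail again. A `case "${IPFW_LOG_LIMIT}" in ''|*[!0-9]*)` guard ahead of the comparison would close that off.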
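
Review bot: In the 650.ip6fwlimit hunk, the unchanged perl line right after the fixed test pastes $IP6FW_LOG_LIMIT into the `perl -n -e` program text by closing and reopening the single quotes, so the value is parsed as Perl source rather than compared as data, and the redirect target `${TMP}` is unquoted. Neither is introduced by this change, but while this block is being edited it would be worth checking that the value is digits only before it reaches perl, or passing it through the environment, and writing the redirect as `> "${TMP}"`. The same two lines appear in 550.ipfwlimit.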
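
The test(1) "-a" behaviour described in the reply, as an added example that is not code from the PR or from the FreeBSD scripts: it runs the pre-patch and patched forms of the check side by side on constructed inputs, and goes one step beyond the patch with a digits-only guard. The function names are hypothetical; `$1` stands in for the script's `$?` and `$2` for `${IPFW_LOG_LIMIT}`.

```shell
#!/bin/sh
# Added example, not code from the PR. $1 stands in for the script's "$?"
# and $2 for "${IPFW_LOG_LIMIT}"; function names are hypothetical.

# Map a test(1) exit status to a verdict: 0 true, 1 false, >1 test error.
verdict() {
    case "$1" in
        0) echo run ;;
        1) echo skip ;;
        *) echo error ;;
    esac
}

# Pre-patch form: a single test(1) call also evaluates the operand after -a.
legacy_check() {
    rc=0
    { [ "$1" -eq 0 -a "$2" -ne 0 ]; } 2>/dev/null || rc=$?
    verdict "$rc"
}

# Patched form: && is handled by the shell, so the second test(1) call
# never starts when the first one is false.
patched_check() {
    rc=0
    { [ "$1" -eq 0 ] && [ "$2" -ne 0 ]; } 2>/dev/null || rc=$?
    verdict "$rc"
}

# Stricter variant (an addition, not part of the patch): only digit strings
# reach the numeric comparison, so a successful sysctl with odd output is
# skipped instead of raising a test(1) error.
guarded_check() {
    [ "$1" -eq 0 ] || { echo skip; return 0; }
    case "$2" in
        ''|*[!0-9]*) echo skip ;;
        *) if [ "$2" -ne 0 ]; then echo run; else echo skip; fi ;;
    esac
}

# Constructed inputs as "status|output"; "1|" is the case reported in the PR.
for sample in "1|" "0|0" "0|100" "0|n/a"; do
    st=${sample%%|*}
    val=${sample#*|}
    printf '%s legacy=%s patched=%s guarded=%s\n' "$sample" \
        "$(legacy_check "$st" "$val")" "$(patched_check "$st" "$val")" \
        "$(guarded_check "$st" "$val")"
done
```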