
Comments (15)

arnova avatar arnova commented on September 17, 2024

Did you try running it manually from the commandline as well? And mind
posting the output of 'ifconfig' ?

a.

On 01-Dec-13 15:04, arjhun wrote:

I started getting an error when starting my firewall.

Arno's Iptables Firewall Script v2.0.0c

Platform: Linux 3.8.0-32-generic i686
WARNING: External interface eth0 does NOT exist (yet?)
WARNING: External interface tun0 does NOT exist (yet?)

My interfaces are up and running.

When I isolate the check_interfaces and run a simple test it returns 1
not 0.

When I check

sudo bash -x /usr/sbin/arno-iptables-firewall restart 2>&1 | grep check_interface

it shows

+ check_interface eth0
+ check_interface tun0

here is my full verbose output of a restart:

Arno's Iptables Firewall Script v2.0.0c

Platform: Linux 3.8.0-32-generic i686
WARNING: External interface tun0 does NOT exist (yet?)
Stopping (user) plugins...
SSH Brute-Force Protection plugin v1.1a
Checking/probing Iptables modules:
Loaded kernel module ip_tables.
Loaded kernel module nf_conntrack.
Loaded kernel module nf_conntrack_ftp.
Loaded kernel module xt_conntrack.
Loaded kernel module xt_limit.
Loaded kernel module xt_state.
Loaded kernel module xt_multiport.
Loaded kernel module iptable_filter.
Loaded kernel module iptable_mangle.
Loaded kernel module ipt_REJECT.
Loaded kernel module ipt_LOG.
Loaded kernel module xt_TCPMSS.
Loaded kernel module xt_DSCP.
Loaded kernel module iptable_nat.
Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Configuring general kernel parameters:
Setting the max. amount of simultaneous connections to 16384
Configuring kernel parameters:
Disabling send redirects
Enabling protection against source routed packets
Enabling packet forwarding
Setting some kernel performance options
Enabling reduction of the DoS'ing ability
Enabling anti-spoof with rp_filter
Enabling SYN-flood protection via SYN-cookies
Disabling the logging of martians
Disabling the acception of ICMP-redirect messages
Setting default TTL=64
Disabling ECN (Explicit Congestion Notification)
Enabling kernel support for dynamic IPs
Enabling PMTU discovery
Flushing route table
Kernel setup done...
Initializing firewall chains
Setting all default policies to DROP while "setting up firewall rules"
IPv4 mode selected but IPv6 available, DROP all IPv6 packets
Using loglevel "info" for syslogd

Setting up firewall rules:

Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
SSH Brute-Force Protection plugin v1.1a
Loaded kernel module xt_recent.
Allowing bypass of SSH protection checks for: malevich
Protecting TCP port(s): 22
Loaded 1 plugin(s)...
Setting up external(INET) INPUT policy
Logging of ICMP flooding enabled
Enabling support for DHCP-assigned-IP (DHCP client)
Logging of explicitly blocked hosts enabled
Logging of denied local output connections enabled
Packets will NOT be checked for private source addresses
Allowing ANYHOST for TCP port(s): 80
Allowing ANYHOST for TCP port(s): 21
Allowing ANYHOST for TCP port(s): 22
Allowing ANYHOST for TCP port(s): 1194
Allowing ANYHOST for TCP port(s): 8112
Allowing ANYHOST for TCP port(s): 4040
Allowing ANYHOST for TCP port(s): 10000
Allowing ANYHOST for TCP port(s): 53
Allowing ANYHOST for TCP port(s): 137
Allowing ANYHOST for TCP port(s): 138
Allowing ANYHOST for TCP port(s): 139
Allowing ANYHOST for TCP port(s): 443
Allowing ANYHOST for TCP port(s): 445
Allowing ANYHOST for TCP port(s): 631
Allowing ANYHOST for TCP port(s): 58846
Allowing ANYHOST for TCP port(s): 873
Allowing ANYHOST for TCP port(s): 17500
Allowing ANYHOST for TCP port(s): 6566
Allowing ANYHOST for TCP port(s): 50000:50200
Allowing ANYHOST for TCP port(s): 8094
Allowing ANYHOST for TCP port(s): 4444
Allowing ANYHOST for TCP port(s): 23423
Allowing ANYHOST for TCP port(s): 8895
Allowing ANYHOST for TCP port(s): 8228
Allowing ANYHOST for UDP port(s): 80
Allowing ANYHOST for UDP port(s): 21
Allowing ANYHOST for UDP port(s): 22
Allowing ANYHOST for UDP port(s): 1194
Allowing ANYHOST for UDP port(s): 8112
Allowing ANYHOST for UDP port(s): 4040
Allowing ANYHOST for UDP port(s): 10000
Allowing ANYHOST for UDP port(s): 53
Allowing ANYHOST for UDP port(s): 137
Allowing ANYHOST for UDP port(s): 138
Allowing ANYHOST for UDP port(s): 139
Allowing ANYHOST for UDP port(s): 443
Allowing ANYHOST for UDP port(s): 445
Allowing ANYHOST for UDP port(s): 631
Allowing ANYHOST for UDP port(s): 58846
Allowing ANYHOST for UDP port(s): 873
Allowing ANYHOST for UDP port(s): 17500
Allowing ANYHOST for UDP port(s): 6566
Allowing ANYHOST for UDP port(s): 50000:50200
Allowing ANYHOST for UDP port(s): 8094
Allowing ANYHOST for UDP port(s): 4444
Allowing ANYHOST for UDP port(s): 1900
Allowing ANYHOST for UDP port(s): 8228
Allowing ANYHOST to send IPv4 ICMP-requests (ping)
Logging of possible stealth scans enabled
Logging of (other) packets to PRIVILEGED TCP ports enabled
Logging of (other) packets to PRIVILEGED UDP ports enabled
Logging of (other) packets to UNPRIVILEGED TCP ports enabled
Logging of (other) packets to UNPRIVILEGED UDP ports enabled
Logging of IGMP packets enabled
Logging of dropped ICMP-request(ping) packets enabled
Logging of dropped other ICMP packets enabled
Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled
Setting up external(INET) OUTPUT policy
Applying external(INET) policy to interface: eth0 (without an external subnet specified)
Applying external(INET) policy to interface: tun0 (without an external subnet specified)
Security is LOOSENED for external interface(s) in the FORWARD chain!
Logging of dropped FORWARD packets enabled

Dec 01 15:03:04 All firewall rules applied.


Arno van Amersfoort
E-mail : [email protected]

Donations are welcome through Paypal!

Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl

from aif.

arnova avatar arnova commented on September 17, 2024

Oh and please provide the output of "ip -o link show" as well.

a.

from aif.

arjhun avatar arjhun commented on September 17, 2024

Hi Arno,

I added ifconfig to the 'check_interface' function in 'environment'.

arjen@giver:~$ sudo arno-iptables-firewall start
Arno's Iptables Firewall Script v2.0.0c
-------------------------------------------------------------------------------
Platform: Linux 3.8.0-32-generic i686
eth0      Link encap:Ethernet  HWaddr 1c:6f:65:b7:fb:6e
          inet addr:192.168.1.109  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::1e6f:65ff:feb7:fb6e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:69541107 errors:0 dropped:226 overruns:0 frame:0
          TX packets:91859856 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54367631337 (54.3 GB)  TX bytes:98703534341 (98.7 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:673687 errors:0 dropped:0 overruns:0 frame:0
          TX packets:673687 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:788507850 (788.5 MB)  TX bytes:788507850 (788.5 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:230253 errors:0 dropped:0 overruns:0 frame:0
          TX packets:423596 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14072643 (14.0 MB)  TX bytes:497868696 (497.8 MB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.23.0.18  P-t-P:172.23.0.17  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26544 errors:0 dropped:155 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:3803462 (3.8 MB)

WARNING: External interface eth0 does NOT exist (yet?)
eth0      Link encap:Ethernet  HWaddr 1c:6f:65:b7:fb:6e
          inet addr:192.168.1.109  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::1e6f:65ff:feb7:fb6e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:69541109 errors:0 dropped:226 overruns:0 frame:0
          TX packets:91859860 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54367631538 (54.3 GB)  TX bytes:98703537907 (98.7 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:673687 errors:0 dropped:0 overruns:0 frame:0
          TX packets:673687 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:788507850 (788.5 MB)  TX bytes:788507850 (788.5 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:230254 errors:0 dropped:0 overruns:0 frame:0
          TX packets:423607 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14072683 (14.0 MB)  TX bytes:497872440 (497.8 MB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.23.0.18  P-t-P:172.23.0.17  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26544 errors:0 dropped:155 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:3803462 (3.8 MB)

WARNING: External interface tun0 does NOT exist (yet?)
Checking/probing Iptables modules:
 Loaded kernel module ip_tables.

...


Dec 01 22:17:28 All firewall rules applied.

And here is the output of ip -o link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 1c:6f:65:b7:fb:6e brd ff:ff:ff:ff:ff:ff
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100\    link/none
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100\    link/none

I'm at a loss here. I don't even know if this message will affect code execution down the line, thanks in advance....

Arjen Klaverstijn

from aif.

abelbeck avatar abelbeck commented on September 17, 2024

The WARNING: is only that, but clearly something is not correct...

For completeness, what is the output of:

ip -o link show | cut -d':' -f2

We previously have seen situations like this where a bug in coreutils (seq) caused an issue.

Lonnie

from aif.

arjhun avatar arjhun commented on September 17, 2024

Okay, so I thought I'd found the problem. The result of the cut command (but also awk -F '[:]' '{print $2}' ) resulted in lines with a leading whitespace:

 lo
 eth0
 tun0
 tun1

so I first piped the ip -o command through tr -d ' ' that seemingly resulted in clean lines, changed it in code, but to no avail :-(

from aif.

abelbeck avatar abelbeck commented on September 17, 2024

That output looks fine, the leading space is expected. What is your default shell ?

ls -l /bin/sh

-and try-

interface="tun0" ; echo "${interface%@*}"
(should be: tun0)

from aif.

arjhun avatar arjhun commented on September 17, 2024

it returned tun0

$ ls -l /bin/sh 

/bin/sh -> dash

output of that function, obviously local_interfaces are empty, the problem must be within the trace or ip wrapper functions

+ echo 'Dec 02 19:23:16 ** Restarting Arno'\''s Iptables Firewall v2.0.0c **'
+ echo '** Restarting Arno'\''s Iptables Firewall v2.0.0c **'
+ logger -t firewall -p kern.info
+ start_restart
++ uname -s -r -m
+ echo 'Platform: Linux 3.8.0-32-generic i686'
+ config_check
+ '[' -z 'eth0 tun0' ']'
+ IFS=' ,'
+ for interface in '$EXT_IF'
+ check_interface eth0
+ local interface 'IFS= '
++ ip -o link show
++ trace /sbin/ip -o link show
++ '[' -n /tmp/aif-trace.20131202-19:23:16 ']'
++ cut -d: -f2
++ sed 's/^: //'
+ local interfaces=
+ unset IFS
+ return 1
+ printf '\033[40m\033[1;31mWARNING: External interface eth0 does NOT exist (yet?)\033[0m\n'
�[40m�[1;31mWARNING: External interface eth0 does NOT exist (yet?)�[0m
+ for interface in '$EXT_IF'
+ check_interface tun0
+ local interface 'IFS= '
++ ip -o link show
++ tr -d ' '
++ '[' -n /tmp/aif-trace.20131202-19:23:16 ']'
++ cut -d: -f2
++ sed 's/^: //'
+ local interfaces=
+ unset IFS
+ return 1
+ printf '\033[40m\033[1;31mWARNING: External interface tun0 does NOT exist (yet?)\033[0m\n'
�[40m�[1;31mWARNING: External interface tun0 does NOT exist (yet?)�[0m
+ IFS=' ,'
+ IFS=' ,'
+ IFS=' ,'
+ IFS=' ,'
+ for eif in '$EXT_IF'
+ for eif in '$EXT_IF'
+ IFS=' ,'
+ for eif in '$EXT_IF'
+ '[' eth0 = lo -o eth0 = 127.0.0.1 ']'
+ for eif in '$EXT_IF'
+ '[' tun0 = lo -o tun0 = 127.0.0.1 ']'
+ IFS=' ,'

from aif.

abelbeck avatar abelbeck commented on September 17, 2024

If you edit "/usr/sbin/arno-iptables-firewall" 1st line

- #!/bin/sh
+ #!/bin/bash

Does the problem go away ?

Lonnie

from aif.

arjhun avatar arjhun commented on September 17, 2024

Sorry Lonnie, it doesn't work. I already tried that. I'll fiddle some more this week and let you know if I can find the issue. I just know that it's because of something that I misconfigured, but maybe we can learn something from the warnings I get. Thanks for the help guys so far!!!

from aif.

arjhun avatar arjhun commented on September 17, 2024

Btw, AIF, is just the best. My dad started using it when we got ISDN, I think he even contributed some code back then. 😄

from aif.

abelbeck avatar abelbeck commented on September 17, 2024

Also, double check your check_interface() function in the /usr/share/arno-iptables-firewall/environment script, it should look like this:

# Check existance of an interface
check_interface()
{
  local interface IFS=' '
  
  local interfaces="$(ip -o link show | cut -d':' -f2)"
  unset IFS
  for interface in $interfaces; do
    case "$1" in
      # Wildcard interface?
      *+) if [ "${1%+}" = "${interface%%[0-9]*}" ]; then
            return 0
          fi
          ;;
       *) if [ "${1}" = "${interface%@*}" ]; then
            return 0
          fi
          ;;
    esac
  done
  # Interface not found
  return 1
}

Possibly if bash works, your dash might prefer

  local interfaces
  interfaces="$(ip -o link show | cut -d':' -f2)"

Lonnie

from aif.

abelbeck avatar abelbeck commented on September 17, 2024

Hi Arjen,

I was able to reproduce your problem, it only occurs when you set TRACE=1

So there are 3 possible fixes:

  1. Set in your firewall.conf
TRACE=0
  2. change in environment
@@ -1506,7 +1506,7 @@
 {
   local interface IFS=' '
   
-  local interfaces="$(ip -o link show | cut -d':' -f2)"
+  local interfaces="$($IP -o link show | cut -d':' -f2)"
 
   unset IFS
   for interface in $interfaces; do
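
Review bot: In check_interface, the changed line still declares and assigns in a single `local` statement, so the exit status of `$($IP -o link show | cut -d':' -f2)` is discarded and an empty result just makes the `for interface in $interfaces` loop run zero times. Split it into `local interfaces` followed by a separate `interfaces="$(...)"` assignment and return a distinct error when the list is empty, so an enumeration failure is not reported as a missing interface. A short comment saying why `$IP` is used here instead of `ip` would also keep this call site from being changed back later.
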
  3. change in environment
@@ -653,7 +653,7 @@
 ###################
 ip()
 {
-  trace $IP "$@"
+  $IP "$@"
 }
 
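
Review bot: In ip(), `$IP` is expanded unquoted, so a path containing whitespace or glob characters would be split before the command runs; `"$IP" "$@"` avoids that. Dropping `trace` from this wrapper also means ip invocations no longer show up in the trace output, which deserves a one-line comment above the function explaining why this wrapper is the exception.
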

Personally I have never found the TRACE "feature" useful, and if Arno decided to remove it I would not complain. :-)

There is another place that $IP is used instead of ip to work around this trace problem.

Then again, this problem only occurs if TRACE=1

Lonnie

from aif.

arjhun avatar arjhun commented on September 17, 2024

Hey great! It does work now. Well I think most people don't touch the trace option anyways like I did (mysteriously). Otherwise there would have been problems with it in the past. Anyways, thanks for all the help. A firewall without warnings just makes me feel a lot better, even though everything a firewall should do worked fine.

from aif.

arnova avatar arnova commented on September 17, 2024

I haven't used it either to be honest, I don't really care if it stays
or leaves as long as it doesn't break anything (like it does now).

@lonnie: Why does the trace() function cause this problem? Is it the sed
parsing inside trace() ? If you want to rip out trace() go ahead btw. :)

-arno

On 02/12/13 21:56, arjhun wrote:

Hey great! It does work now. Well I think most people don't touch the
trace option anyways like I did (mysteriously). Otherwise there would
have been problems with it in the past. Anyways, thanks for all the
help. A firewall without warnings just makes me feel a lot better,
even though everything a firewall should do worked fine.



from aif.

arnova avatar arnova commented on September 17, 2024

This has been fixed in master... closing.

from aif.
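
The failure mode from this thread, reduced to an added example (not AIF's code and not from any participant): a wrapper whose output is captured with `$(...)` yields an empty list when tracing is on, and the caller reports every interface as missing. `trace()` here is a hypothetical stand-in that logs instead of executing (AIF's real `trace()` is not shown on the page); `fake_ip`, `TRACEFILE`, `match_interface` and the `eth1@if7` sample line are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ip -o link show` output (eth1@if7 is made up to
# exercise the "${interface%@*}" branch of the matcher).
fake_ip() {
  cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
4: eth1@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
EOF
}

IP=fake_ip     # assumption: stands in for the real ip binary
TRACEFILE=""   # hypothetical switch: non-empty means tracing is on

# Hypothetical trace(): with tracing on it records the command line and does
# not run it, so a caller using $(...) captures nothing.
trace() {
  if [ -n "$TRACEFILE" ]; then
    printf '%s\n' "$*" >> "$TRACEFILE"
  else
    "$@"
  fi
}

ip_wrapped() { trace $IP "$@"; }

# match_interface NAME LIST: same matching rules as check_interface() above.
match_interface() {
  for mi_if in $2; do
    case "$1" in
      *+) [ "${1%+}" = "${mi_if%%[0-9]*}" ] && return 0 ;;  # wildcard, e.g. tun+
       *) [ "$1" = "${mi_if%@*}" ] && return 0 ;;           # exact, minus @peer
    esac
  done
  return 1
}

# Naive check: the pipeline's status is cut's, so an empty capture is
# indistinguishable from "interface not present".
check_interface_naive() {
  ci_list="$(ip_wrapped -o link show | cut -d':' -f2)"
  match_interface "$1" "$ci_list"
}

# Hardened check: call the binary directly and report a failed or empty
# enumeration as status 2 instead of "missing" (status 1).
check_interface_safe() {
  ci_list="$("$IP" -o link show)" || return 2
  ci_list="$(printf '%s\n' "$ci_list" | cut -d':' -f2)"
  [ -n "$ci_list" ] || return 2
  match_interface "$1" "$ci_list"
}

# Show both checks side by side with tracing switched on.
demo() {
  TRACEFILE=/dev/null
  for d_if in eth0 tun+ eth1 wlan0; do
    d_naive=0; check_interface_naive "$d_if" || d_naive=$?
    d_safe=0;  check_interface_safe  "$d_if" || d_safe=$?
    printf '%-6s naive=%s safe=%s\n' "$d_if" "$d_naive" "$d_safe"
  done
  TRACEFILE=""
}
demo
```

Status 2 gives the calling script a way to print "could not list interfaces" rather than the misleading "does NOT exist (yet?)" warning.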
