Bug 426000

Summary: Yast2 corrupts SuSEfirewall2 config file
Product: [openSUSE] openSUSE 11.0
Reporter: Marc Chamberlin <marc>
Component: YaST2
Assignee: Lukas Ocilka <locilka>
Status: RESOLVED FIXED
QA Contact: Jiri Srain <jsrain>
Severity: Normal
Priority: P5 - None
CC: lnussel, marc, security-team
Version: Final
Target Milestone: ---
Hardware: PC
OS: openSUSE 11.0
Whiteboard:
Found By: Community User
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marc Chamberlin 2008-09-12 17:20:43 UTC
I hand edit the SuSEfirewall2 config file so as to keep it readable and maintainable. One section in particular - FW_FORWARD_MASQ - I separate each entry so that there is one entry per line. Whenever I use Yast2 for something which requires it to update or make changes to the SuSEfirewall2 config file, it trashes this particular section by concatenating all the separate lines into a single long line, and it includes the \ line continuation character within this line. This breaks SuSEfirewall2, as Yast2 has recreated this section with an illegal syntax. So for example, if I write this section as follows -

FW_FORWARD_MASQ="\
0/0,192.168.2.100,tcp,80,8080,111.222.333.444 \
0/0,192.168.2.100,tcp,22,622,111.222.333.444 \
0/0,192.168.2.254,tcp,80,8083,111.222.333.444 \
0/0,192.168.2.15,tcp,5903,5900,111.222.333.444 \
0/0,192.168.2.25,tcp,5904,5900,111.222.333.444 \
0/0,192.168.2.30,tcp,5916,5903,111.222.333.444"


Yast2 will change it to -

FW_FORWARD_MASQ="\ 0/0,192.168.2.100,tcp,80,8080,111.222.333.444 \ 0/0,192.168.2.100,tcp,22,622,111.222.333.444 \ 0/0,192.168.2.254,tcp,80,8083,111.222.333.444 \ 0/0,192.168.2.15,tcp,5903,5900,111.222.333.444 \ 0/0,192.168.2.25,tcp,5904,5900,111.222.333.444 \ 0/0,192.168.2.30,tcp,5916,5903,111.222.333.444"

(note this does not show the single line created well due to the limitations of the bugzilla form input) Using the \ character to continue a line is legal syntax for SuSEfirewall2, but Yast2 apparently does not handle it properly and should retain the original format, not try and change it into something else.

BTW this bug has been around since at least SuSE 10.1 and it finally annoyed me enough to report it. What is really bad is that there is no indication that something has gone wrong until one explicitly restarts SuSEfirewall2 or goes and looks at log files. Yast2 is perfectly willing, it appears, to make changes to the SuSEfirewall2 configuration without testing/restarting/reporting that the firewall restarted OK in order to verify that the changes it made are OK.
Comment 1 Ludwig Nussel 2008-09-15 07:32:28 UTC
The YaST agent reading and writing the sysconfig file certainly should not change the file in a way that it suddenly has a different meaning.
That backslash however is not needed, a quoted string can span multiple lines just fine. So as workaround just remove the backslashes.
The actual firewall rules are applied nevertheless, there will be just some error messages from iptables for the invalid rules.
Comment 2 Lukas Ocilka 2008-09-15 10:39:34 UTC
Fixed in yast2-2.17.24

Simple workaround is just not to use backslashes at all:

FW_FORWARD_MASQ="
0/0,192.168.2.100,tcp,80,8080,111.222.333.444
0/0,192.168.2.100,tcp,22,622,111.222.333.444
0/0,192.168.2.254,tcp,80,8083,111.222.333.444
0/0,192.168.2.15,tcp,5903,5900,111.222.333.444
0/0,192.168.2.25,tcp,5904,5900,111.222.333.444
0/0,192.168.2.30,tcp,5916,5903,111.222.333.444"
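Added example (not part of the bug report, and not YaST or SuSEfirewall2 code): a shell script that evaluates the three forms of FW_FORWARD_MASQ discussed above (the reporter's backslash-continued form, the single line YaST wrote back, and the backslash-free workaround from Comments 1 and 2) the way a script sourcing /etc/sysconfig/SuSEfirewall2 does, and counts the entries the shell actually sees. It shows why the collapsed line misbehaves: inside double quotes a backslash followed by a newline is dropped, but a backslash followed by a space is kept, so every `\ ` in the joined line turns into a stray one-character "rule", which is what produces the iptables errors Comment 1 mentions. The validity check (4 to 6 non-empty comma-separated fields per rule) is an assumption made here about the FW_FORWARD_MASQ format, not something the report states; only the first three rules from the report are used, and 111.222.333.444 is the reporter's placeholder external address.

```shell
#!/bin/bash
# Added example: how a sourcing shell sees FW_FORWARD_MASQ in the three forms
# from the report. Not code from the bug report, YaST or SuSEfirewall2.

# Constructed fragments (first three rules of the report; 111.222.333.444 is
# the reporter's placeholder external address, not a real IPv4 address).

# 1. The reporter's hand-edited form: backslash-newline inside double quotes.
original=$(cat <<'EOF'
FW_FORWARD_MASQ="\
0/0,192.168.2.100,tcp,80,8080,111.222.333.444 \
0/0,192.168.2.100,tcp,22,622,111.222.333.444 \
0/0,192.168.2.254,tcp,80,8083,111.222.333.444"
EOF
)

# 2. What YaST wrote back: the lines joined with spaces, backslashes kept.
collapsed='FW_FORWARD_MASQ="\ 0/0,192.168.2.100,tcp,80,8080,111.222.333.444 \ 0/0,192.168.2.100,tcp,22,622,111.222.333.444 \ 0/0,192.168.2.254,tcp,80,8083,111.222.333.444"'

# 3. The workaround from Comments 1 and 2: a quoted value spanning several
#    lines with no backslashes at all.
workaround=$(cat <<'EOF'
FW_FORWARD_MASQ="
0/0,192.168.2.100,tcp,80,8080,111.222.333.444
0/0,192.168.2.100,tcp,22,622,111.222.333.444
0/0,192.168.2.254,tcp,80,8083,111.222.333.444"
EOF
)

# entries FRAGMENT: evaluate the assignment in a subshell, as sourcing the
# sysconfig file would, then word-split the value on whitespace (space, tab,
# newline) and print one entry per line.
entries() {
    (
        set -f                  # no pathname expansion while splitting
        eval "$1"
        for e in $FW_FORWARD_MASQ; do
            printf '%s\n' "$e"
        done
    )
}

# invalid_entries FRAGMENT: print the entries that cannot be a rule.
# Assumed rule shape: source_net,target_ip,protocol,port[,redirect_port[,external_ip]],
# i.e. 4 to 6 comma-separated fields, none of them empty. A lone backslash
# has a single field and fails this check; iptables would reject it later.
invalid_entries() {
    entries "$1" | awk -F, 'NF < 4 || NF > 6 || /^,/ || /,,/ || /,$/'
}

count_entries() { entries "$1" | wc -l | tr -d ' '; }
count_invalid() { invalid_entries "$1" | wc -l | tr -d ' '; }

# report NAME FRAGMENT: one summary line, then any offending entries.
report() {
    printf '%-11s %s entries, %s invalid\n' "$1:" \
        "$(count_entries "$2")" "$(count_invalid "$2")"
    invalid_entries "$2" | sed 's/^/            invalid entry: /'
}

report original   "$original"     # 3 entries, 0 invalid
report collapsed  "$collapsed"    # 6 entries, 3 invalid: three lone backslashes
report workaround "$workaround"   # 3 entries, 0 invalid
```

The same split is what SuSEfirewall2 performs on the value, so running the check against a fragment of your own /etc/sysconfig/SuSEfirewall2 before restarting the firewall catches the collapsed form without having to read the iptables error messages afterwards.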