Bug 829706

Summary: YaST2 firewall masquerading creates too many arguments in /etc/sysconfig/SuSEfirewall2
Product: [openSUSE] openSUSE 12.3
Reporter: Dave Pearson <dave>
Component: YaST2
Assignee: Lukas Ocilka <locilka>
Status: RESOLVED FIXED
QA Contact: Jiri Srain <jsrain>
Severity: Normal
Priority: P5 - None
CC: dave
Version: Final   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE 12.3   

Description Dave Pearson 2013-07-16 12:20:58 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0

When using YaST2 firewall configuration GUI to enable masquerading, the resulting configuration that is written to "/etc/sysconfig/SuSEfirewall2" has too many arguments and masquerading (for at least UDP) does not work.

Running /sbin/SuSEfirewall2 from the command line gives:

SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: Error: too many arguments in FW_FORWARD_MASQ -> 0/0,192.168.100.137,udp,47976,47976,*
SuSEfirewall2: Firewall rules successfully set

By removing the last two arguments the problem goes away...

FW_FORWARD_MASQ="0/0,192.168.100.137,udp,47976"

Now running /sbin/SuSEfirewall2 the firewall starts successfully without errors and masquerading works.

I have never manually edited the firewall configuration file before by hand and this is a clean install with no other software installed that should change it.

Reproducible: Couldn't Reproduce

Steps to Reproduce:
1. Go to YaST2 firewall configuration
2. Created a new masquerading entry to a different address/port
3. Checked the generated file: /etc/sysconfig/SuSEfirewall2
Actual Results:  
After manually altering the first entry, subsequent entries seem to have the correct number of arguments.
Comment 1 Thomas Fehr 2013-07-17 09:13:26 UTC
Reassigned to maintainer of yast2-firewall
Comment 2 Lukas Ocilka 2013-07-18 10:04:42 UTC
Sounds like the format of FW_FORWARD_MASQ. I've never seen such an issue
before and this piece of code hasn't been changed for years.
Maybe it was just incorrectly coded and nobody used that ever.

Ludwig, any hints?
Comment 3 Lukas Ocilka 2013-07-24 09:15:31 UTC
Found out the cause: There is a "Requested IP" entry that you should leave
empty instead of using "*" there.

Firewall needs to be fixed to

- state that this entry is optional
- check that whatever is entered there is an IP(4/6)
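
The two checks proposed in comment 3 (the trailing "Requested IP" field is optional, and anything entered there must be an IPv4/IPv6 address), written out as an added Ruby example; it is not the yast2-firewall fix and not code from this report. The field layout (four mandatory fields, then an optional redirect port and requested IP), the space-separated list of entries and all helper names are assumptions inferred from the entries quoted above.

```ruby
require "ipaddr"

# Assumed layout, inferred from the entries quoted in this report:
# source net, forward-to IP, protocol, port, [redirect port], [requested IP]
MIN_FIELDS = 4
MAX_FIELDS = 6

# True only for a non-empty string that IPAddr accepts as IPv4 or IPv6.
def ip_address?(text)
  return false if text.nil? || text.empty?
  IPAddr.new(text)
  true
rescue ArgumentError # IPAddr's address errors are ArgumentError subclasses
  false
end

# Returns the list of problems for one comma-separated entry (empty = OK).
def check_masq_entry(entry)
  fields = entry.split(",", -1) # -1 keeps trailing empty (optional) fields
  unless (MIN_FIELDS..MAX_FIELDS).cover?(fields.size)
    return ["expected #{MIN_FIELDS}-#{MAX_FIELDS} fields, got #{fields.size}"]
  end
  problems = []
  problems << "mandatory field is empty" if fields.first(MIN_FIELDS).any?(&:empty?)
  requested_ip = fields[5]
  # Optional: absent or empty is fine, anything else must be an address.
  if requested_ip && !requested_ip.empty? && !ip_address?(requested_ip)
    problems << "requested IP #{requested_ip.inspect} is not an IPv4/IPv6 address"
  end
  problems
end

# Finds FW_FORWARD_MASQ in sysconfig text; maps each bad entry to its problems.
def check_masq_config(text)
  line = text.lines.find { |l| l =~ /\A\s*FW_FORWARD_MASQ=/ }
  return {} unless line
  value = line.split("=", 2).last.strip.delete("\"'")
  value.split.each_with_object({}) do |entry, report|
    problems = check_masq_entry(entry)
    report[entry] = problems unless problems.empty?
  end
end

# Constructed sample: the entry from the report next to the corrected one.
SAMPLE = <<~CONF
  FW_FORWARD_MASQ="0/0,192.168.100.137,udp,47976,47976,* 0/0,192.168.100.137,udp,47976"
CONF

check_masq_config(SAMPLE).each { |e, p| puts "#{e}: #{p.join('; ')}" }
```
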
Comment 4 Lukas Ocilka 2013-08-02 13:02:38 UTC
Fixed in yast2-firewall-2.24.2

It will appear in Factory in yast2-firewall-3.0.0
Comment 5 Lukas Ocilka 2013-08-02 13:03:00 UTC
According to comment(s) above: Fixed