Search path (PROGRAM_DIR) for shared files with common name (make Debian friendly)
There are two quite commonly named files "install.config" and "functions.common". Current code (3.1.0) expects them to be installed alongside firehol and other programs.
Obviously, system sbin/ is not a good place for files with common names and FIREHOL_OVERRIDE_PROGRAM_DIR is not a safe solution.
As Debian already uses lib/firehol path for common files, my proposal is to support relative include ${PROGRAM_DIR}/../lib/firehol/$file.
In particular:
    for functions_file in install.config functions.common
    do
        if [ -r "$PROGRAM_DIR/$functions_file" ]
        then
            source "$PROGRAM_DIR/$functions_file"
        else
            1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
            exit 1
        fi
    done
becomes:
    for functions_file in install.config functions.common
    do
        if [ -r "$PROGRAM_DIR/$functions_file" ]
        then
            source "$PROGRAM_DIR/$functions_file"
        # Fall back to the Debian-style lib/firehol directory
        elif [ -r "$PROGRAM_DIR/../lib/firehol/$functions_file" ]
        then
            source "$PROGRAM_DIR/../lib/firehol/$functions_file"
        else
            1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
            exit 1
        fi
    done
The patch itself:
From: Andrey Galkin <[email protected]>
Date: Thu, 29 Dec 2016 00:56:51 +0200
Subject: Support include lib/firehol folder
---
sbin/firehol | 3 +++
sbin/fireqos | 3 +++
sbin/link-balancer | 3 +++
sbin/update-ipsets | 3 +++
sbin/vnetbuild | 3 +++
5 files changed, 15 insertions(+)
diff --git a/sbin/firehol b/sbin/firehol
index 31af6c8..ea8679c 100755
--- a/sbin/firehol
+++ b/sbin/firehol
@@ -45,6 +45,9 @@ do
if [ -r "$PROGRAM_DIR/$functions_file" ]
then
source "$PROGRAM_DIR/$functions_file"
+ elif [ -r "$PROGRAM_DIR/../lib/firehol/$functions_file" ]
+ then
+ source "$PROGRAM_DIR/../lib/firehol/$functions_file"
else
1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
exit 1
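Review bot: the else branch still prints only "Cannot access $PROGRAM_DIR/$functions_file", although by the time it runs two locations have been tried. Name both paths in the message (the second being $PROGRAM_DIR/../lib/firehol/$functions_file) so a failed start points at the directory that actually needs populating.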
diff --git a/sbin/fireqos b/sbin/fireqos
index 91e14f8..4ab99bc 100755
--- a/sbin/fireqos
+++ b/sbin/fireqos
@@ -45,6 +45,9 @@ do
if [ -r "$PROGRAM_DIR/$functions_file" ]
then
source "$PROGRAM_DIR/$functions_file"
+ elif [ -r "$PROGRAM_DIR/../lib/firehol/$functions_file" ]
+ then
+ source "$PROGRAM_DIR/../lib/firehol/$functions_file"
else
1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
exit 1
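Review bot: the added elif sources any file that passes -r at "$PROGRAM_DIR/../lib/firehol/$functions_file", and -r says nothing about who owns the file or who can write to it. The ../ is also left unresolved, so the directory that ends up being used depends on how PROGRAM_DIR was computed. Because source executes the file in the calling shell with the caller's privileges, consider resolving the path to a canonical directory first (or substituting the library directory at configure time) and refusing files that are group- or world-writable.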
diff --git a/sbin/link-balancer b/sbin/link-balancer
index 4d702bf..0f63ba4 100755
--- a/sbin/link-balancer
+++ b/sbin/link-balancer
@@ -45,6 +45,9 @@ do
if [ -r "$PROGRAM_DIR/$functions_file" ]
then
source "$PROGRAM_DIR/$functions_file"
+ elif [ -r "$PROGRAM_DIR/../lib/firehol/$functions_file" ]
+ then
+ source "$PROGRAM_DIR/../lib/firehol/$functions_file"
else
1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
exit 1
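Review bot: the order of the two tests makes a copy in $PROGRAM_DIR shadow the one in ../lib/firehol, and nothing in the hunk records that this is intended. Add a comment above the if stating the precedence, or reverse the order if the lib/firehol copy is meant to win, so a stale file left beside the script cannot silently override it.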
diff --git a/sbin/update-ipsets b/sbin/update-ipsets
index 8b9a3f5..5b52c08 100755
--- a/sbin/update-ipsets
+++ b/sbin/update-ipsets
@@ -101,6 +101,9 @@ do
if [ -r "$PROGRAM_DIR/$functions_file" ]
then
source "$PROGRAM_DIR/$functions_file"
+ elif [ -r "$PROGRAM_DIR/../lib/firehol/$functions_file" ]
+ then
+ source "$PROGRAM_DIR/../lib/firehol/$functions_file"
else
1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
exit 1
diff --git a/sbin/vnetbuild b/sbin/vnetbuild
index ca89a72..1697f68 100755
--- a/sbin/vnetbuild
+++ b/sbin/vnetbuild
@@ -46,6 +46,9 @@ do
if [ -r "$PROGRAM_DIR/$functions_file" ]
then
source "$PROGRAM_DIR/$functions_file"
+ elif [ -r "$PROGRAM_DIR/../lib/firehol/$functions_file" ]
+ then
+ source "$PROGRAM_DIR/../lib/firehol/$functions_file"
else
1>&2 echo "Cannot access $PROGRAM_DIR/$functions_file"
exit 1
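Review bot: this is the fifth verbatim copy of the same elif/then/source lines; the diffstat shows 3 insertions in each of sbin/firehol, fireqos, link-balancer, update-ipsets and vnetbuild. An inner loop over candidate directories, for example for dir in "$PROGRAM_DIR" "$PROGRAM_DIR/../lib/firehol", would keep the five scripts identical and leave one line to edit when another location is added.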
Hi - thanks for the comprehensive report. Did you try the existing setup and find problems in practice?
The installer is supposed to put everything under /usr/libexec/firehol-VER, (or pass a param to configure for /usr/lib/firehol-VER on Debian). The $PROGRAM_DIR should resolve to that, with just symlinks in /sbin.
So I think something has gone wrong with the install procedure if you need your patch.
Hi, I was using a slightly modified original Debian install script (https://github.com/codingfuture/deb-firehol/blob/master/debian/firehol.install). It works a bit differently and perhaps needs to be reworked.
Perhaps, @jgmbenoit can comment a little more. At least, current Debian install scripts will need to be reworked for several packages.
Hi, thanks for the invitation. Porting FireHOL 3.1 is at the top of my TODO list before the Debian freeze.
I'm not sure if this is related to this problem but I'm getting the following error on startup:
[root] # firehol try
Cannot access /usr/lib/firehol/services.common
I'm actually using @andvgal's PPA on Ubuntu 14.04, since only version one is available from the official repositories. Could this be related?
Seems to be from the same chunk of code mentioned above.
https://github.com/firehol/firehol/blob/193b3ed5224cb57d664c2c9b7dfe26bf854f63ca/sbin/firehol#L46-L55
[root] # bash -x /sbin/firehol try
+ for functions_file in install.config functions.common services.common services.firehol
+ '[' -r /usr/lib/firehol/functions.common ']'
+ source /usr/lib/firehol/functions.common
+ for functions_file in install.config functions.common services.common services.firehol
+ '[' -r /usr/lib/firehol/services.common ']'
+ echo 'Cannot access /usr/lib/firehol/services.common'
Cannot access /usr/lib/firehol/services.common
+ exit 1
I think it is more likely that the files:
- services.common
- services.firehol
- services.fireqos
need including in the installer. These were extracted from the man scripts in merge #313.
@philwhineray so should I just copy these files from sbin to /usr/lib/firehol?
Looking at your trace, I expect that will work, yes.
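The "Cannot access" failure traced above can be caught before starting the firewall. This is an added example, not part of the thread or of FireHOL: a preflight check that resolves each file the loader loop sources against the two directories discussed here and flags files that are missing or writable by group or others. The helper names and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example (not FireHOL code): preflight check for the include loop.
# check_includes and make_sample_tree are hypothetical helper names.

# check_includes PROGRAM_DIR file...
# Prints "ok PATH", "unsafe PATH" or "missing FILE" per file, using the same
# search order as the patched loop; returns 0 only if every file is ok.
check_includes() {
    program_dir=$1; shift
    rc=0
    for f in "$@"; do
        found=
        for d in "$program_dir" "$program_dir/../lib/firehol"; do
            if [ -r "$d/$f" ]; then found=$d; break; fi
        done
        if [ -z "$found" ]; then
            echo "missing $f"; rc=1; continue
        fi
        # Collapse ".." and symlinked directories so the report shows the
        # file that would really be sourced.
        real=$(cd "$found" && pwd -P)/$f
        # Sourced files run with the caller's privileges: flag anything
        # that is group- or world-writable.
        if [ -n "$(find -L "$real" \( -perm -020 -o -perm -002 \))" ]; then
            echo "unsafe $real"; rc=1
        else
            echo "ok $real"
        fi
    done
    return $rc
}

# Constructed sample layout: one file beside the script, one in lib/firehol,
# one world-writable, and services.firehol left out on purpose.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/sbin" "$t/lib/firehol"
    : > "$t/sbin/install.config"
    : > "$t/lib/firehol/functions.common"
    : > "$t/lib/firehol/services.common"
    chmod 644 "$t/sbin/install.config" "$t/lib/firehol/functions.common"
    chmod 666 "$t/lib/firehol/services.common"
    echo "$t"
}

tree=$(make_sample_tree)
check_includes "$tree/sbin" install.config functions.common \
    services.common services.firehol || echo "preflight failed"
rm -rf "$tree"
```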
Might this solve this issue? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903303
Sorry guys, I had a routine upgrade of 3.1.5 -> 3.1.6 in firehol-bpo. It worked on a local (dirty) system, but appears to fail on a clean system. I will fix that ASAP.
The fix is here: https://github.com/codingfuture/deb-firehol/commit/5d229bcc1175f9f0f78c47ae68c327713a812dfe
New packages should be available on LaunchPad shortly: https://launchpad.net/~andvgal/+archive/ubuntu/firehol-bpo
Meanwhile, I have removed broken packages.
@andvgal What is wrong with the material from Debian?
@jgmbenoit you tell me if there is anything wrong ;)
I just maintain firehol backports repo with the latest versions which can be used both for Ubuntu and Debian.
Also, the backports are a bit against Debian policy, as for my cases firehol needs to run before the network to close a possible time gap for attack on boot. If I recall your comments correctly, firehol has to run after NFS -> after network as it depends on some utilities from /usr/bin.
In general, we can work around that by integrating with the netfilter-persistent package.
Nothing is wrong, but I do not see the point of maintaining a series of similar packages, while I do see the point of maintaining only one and sharing information. Whatever, I will have to try to remember this discussion when I update the Debian package.
@jgmbenoit if you want to invite me to maintain a single source for deb packages, you can contact me via the email in my GitHub profile.