firewall-port check reports the inverse of reality #6073
Comments
The commit message that added the
So it does indeed return true if the port is blocked, but unfortunately, the string says "open". So the best fix would be to change the word "open" to "closed" in the script, to avoid other side effects.

Ah, then we do in addition need to update L133 in dbsync_slave.ml to match...
I had edited my suggested fix to incorporate forcing iptables to report all ports as numeric. 3493 is for NUT server and so iptables replaces 3493 with "nut" in the output and so it won't match, but then I ended up removing the inverted check fix.

existing check code:

```bash
# Fragment of the plugin's case statement: the "check" sub-command.
check)
    # An empty grep result means the chain holds no rule for $PORT,
    # yet the label printed in that case says "open".
    if [[ -z "$(iptables -S "$CHAIN" | grep " $PORT ")" ]]
    then
        echo "Port $PORT open: true"
    else
        echo "Port $PORT open: false"
    fi
    ;;
```

Need to add the "-v" to make sure ports like 3493 don't output as "nut" and therefore would affect the grep matching:

```bash
check)
    # -v keeps the port numeric so " $PORT " still matches, and the
    # label now agrees with the logic: no rule in the chain = closed.
    if [[ -z "$(iptables -v -S "$CHAIN" | grep " $PORT ")" ]]
    then
        echo "Port $PORT closed: true"
    else
        echo "Port $PORT closed: false"
    fi
    ;;
```

or

```bash
check)
    # Same test without the subshell: rely on grep's exit status.
    if ! iptables -v -S "$CHAIN" | grep -s -q " $PORT "
    then
        echo "Port $PORT closed: true"
    else
        echo "Port $PORT closed: false"
    fi
    ;;
```
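A corrected check run over a constructed sample of `iptables -v -S` output, added here as an example and not code from the xapi plugin or from this thread. The chain name, rules and counters are made up, and the `-c pkts bytes` counter placement that `-v` adds is assumed; matching on `--dport N` rather than on `" $PORT "` also keeps a counter that happens to equal the port number from being mistaken for a rule.

```bash
#!/bin/bash
# Added example: a "check" that reports closed/open the right way round,
# evaluated against constructed rule text instead of a live firewall.

# Constructed sample of `iptables -v -S xapi-INPUT`: numeric ports, with
# the -v counters assumed to print as "-c pkts bytes" before "-j".
SAMPLE_RULES='-P xapi-INPUT DROP
-A xapi-INPUT -p tcp -m tcp --dport 3493 -c 12 840 -j ACCEPT
-A xapi-INPUT -p tcp -m tcp --dport 443 -c 0 0 -j ACCEPT
-A xapi-INPUT -p tcp -m tcp --dport 22 -c 80 6400 -j ACCEPT
-A xapi-INPUT -p tcp -m tcp --dport 34930 -c 0 0 -j ACCEPT'

# port_closed RULES PORT
# Follows the plugin's convention: a port is open when the chain holds a
# rule for it; with no rule the chain policy (DROP above) applies.
# Anchoring on "--dport N" followed by a space or end of line means the
# packet counter "80" on the port-22 rule is not read as a rule for 80.
port_closed() {
    local rules=$1 port=$2
    ! printf '%s\n' "$rules" | grep -Eq -e "--dport ${port}( |$)"
}

# report RULES PORT: print the label with the wording fixed per this issue.
report() {
    if port_closed "$1" "$2"; then
        echo "Port $2 closed: true"
    else
        echo "Port $2 closed: false"
    fi
}

report "$SAMPLE_RULES" 3493   # Port 3493 closed: false
report "$SAMPLE_RULES" 80     # Port 80 closed: true (80 is only a counter)
```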
Here is the behaviour I am seeing with /etc/xapi.d/plugins/firewall-port:
The change that would work.
to
If I knew how to do a git pull request and all that I'd do it, however I do not.