Page MenuHomeVyOS Platform
Create Task
Maniphest T1460

"show firewall ...." doesn't support counters with more than eight digits
Closed, ResolvedPublicBUG
Actions

Description

If the packet counter in the output of iptables command contains a value with eight or more digits, these values are not processed correctly in show firewall output.

This problem is causing by an incorrect algorithm of output parsing in vyatta-show-firewall.pl.

Details

Difficulty level
Normal (likely a few hours)
Version
1.2.1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

zsdc changed the task status from Open to In progress.Jun 20 2019, 7:28 PM
zsdc claimed this task.
zsdc created this task.
zsdc added a comment.Jun 20 2019, 8:57 PM

Example of the output when value is below 10000000:

vyos@test-06:~$ show firewall name TESTFW rule 50 

-----------------------------
Rulesets Information
-----------------------------

IPv4 Firewall "TESTFW":

 Active on (eth2,IN)

rule  action   proto     packets  bytes                                   
----  ------   -----     -------  -----                                   
50    accept   tcp_udp   166      26932                                   
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

Example of the output when value is above 10000000:

vyos@test-06:~$ show firewall name TESTFW rule 50

-----------------------------
Rulesets Information
-----------------------------

IPv4 Firewall "TESTFW":

 Active on (eth2,IN)

rule  action   proto     packets  bytes                                   
Argument "RETURN" isn't numeric in addition (+) at /opt/vyatta/bin/vyatta-show-firewall.pl line 341.
----  ------   -----     -------  -----                                   
50    accept   tcp_udp   1929030196 7744                                    
  condition - saddr 0.0.0.0/0 daddr /*                                          

vyos@test-06:~$ sudo iptables -t filter -L TESTFW -nvx
Chain TESTFW (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
10682320 1929032208 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* TESTFW-50 */
      33     8988 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* TESTFW-50 */
28280889 2375565896 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* TESTFW-10000 default-action accept */
zsdc closed this task as Resolved.Jun 21 2019, 9:51 AM

Fixed in https://phabricator.vyos.net/R27:e6bff7fd27e74bf25737fa22aed6a5a60b7f03bd.

syncer reopened this task as Backport candidate.Aug 31 2019, 2:52 AM
syncer reassigned this task from zsdc to dmbaturin.
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus, VyOS 1.2 Crux (VyOS 1.2.3); removed VyOS 1.2 Crux.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
dmbaturin closed this task as Resolved.Aug 31 2019, 2:57 AM

Cherry-picked into crux.

syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.3) board.Aug 31 2019, 12:46 PM
dmbaturin renamed this task from "show firewall ...." does not show information correctly in specific cases to "show firewall ...." doesn't support counters with more than eight digits.Sep 11 2019, 10:34 PM
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin removed a project: VyOS 1.3 Equuleus.Sep 10 2021, 2:23 PM