IPv6 / pipe delimiter

sparek
Junior Member
Posts: 38
Joined: 11 Feb 2008, 17:55

IPv6 / pipe delimiter

Post by sparek »

I understand the need to move away from colons (:) as a separator for denying and allowing rules due to upcoming IPv6. Just wondering why pipe (|) was chosen as the alternative? I believe this was introduced in version 5.04.

Reason being, to add a rule to the csf.deny file via the command line you can use the:

Code:

csf -d "tcp|in|d=80|s=xx.xx.xx.xx" Some Comments

But to remove this rule you have to use:

Code:

csf -dr "tcp\|in\|d=80\|s=xx.xx.xx.xx"

To remove a rule you have to escape the pipes. I'm not sure if this was intentional or an oversight. Or perhaps I am doing something wrong.

At any rate, with the colon separator you don't even have to enter the rule in quotes:

Code:

csf -d tcp:in:d=80:s=xx.xx.xx.xx

I'm just wondering if using a different separator, perhaps "+" or "%", would be better:

Code:

csf -d tcp%in%d=80%s=xx.xx.xx.xx

Code:

csf -d tcp+in+d=80+s=xx.xx.xx.xx

Using pipes definitely looks better, I won't argue with that. I just thought from a usability standpoint using a delimiter that does not have to be escaped out might be better.

Perhaps this could be better resolved if the command-line removal did not require the pipe characters to be escaped.

sparek
Junior Member
Posts: 38
Joined: 11 Feb 2008, 17:55

Re: IPv6 / pipe delimiter

Post by sparek »

Actually, I looked into this some more after I submitted this. It looks like the pipe is messing with the regex matching in the line searching.

This is what I am seeing with csf Version 5.09.

This appears to be correctable by escaping the pipe out before any regex searching is done.

On line 844 of csf.pl add the line:

Code:

$ip =~ s/\|/\\|/g;

I am not sure what other subroutines would need this or if line 844 is an optimal placement for this. I suspect that the doakill subroutine would also need this and anything else that does regex searching.

To duplicate this issue and see what I am talking about, add lines into your csf.deny file:

Code:

tcp:in:d=25:s=192.168.0.13
tcp:in:d=443:s=192.168.0.13
192.168.0.100
192.168.0.200
tcp|in|d=110:s=192.168.0.20

Now add a new deny rule from the command line:

Code:

csf -d "tcp|in|d=143|s=192.168.0.26"

And then remove that rule from the command line:

Code:

csf -dr "tcp|in|d=143|s=192.168.0.26"

Because the pipes are not escaped out, either on the command line or in the csf.pl script, they are treated as OR statements in the regex matching.

Your csf.deny file will now consist of just:

Code:

192.168.0.100
192.168.0.200

Escaping out the pipe characters either on the command line or in the csf.pl script will ensure that the regex matching is exact.

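As an added example (not code from csf.pl, and a simplified stand-in for whatever the actual line matching in csf.pl does at the line cited above), the following Perl script runs the reproduction from this post through three variants of the match: the raw interpolation that turns the pipes into alternation, the pipe-only escape from the suggested one-line patch, and a quotemeta (\Q...\E) match that escapes every metacharacter. The csf.deny contents and the subroutine names are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not csf's own code: a simplified stand-in for the
# csf.deny line matching described in the thread, showing the
# unescaped-pipe bug and two ways of fixing it.
use strict;
use warnings;

# Constructed csf.deny contents, mirroring the thread's reproduction
# plus the rule that "csf -d" has just appended.
my @deny = (
    'tcp:in:d=25:s=192.168.0.13',
    'tcp:in:d=443:s=192.168.0.13',
    '192.168.0.100',
    '192.168.0.200',
    'tcp|in|d=110:s=192.168.0.20',
    'tcp|in|d=143|s=192.168.0.26',
);

# The rule passed to "csf -dr", exactly as the shell hands it over
# (single or double quotes make no difference to this string).
my $rule = 'tcp|in|d=143|s=192.168.0.26';

# Assumed buggy behaviour: the rule is interpolated into the pattern
# as-is, so /^$rule/ becomes /^tcp|in|d=143|s=192.168.0.26/ and each
# "|" is alternation. Only the first alternative is anchored with "^";
# "in" on its own matches anywhere in a line.
sub remove_unescaped {
    my ($rule, @lines) = @_;
    return grep { $_ !~ /^$rule/ } @lines;
}

# The patch suggested in the thread: escape only the pipes beforehand.
# This stops the alternation, but "." in the IP still matches any
# character, so the match is still not strictly literal.
sub remove_pipe_escaped {
    my ($rule, @lines) = @_;
    (my $escaped = $rule) =~ s/\|/\\|/g;
    return grep { $_ !~ /^$escaped/ } @lines;
}

# Literal match: \Q...\E (quotemeta) escapes every regex metacharacter,
# including "|" and ".", so the caller never has to escape anything on
# the command line. csf.deny lines may carry a trailing "# comment",
# hence the lookahead for whitespace or end of line instead of "$".
sub remove_literal {
    my ($rule, @lines) = @_;
    return grep { $_ !~ /^\Q$rule\E(?:\s|$)/ } @lines;
}

sub show {
    my ($label, @lines) = @_;
    print "$label\n";
    print "  $_\n" for @lines;
}

show('unescaped (bug):',   remove_unescaped($rule, @deny));
show('pipes escaped:',     remove_pipe_escaped($rule, @deny));
show('quotemeta (exact):', remove_literal($rule, @deny));
```

Run with `perl` and the first listing is reduced to the two bare IP lines, exactly as in the post: the tcp:in lines are hit by the unanchored "in" alternative and the two pipe rules by "^tcp". The other two listings keep the five lines that should survive. Because the escaping happens inside the script, the user can type the rule with double quotes, single quotes or no quotes at all, and the dots in the address are also matched literally, which the pipe-only substitution does not achieve.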
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: IPv6 / pipe delimiter

Post by chirpy »

I'll look into the issue. In the meantime, if you use single quotes instead of double quotes it should overcome the issue.

sparek
Junior Member
Posts: 38
Joined: 11 Feb 2008, 17:55

Re: IPv6 / pipe delimiter

Post by sparek »

Even with single quotes you have to escape out the pipe characters.

At least that is with my experience using a bash shell.