Bug 2051034
Summary: | Removal of gethostbyname2 breaks Shorewall6 |
---|---|
Product: | [Fedora] Fedora |
Component: | shorewall |
Version: | 35 |
Hardware: | x86_64 |
OS: | All |
Status: | CLOSED CURRENTRELEASE |
Severity: | urgent |
Priority: | unspecified |
Reporter: | Brian J. Murrell <brian> |
Assignee: | Michele Baldessari <michele> |
QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
CC: | jplesnik, jrowens.fedora, mhjacks, michele, mspacek, paul, perl-devel, ppisar |
Fixed In Version: | shorewall-5.2.8-9.fc35 |
Doc Type: | If docs needed, set a value |
Last Closed: | 2022-08-26 08:34:33 UTC |
Type: | Bug |
Description
Brian J. Murrell
2022-02-05 22:34:28 UTC
Well, gethostbyname2 is obsolete so it would really be better to get shorewall not to use it.

Can you try this change to /usr/share/perl5/vendor_perl/Shorewall/IPAddrs.pm and see if it works for you?

--- /usr/share/perl5/vendor_perl/Shorewall/IPAddrs.pm.orig 2021-11-05 11:03:22.000000000 +0000 +++ /usr/share/perl5/vendor_perl/Shorewall/IPAddrs.pm 2022-02-06 13:28:43.045058966 +0000 @@ -509,7 +509,7 @@ sub validate_6address( $$ ) { unless ( valid_6address $addr ) { fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name; require Socket6; - fatal_error "Unknown Host ($addr)" unless (@addrs = Socket6::gethostbyname2( $addr, Socket6::AF_INET6())); + fatal_error "Unknown Host ($addr)" unless (@addrs = Socket6::getaddrinfo( $addr, 0, Socket6::AF_INET6())); if ( defined wantarray ) { shift @addrs for (1..4); 
@@ -527,7 +527,7 @@ sub resolve_6dnsname( $ ) { my @addrs; require Socket6; - fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6())); + fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::getaddrinfo( $net, 0, Socket6::AF_INET6())); shift @addrs for (1..4); for ( @addrs ) {

Also, it should be evident from this change that gethostbyname2 is only being called in a fatal error condition so your configuration probably wouldn't have worked anyway. Maybe you are using a hostname in your rules file that does not have an IPv6 address?

(In reply to Paul Howarth from comment #1)
> Well, gethostbyname2 is obsolete so it would really be better to get
> shorewall not to use it.

I am more than happy to pass that along. Do you have any reference that indicates that it's obsolete so that they don't just have to take my word for it?

> Can you try this change to /usr/share/perl5/vendor_perl/Shorewall/IPAddrs.pm
> and see if it works for you?

It does, thanks!

> Also, it should be evident from this change that gethostbyname2 is only
> being called in a fatal error condition so your configuration probably
> wouldn't have worked anyway.

But it did in fact compile and load with no errors/failures once I made the above change.

> Maybe you are using a hostname in your rules
> file that does not have an IPv6 address?

Seems not, per the above.

(In reply to Brian J. Murrell from comment #2)
> (In reply to Paul Howarth from comment #1)
> > Well, gethostbyname2 is obsolete so it would really be better to get
> > shorewall not to use it.
>
> I am more than happy to pass that along. Do you have any reference that
> indicates that it's obsolete so that they don't just have to take my word
> for it?

https://linux.die.net/man/3/gethostbyname2 (see "Description")

If you have glibc-devel installed, you can get the same info from "man gethostbyname2".
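Review bot: in the validate_6address hunk (@@ -509,7 +509,7 @@), the unchanged context line `shift @addrs for (1..4);` still assumes gethostbyname2's return layout (name, aliases, address type, length, then the addresses). Socket6::getaddrinfo returns groups of five values (family, socket type, protocol, packed socket address, canonical name), so after dropping four elements the list starts at the canonical name, not at an address, and the address it does carry is a packed sockaddr rather than a bare 16-byte address. Suggest consuming the result five elements at a time and unpacking the fourth element of each group instead of reusing the shift.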
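Review bot: in the resolve_6dnsname hunk (@@ -527,7 +527,7 @@), `unless (@addrs = Socket6::getaddrinfo( $net, 0, Socket6::AF_INET6()))` raises "Unknown Host ($net)" only when the returned list is empty. Socket6::getaddrinfo reports a failed lookup as a short list carrying the error value rather than an empty list, so a name that does not resolve can pass this check and reach `for ( @addrs ) {`. Suggest requiring at least five elements (one complete result) before continuing and including the returned error in the fatal_error text. With no socket type given, the same address can also come back once per socket type, so pass one or de-duplicate.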
> > Can you try this change to /usr/share/perl5/vendor_perl/Shorewall/IPAddrs.pm
> > and see if it works for you?
>
> It does, thanks!
>
> > Also, it should be evident from this change that gethostbyname2 is only
> > being called in a fatal error condition so your configuration probably
> > wouldn't have worked anyway.
>
> But it did in fact compile and load with no errors/failures once I made the
> above change.
>
> > Maybe you are using a hostname in your rules
> > file that does not have an IPv6 address?
>
> Seems not, per the above.

My bad. I didn't notice the "unless". Glad that it's working again.

The best way is to rewrite Shorewall6 to remove the dependency on Socket6. There are IO::Socket::IP or Socket with IPv6 support now.

(In reply to Michal Josef Spacek from comment #4)
> The best way is to rewrite Shorewall6 to remove the dependency on Socket6.

Sure. But I am not a Shorewall maintainer or really much of a Perl programmer for that matter. No offence, but I don't really like Perl as a programming language and don't spend much time with it as a result.

> There are IO::Socket::IP or Socket with IPv6 support now.

That's great.

But seeing as this change in the Perl::Socket6 is breaking Shorewall in Fedora 35 currently, assuming we cannot get the Shorewall authors to agree (there has been no response to my report of the use of these obsolete interfaces) to updating to discontinue using these obsolete interfaces, would it be appropriate to transfer this ticket to the shorewall BZ component to have the above patch applied to the Fedora shorewall package?

(In reply to Brian J. Murrell from comment #5)
> (In reply to Michal Josef Spacek from comment #4)
> > The best way is to rewrite Shorewall6 to remove the dependency on Socket6.
>
> Sure. But I am not a Shorewall maintainer or really much of a Perl
> programmer for that matter. No offence, but I don't really like Perl as a
> programming language and don't spend much time with it as a result.
I understand.

> > There are IO::Socket::IP or Socket with IPv6 support now.
>
> That's great.
>
> But seeing as this change in the Perl::Socket6 is breaking Shorewall in
> Fedora 35 currently, assuming we cannot get the Shorewall authors to agree
> (there has been no response to my report of the use of these obsolete
> interfaces) to updating to discontinue using these obsolete interfaces,
> would it be appropriate to transfer this ticket to the shorewall BZ
> component to have the above patch applied to the Fedora shorewall package?

I created a patch for the fix: https://gitlab.com/shorewall/code/-/merge_requests/5

Ahhh. Very nice. I didn't even know Shorewall had made it outside of SourceForge. Hopefully they merge that MR.

(In reply to Brian J. Murrell from comment #7)
> Ahhh. Very nice. I didn't even know Shorewall had made it outside of
> SourceForge.

I prepared a PR for Fedora rawhide:
https://src.fedoraproject.org/rpms/shorewall/pull-request/2
But I don't know how to test.

(In reply to Michal Josef Spacek from comment #8)
> I prepared a PR for Fedora rawhide:
> https://src.fedoraproject.org/rpms/shorewall/pull-request/2
> But I don't know how to test.

I tried it and my firewall is still working OK. Brian's configuration would exercise the changed code paths more though so it would be better for him to try it.

Here is a scratch build for Fedora 35: https://koji.fedoraproject.org/koji/taskinfo?taskID=82552545

> Here is a scratch build for Fedora 35: https://koji.fedoraproject.org/koji/taskinfo?taskID=82552545

Seems to compile the rules without any of the previous failures.
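
The direction suggested in comment #4 (core Socket instead of Socket6), shown as an added example; it is not code from Shorewall, the merge request or the Fedora package. `resolve_ipv6` is a hypothetical helper name, and the inputs are constructed numeric literals resolved with AI_NUMERICHOST so the script runs without DNS.

```perl
#!/usr/bin/perl
use strict;
use warnings;
# Core Socket (Perl 5.14+) provides getaddrinfo, so Socket6 is not required.
use Socket qw(:addrinfo AF_INET6 SOCK_STREAM inet_ntop unpack_sockaddr_in6);

# Hypothetical helper (not Shorewall's resolve_6dnsname): returns the IPv6
# addresses of $name as text, or dies with an "Unknown Host" message.
sub resolve_ipv6 {
    my ($name, $flags) = @_;

    my ($err, @res) = getaddrinfo($name, "", {
        family   => AF_INET6,
        socktype => SOCK_STREAM,   # avoids one result per socket type
        flags    => $flags // 0,
    });

    # Core Socket returns the error separately from the results, so a
    # failed lookup cannot be mistaken for a non-empty address list.
    die "Unknown Host ($name): $err\n" if $err;

    my (%seen, @addrs);
    for my $ai (@res) {
        # Each result is a hash; 'addr' holds a packed sockaddr_in6.
        my (undef, $ip6) = unpack_sockaddr_in6($ai->{addr});
        my $text = inet_ntop(AF_INET6, $ip6);
        push @addrs, $text unless $seen{$text}++;
    }
    die "Unknown Host ($name): no IPv6 address\n" unless @addrs;
    return @addrs;
}

# Constructed inputs: two numeric literals and one string that must fail.
for my $name ('2001:db8::1', '::1', 'not-an-address') {
    my @addrs = eval { resolve_ipv6($name, AI_NUMERICHOST) };
    my $line  = $@ ? "FAIL  $@" : "OK    $name -> @addrs\n";
    print $line;
}
```

Calling `resolve_ipv6($name)` without the flag performs a normal DNS lookup for AAAA records.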