Bug 503588

Summary: 'Other Port' validation broken
Product: Red Hat Enterprise Linux 5
Reporter: Jeff Bastian <jbastian>
Component: system-config-securitylevel
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: medium
Version: 5.3
CC: dkovalsk, pknirsch, tao
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-12-09 08:36:40 UTC

Attachments:
- patch to fix validation
- Fix for the failing check of a single service name containing a '-'.

Description Jeff Bastian 2009-06-01 19:35:50 UTC
Description of problem:
Validation of the "Other Ports" in system-config-securitylevel is broken. When a port is entered, its service name is derived and then added to the list. So in case of service names with hyphens, they are assumed to be port ranges and are split and the individual sections are found to be invalid.

This way, even when such ports are added, they are not visible in the list. You can see that the rules have been added with iptables-save. Subsequent changes to ports in system-config-securitylevel will remove the rules added for those earlier ports.

Version-Release number of selected component (if applicable):
system-config-securitylevel-1.6.29.1-2.1.el5

How reproducible:
Always

Steps to Reproduce:
1. Start system-config-securitylevel
2. Click on the "Other Ports" section
3. Click on "Add"
4. Enter 1156 as port.  Leave protocol as tcp
5. Press OK
6. Press Apply and Ok to close
7. iptables-save
  
Actual results:
The firewall rule for 1156 has been applied but it is not seen as added in system-config-securitylevel

Expected results:
1156 should be visible in system-config-securitylevel as iascontrol-oms

Additional info:
s-c-securitylevel 1.6.30 fixes this condition, but at the same time this version does not have any real validation at all. The rule for validation is effectively, "It should be a number, range of numbers or characters," but there is no validation of whether the characters represent a valid service name.

Comment 1 Jeff Bastian 2009-06-01 19:37:52 UTC
Created attachment 346130 [details]
patch to fix validation

This is a patch from Siddhesh Poyarekar <spoyarek> to validate numeric ports and if false, check for validity of the service name.

Comment 2 Thomas Woerner 2009-06-02 14:04:47 UTC
Created attachment 346257 [details]
Fix for the failing check of a single service name containing a '-'.

Thanks for your patch from comment #1, but it

- dropped support for port ranges with service names.
- disabled the check for ports > 65535. (rhbz#247608)

Please have a look at this valid port range: ftp-data-ftp:tcp (20-21:tcp).
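
The validation requirements raised in this thread (a single hyphenated service name, a range whose endpoints are service names, and rejection of ports above 65535) can be met together, as in this added example, which is not the attached patch or code from system-config-securitylevel. The function names `resolve_port` and `parse_port_spec` and the inline `SERVICES` table are hypothetical and constructed for illustration.

```python
# Constructed subset of /etc/services, embedded so the example runs offline.
SERVICES = {
    ("ftp-data", "tcp"): 20,
    ("ftp", "tcp"): 21,
    ("ssh", "tcp"): 22,
    ("iascontrol-oms", "tcp"): 1156,
}
MAX_PORT = 65535


def resolve_port(token, proto):
    """Return the port for a numeric string or known service name, else None."""
    if token.isascii() and token.isdigit():
        port = int(token)
        # Reject out-of-range numbers (0 is also rejected; an assumption here).
        return port if 1 <= port <= MAX_PORT else None
    return SERVICES.get((token, proto))


def parse_port_spec(spec):
    """Parse '<port>:<proto>' or '<first>-<last>:<proto>'.

    Returns (first, last, proto); raises ValueError if nothing resolves.
    """
    entry, sep, proto = spec.strip().rpartition(":")
    if not sep or not entry or proto not in ("tcp", "udp"):
        raise ValueError("expected <port>:<tcp|udp>, got %r" % spec)

    # 1. Try the whole entry as one port or service name first, so that
    #    'iascontrol-oms' is never split at its hyphen.
    port = resolve_port(entry, proto)
    if port is not None:
        return (port, port, proto)

    # 2. Try every hyphen as the range separator, because either endpoint
    #    may itself be a hyphenated service name ('ftp-data-ftp').
    for i, ch in enumerate(entry):
        if ch != "-":
            continue
        first = resolve_port(entry[:i], proto)
        last = resolve_port(entry[i + 1:], proto)
        if first is not None and last is not None and first <= last:
            return (first, last, proto)

    raise ValueError("invalid port or service name: %r" % spec)
```

A real implementation would look names up in the system services database instead of the inline table.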

Comment 11 errata-xmlrpc 2009-12-09 08:36:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1656.html