Bug 503588 - 'Other Port' validation broken
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: system-config-securitylevel
Version: 5.3
Hardware: All Linux
Priority: medium, Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Thomas Woerner
QA Contact: BaseOS QE
Depends On:
Blocks:
Reported: 2009-06-01 15:35 EDT by Jeff Bastian
Modified: 2013-04-12 16:17 EDT

Doc Type: Bug Fix
Last Closed: 2009-12-09 03:36:40 EST

Attachments
patch to fix validation (2.97 KB, patch)
2009-06-01 15:37 EDT, Jeff Bastian
Fix for the failing check of a single service name containing a '-'. (684 bytes, patch)
2009-06-02 10:04 EDT, Thomas Woerner

Description Jeff Bastian 2009-06-01 15:35:50 EDT
Description of problem:
Validation of the "Other Ports" in system-config-securitylevel is broken. When a port is entered, its service name is derived and then added to the list. So in case of service names with hyphens, they are assumed to be port ranges and are split and the individual sections are found to be invalid.

This way, even when such ports are added, they are not visible in the list. You can see that the rules have been added with iptables-save. Subsequent changes to ports in system-config-securitylevel will remove the rules added for those earlier ports.

Version-Release number of selected component (if applicable):
system-config-securitylevel-1.6.29.1-2.1.el5

How reproducible:
Always

Steps to Reproduce:
1. Start system-config-securitylevel
2. Click on the "Other Ports" section
3. Click on "Add"
4. Enter 1156 as port.  Leave protocol as tcp
5. Press OK
6. Press Apply and Ok to close
7. iptables-save
  
Actual results:
The firewall rule for 1156 has been applied but it is not seen as added in system-config-securitylevel

Expected results:
1156 should be visible in system-config-securitylevel as iascontrol-oms

Additional info:
s-c-securitylevel 1.6.30 fixes this condition, but at the same time this version does not have any real validation at all. The rule for validation is effectively, "It should be a number, range of numbers or characters," but there is no validation of whether the characters represent a valid service name.
Comment 1 Jeff Bastian 2009-06-01 15:37:52 EDT
Created attachment 346130
patch to fix validation

This is a patch from Siddhesh Poyarekar <spoyarek@redhat.com> to validate numeric ports and if false, check for validity of the service name.
Comment 2 Thomas Woerner 2009-06-02 10:04:47 EDT
Created attachment 346257
Fix for the failing check of a single service name containing a '-'.

Thanks for your patch from comment #1, but it

- dropped support for port ranges with service names.
- disabled the check for ports > 65535. (rhbz#247608)

Please have a look at this valid port range: ftp-data-ftp:tcp (20-21:tcp).
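
Added example, not code from system-config-securitylevel or from either attached patch: one way to validate an "Other Ports" entry so that hyphenated service names, ranges built from service names, and the 65535 upper bound raised in the comments above are all handled. The `SERVICES` table is constructed and stands in for an /etc/services lookup; `resolve_port` and `parse_port_spec` are hypothetical names.

```python
# Constructed stand-in for the tcp entries of /etc/services; a real tool
# would look names up with socket.getservbyname(name, "tcp") instead.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "iascontrol-oms": 1156}
MAX_PORT = 65535


def resolve_port(token):
    """Return the port for a numeric string or known service name, else None."""
    if token.isascii() and token.isdigit():
        port = int(token)
        # Assumption: only 1..65535 is accepted as a port number.
        return port if 0 < port <= MAX_PORT else None
    return SERVICES.get(token)


def parse_port_spec(spec):
    """Parse 'port' or 'first-last' (numbers or service names) into (first, last).

    Raises ValueError when the spec is neither a valid port nor a valid range.
    """
    spec = spec.strip()
    # 1. Try the whole string first, so 'iascontrol-oms' is never split.
    single = resolve_port(spec)
    if single is not None:
        return (single, single)
    # 2. Otherwise try every '-' as the range separator, because either side
    #    may itself be a hyphenated service name ('ftp-data-ftp').
    candidates = set()
    for i, ch in enumerate(spec):
        if ch != "-":
            continue
        first, last = resolve_port(spec[:i]), resolve_port(spec[i + 1:])
        if first is not None and last is not None and first <= last:
            candidates.add((first, last))
    # Reject both "no valid split" and "more than one valid split".
    if len(candidates) != 1:
        raise ValueError("invalid or ambiguous port spec: %r" % spec)
    return candidates.pop()
```
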
Comment 11 errata-xmlrpc 2009-12-09 03:36:40 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1656.html
