Bug 532402 - Review Request: APF - Advanced Policy Firewall
Review Request: APF - Advanced Policy Firewall
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Nobody's working on this, feel free to take it
Fedora Extras Quality Assurance
:
Depends On:
Blocks: FE-DEADREVIEW
  Show dependency treegraph
 
Reported: 2009-11-02 01:11 EST by Mark McKinstry
Modified: 2011-01-19 15:48 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-19 15:48:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark McKinstry 2009-11-02 01:11:28 EST
Spec URL: http://mmckinst.nexcess.net/apf/apf.spec
SRPM URL: http://mmckinst.nexcess.net/apf/apf-9.7-1.src.rpm

Description: APF is an iptables (netfilter) based firewall system designed around the 
essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow.

This is my first package and I am looking for a sponsor. This package is on the wishlist: http://fedoraproject.org/wiki/PackageMaintainers/WishList#A-D
Comment 1 Scott Collier 2009-11-08 13:02:54 EST
Hi Mark,

I'm not a sponsor, I just have some general recommendations about your package.  This is my first review, so please let me know if there are any questions.

1. The package didn't build on my system due to permissions on directories on /etc/apf

http://boodle.fedorapeople.org/RPMS/error.out

2. rpmlint has a few messages:
$ rpmlint apf.spec
apf.spec: W: no-cleaning-of-buildroot %install
apf.spec: W: mixed-use-of-spaces-and-tabs (spaces: line 6, tab: line 1)

$ rpmlint ../SRPMS/apf-9.7-1.src.rpm
apf.src: W: no-version-in-last-changelog
apf.src: W: no-cleaning-of-buildroot %install
apf.src: W: mixed-use-of-spaces-and-tabs (spaces: line 6, tab: line 1)
1 packages and 0 specfiles checked; 0 errors, 3 warnings.

Please correct these.

3. Your buildroot is probably fine, but Fedora does have preferences, please use a buildroot from:
https://fedoraproject.org/wiki/Packaging/Guidelines#BuildRoot_tag


4. source0 should be URL to source file, please see:
https://fedoraproject.org/wiki/Packaging:SourceURL

5. Add a version to the last changelog entry
Comment 2 Mark McKinstry 2009-11-20 14:19:30 EST
(In reply to comment #1)

Thanks for taking the time to look at my first package.

> 1. The package didn't build on my system due to permissions on directories on
> /etc/apf

Fixed.

> 2. rpmlint has a few messages:

Fixed.

> 3. Your buildroot is probably fine, but Fedora does have preferences, please
> use a buildroot from:
> https://fedoraproject.org/wiki/Packaging/Guidelines#BuildRoot_tag

Fixed.

> 4. source0 should be URL to source file, please see:
> https://fedoraproject.org/wiki/Packaging:SourceURL

Unfortunately the author does not provide a way to download a specific version, you can only download the latest -current. I've added a note to the spec file explaining the situation.

> 5. Add a version to the last changelog entry  

Done.

The updated SPEC and SRPM are at:

http://mmckinst.nexcess.net/apf/apf.spec
http://mmckinst.nexcess.net/apf/apf-9.7.1-2.src.rpm
Comment 3 Scott Collier 2009-11-20 19:02:26 EST
No problem.  Just a couple more things here.  Please make the changes and I'll have another look.

1. Now it does build.  rpmlint has issues with the rpm:

$ rpmlint ../RPMS/noarch/apf-9.7.1-2.noarch.rpm
apf.noarch: E: non-readable /etc/apf/allow_hosts.rules 0640
apf.noarch: E: non-readable /etc/apf/internals/multicast.networks 0640
apf.noarch: W: non-conffile-in-etc /etc/apf/internals/multicast.networks
apf.noarch: E: non-readable /etc/apf/apf 0750
apf.noarch: E: non-standard-executable-perm /etc/apf/apf 0750
apf.noarch: E: non-readable /etc/apf/internals/private.networks 0640
apf.noarch: W: non-conffile-in-etc /etc/apf/internals/private.networks
apf.noarch: E: non-readable /etc/apf/VERSION 0640
apf.noarch: W: non-conffile-in-etc /etc/apf/VERSION
<snip>
1 packages and 0 specfiles checked; 55 errors, 21 warnings.

You can get information on these errors / warnings here:

https://fedoraproject.org/wiki/Common_Rpmlint_issues

You can also get more verbose info with "rpmlint -i"

2. I'd take out the 

BuildArch:      noarch

tag.

3. add the %{?dist} tag to release.

4. Please don't chkconfig a service on by default:
chkconfig --level 345 apf on

See 

https://fedoraproject.org/wiki/Packaging:SysVInitScript#Why_don.27t_we....

5. instead of defining basedir:

%define         basedir /etc/apf

you can use the %{_sysconfdir} tag.

which would change:

find %{buildroot}%{basedir}/ -type f -exec chmod 640 {} \;
to:
find %{buildroot}%{_sysconfdir}/apf -type f -exec chmod 640 {} \;

and a few other places as well...

6. You can take out these two lines:

mkdir -p %{buildroot}/%{_docdir}/%{name}
cp -pf COPYING.GPL CHANGELOG README.apf %{buildroot}/%{_docdir}/%{name}/

and use the %doc tag (something like):
%doc COPYING.GPL CHANGELOG README.apf

so, in your %files, 
%doc %{_docdir}/apf/CHANGELOG

take out the %{_docdir}/apf/
Comment 4 Scott Collier 2010-01-06 21:18:37 EST
ping
Comment 5 Mark McKinstry 2010-01-06 22:07:04 EST
I'm still alive, I've just been busy. I'm planning on working on the APF rpm this weekend.
Comment 6 Mark McKinstry 2010-01-15 17:11:40 EST
> 1. Now it does build.  rpmlint has issues with the rpm:

APF is kind of weird in the way its written. It is essentially a collection of shell scripts that act as a wrapper to iptables. It, by default, installs everything including executables in /etc/apf . The documentation advises against changing the install directory so I have went with the authors advice. I went through what rpmlint said and commented on it.

> apf.noarch: E: non-executable-script /etc/apf/conf.apf 0640 /bin/bash
> apf.noarch: E: non-executable-script /etc/apf/extras/dshield/cron.ds 0640 /bin/bash
> apf.noarch: E: non-executable-script /etc/apf/internals/functions.apf 0640 /bin/bash
> apf.noarch: E: script-without-shebang /etc/apf/extras/.ca.def
> apf.noarch: E: script-without-shebang /etc/apf/vnet/vnetgen

This is just the way APF is written. 

> apf.noarch: E: non-readable /etc/apf/allow_hosts.rules 0640
> apf.noarch: E: non-readable /etc/apf/apf 0750
> apf.noarch: E: non-readable /etc/apf/bt.rules 0640
> apf.noarch: E: non-readable /etc/apf/conf.apf 0640
> apf.noarch: E: non-readable /etc/apf/deny_hosts.rules 0640
> apf.noarch: E: non-readable /etc/apf/ds_hosts.rules 0640
> apf.noarch: E: non-readable /etc/apf/ecnshame_hosts.rules 0640
> apf.noarch: E: non-readable /etc/apf/extras/dshield/cron.ds 0640
> apf.noarch: E: non-readable /etc/apf/extras/dshield/dshield-3.2.tar.gz 0640
> apf.noarch: E: non-readable /etc/apf/extras/dshield/install 0750
> apf.noarch: E: non-readable /etc/apf/extras/dshield/README 0640
> apf.noarch: E: non-readable /etc/apf/extras/get_ports 0750
> apf.noarch: E: non-readable /etc/apf/firewall 0750
> apf.noarch: E: non-readable /etc/apf/glob_allow.rules 0640
> apf.noarch: E: non-readable /etc/apf/glob_deny.rules 0640
> apf.noarch: E: non-readable /etc/apf/internals/compat.0.9.5 0640
> apf.noarch: E: non-readable /etc/apf/internals/cports.common 0640
> apf.noarch: E: non-readable /etc/apf/internals/functions.apf 0640
> apf.noarch: E: non-readable /etc/apf/internals/icmp.types 0640
> apf.noarch: E: non-readable /etc/apf/internals/internals.conf 0640
> apf.noarch: E: non-readable /etc/apf/internals/multicast.networks 0640
> apf.noarch: E: non-readable /etc/apf/internals/private.networks 0640
> apf.noarch: E: non-readable /etc/apf/internals/rab.ports 0640
> apf.noarch: E: non-readable /etc/apf/internals/reserved.networks 0640
> apf.noarch: E: non-readable /etc/apf/log.rules 0640
> apf.noarch: E: non-readable /etc/apf/main.rules 0640
> apf.noarch: E: non-readable /etc/apf/postroute.rules 0640
> apf.noarch: E: non-readable /etc/apf/preroute.rules 0640
> apf.noarch: E: non-readable /etc/apf/sdrop_hosts.rules 0640
> apf.noarch: E: non-readable /etc/apf/sysctl.rules 0640
> apf.noarch: E: non-readable /etc/apf/VERSION 0640
> apf.noarch: E: non-readable /etc/apf/vnet/main.vnet 0640
> apf.noarch: E: non-readable /etc/apf/vnet/vnetgen 0750
> apf.noarch: E: non-readable /etc/apf/vnet/vnetgen.def 0640
> apf.noarch: E: non-standard-dir-perm /etc/apf 0750

These are intentional so everyone on the system can't read the firewall rules. 

> apf.noarch: E: non-standard-executable-perm /etc/apf/apf 0750
> apf.noarch: E: non-standard-executable-perm /etc/apf/extras/dshield/install 0750
> apf.noarch: E: non-standard-executable-perm /etc/apf/extras/get_ports 0750
> apf.noarch: E: non-standard-executable-perm /etc/apf/firewall 0750
> apf.noarch: E: non-standard-executable-perm /etc/apf/vnet/vnetgen 0750
> apf.noarch: W: hidden-file-or-dir /etc/apf/extras/.ca.def
> apf.noarch: W: non-conffile-in-etc /etc/apf/extras/dshield/cron.ds
> apf.noarch: W: non-conffile-in-etc /etc/apf/extras/dshield/dshield-3.2.tar.gz
> apf.noarch: W: non-conffile-in-etc /etc/apf/extras/dshield/README
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/compat.0.9.5
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/cports.common
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/functions.apf
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/icmp.types
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/internals.conf
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/multicast.networks
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/private.networks
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/rab.ports
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/reserved.networks
> apf.noarch: W: non-conffile-in-etc /etc/apf/VERSION
> apf.noarch: W: non-conffile-in-etc /etc/apf/vnet/main.vnet
> apf.noarch: W: non-conffile-in-etc /etc/apf/vnet/vnetgen.def

See the comment about how how it stores everything in /etc/apf.

> apf.noarch: E: subsys-not-used /etc/init.d/apf

This is the way it is written. It doesn't have a daemon or PID so I can't create a lockfile for it. When you start or restart the service it runs its collection of shell scripts to create all the rules for iptables based on your config file, then exits while iptables continues to run.

> apf.noarch: E: zero-length /etc/apf/ds_hosts.rules
> apf.noarch: E: zero-length /etc/apf/ecnshame_hosts.rules
> apf.noarch: E: zero-length /etc/apf/sdrop_hosts.rules

Theses files do get used by APF.

> apf.noarch: W: non-conffile-in-etc /etc/logrotate.d/apf

I'm not sure why this is being marked.

> 2. I'd take out the BuildArch: noarch tag.

If I do this, rpmlint complains that it has no binary

> 3. add the %{?dist} tag to release.

Done.

> 4. Please don't chkconfig a service on by default: chkconfig --level 345 apf on

Fixed.

> 5. instead of defining basedir:

Fixed.

> 6. You can take out these two lines:

Fixed.

Spec URL: http://mmckinst.nexcess.net/apf/apf.spec
SRPM URL: http://mmckinst.nexcess.net/apf/apf-9.7.1-3.fc12.src.rpm
Comment 7 Nick Bebout 2010-07-25 15:58:00 EDT
[nb@newharmony01 SPECS]$ rpmlint apf.spec 
apf.spec:16: W: mixed-use-of-spaces-and-tabs (spaces: line 1, tab: line 16)
apf.spec: W: invalid-url Source0: apf-current.tar.gz
0 packages and 1 specfiles checked; 0 errors, 2 warnings.

[nb@newharmony01 SRPMS]$ rpmlint apf-9.7.1-3.fc12.src.rpm 
apf.src: W: spelling-error %description -l en_US iptables -> potables, portables, timetables
apf.src: W: spelling-error %description -l en_US netfilter -> net filter, net-filter, refilter
apf.src:16: W: mixed-use-of-spaces-and-tabs (spaces: line 1, tab: line 16)
apf.src: W: invalid-url Source0: apf-current.tar.gz
1 packages and 0 specfiles checked; 0 errors, 4 warnings.

[nb@newharmony01 noarch]$ rpmlint apf-9.7.1-3.fc13.noarch.rpm 
apf.noarch: W: spelling-error %description -l en_US netfilter -> net filter, net-filter, refilter
apf.noarch: E: non-readable /etc/apf/allow_hosts.rules 0640L
apf.noarch: E: non-readable /etc/apf/internals/multicast.networks 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/internals/multicast.networks
apf.noarch: E: non-readable /etc/apf/apf 0750L
apf.noarch: E: non-standard-executable-perm /etc/apf/apf 0750L
apf.noarch: E: non-readable /etc/apf/internals/private.networks 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/internals/private.networks
apf.noarch: E: non-readable /etc/apf/VERSION 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/VERSION
apf.noarch: E: non-readable /etc/apf/extras/dshield/README 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/extras/dshield/README
apf.noarch: E: non-readable /etc/apf/log.rules 0640L
apf.noarch: E: non-readable /etc/apf/bt.rules 0640L
apf.noarch: E: non-readable /etc/apf/internals/reserved.networks 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/internals/reserved.networks
apf.noarch: E: non-readable /etc/apf/extras/dshield/install 0750L
apf.noarch: E: non-standard-executable-perm /etc/apf/extras/dshield/install 0750L
apf.noarch: E: non-readable /etc/apf/firewall 0750L
apf.noarch: E: non-standard-executable-perm /etc/apf/firewall 0750L
apf.noarch: W: non-conffile-in-etc /etc/logrotate.d/apf
apf.noarch: E: non-readable /etc/apf/conf.apf 0640L
apf.noarch: E: non-executable-script /etc/apf/conf.apf 0640L /bin/bash
apf.noarch: E: non-readable /etc/apf/vnet/vnetgen.def 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/vnet/vnetgen.def
apf.noarch: E: non-readable /etc/apf/deny_hosts.rules 0640L
apf.noarch: E: non-standard-dir-perm /etc/apf 0750L
apf.noarch: E: non-readable /etc/apf/ecnshame_hosts.rules 0640L
apf.noarch: E: zero-length /etc/apf/ecnshame_hosts.rules
apf.noarch: W: hidden-file-or-dir /etc/apf/extras/.ca.def
apf.noarch: E: script-without-shebang /etc/apf/extras/.ca.def
apf.noarch: E: non-readable /etc/apf/glob_deny.rules 0640L
apf.noarch: E: non-readable /etc/apf/ds_hosts.rules 0640L
apf.noarch: E: zero-length /etc/apf/ds_hosts.rules
apf.noarch: E: non-readable /etc/apf/extras/get_ports 0750L
apf.noarch: E: non-standard-executable-perm /etc/apf/extras/get_ports 0750L
apf.noarch: E: non-readable /etc/apf/internals/cports.common 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/internals/cports.common
apf.noarch: E: non-readable /etc/apf/glob_allow.rules 0640L
apf.noarch: E: non-readable /etc/apf/main.rules 0640L
apf.noarch: E: non-readable /etc/apf/postroute.rules 0640L
apf.noarch: E: non-readable /etc/apf/extras/dshield/cron.ds 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/extras/dshield/cron.ds
apf.noarch: E: non-executable-script /etc/apf/extras/dshield/cron.ds 0640L /bin/bash
apf.noarch: E: non-readable /etc/apf/sdrop_hosts.rules 0640L
apf.noarch: E: zero-length /etc/apf/sdrop_hosts.rules
apf.noarch: E: non-readable /etc/apf/vnet/vnetgen 0750L
apf.noarch: E: non-standard-executable-perm /etc/apf/vnet/vnetgen 0750L
apf.noarch: E: script-without-shebang /etc/apf/vnet/vnetgen
apf.noarch: E: non-readable /etc/apf/internals/compat.0.9.5 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/internals/compat.0.9.5
apf.noarch: E: non-readable /etc/apf/internals/internals.conf 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/internals/internals.conf
apf.noarch: E: non-readable /etc/apf/sysctl.rules 0640L
apf.noarch: E: non-readable /etc/apf/extras/dshield/dshield-3.2.tar.gz 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/extras/dshield/dshield-3.2.tar.gz
apf.noarch: E: non-readable /etc/apf/internals/icmp.types 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/internals/icmp.types
apf.noarch: E: non-readable /etc/apf/internals/functions.apf 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/internals/functions.apf
apf.noarch: E: non-executable-script /etc/apf/internals/functions.apf 0640L /bin/bash
apf.noarch: E: non-readable /etc/apf/vnet/main.vnet 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/vnet/main.vnet
apf.noarch: E: non-readable /etc/apf/preroute.rules 0640L
apf.noarch: E: non-readable /etc/apf/internals/rab.ports 0640L
apf.noarch: W: non-conffile-in-etc /etc/apf/internals/rab.ports
apf.noarch: W: no-manual-page-for-binary apf
apf.noarch: W: no-manual-page-for-binary fwmgr
apf.noarch: E: subsys-not-used /etc/init.d/apf
1 packages and 0 specfiles checked; 49 errors, 20 warnings.

More to come.
Comment 8 Nick Bebout 2010-07-25 15:59:50 EDT
I don't believe most of those errors actually have to be fixed, but I'm researching this more
Comment 9 Martin Gieseking 2010-10-05 03:37:11 EDT
I've sponsored Mark, hence removing FE-NEEDSPONSOR.
Comment 10 Jason Tibbitts 2010-11-23 13:15:45 EST
I asked Nick on IRC and he indicated that he'd try to get back to this ticket.
Comment 11 Jason Tibbitts 2011-01-08 13:53:06 EST
Doesn't look like that ever happened.

Before I agitate some more, I should ask if Mark is still interested in submitting this package.

Just to make a useful comment, I'd say that several of those rpmlint complaints bear closer inspection.  The whole "put a pile of stuff under /etc/apf" doesn't seem very clean at all.  I know the (non systemd) init system puts executables there, and there's the whole /etc/sysconfig/network-scripts mess, but that doesn't mean that new packages should come along and drop a bunch of executables in /etc.  And documentation really doesn't seem to belong in there at all.
Comment 12 Mark McKinstry 2011-01-17 20:35:25 EST
(In reply to comment #11)
> Doesn't look like that ever happened.
> 
> Before I agitate some more, I should ask if Mark is still interested in
> submitting this package.

I really don't have the time. The author has an unusual way of packaging his
stuff which doesn't fit well with Fedora. While its possible to change it around
and reduce the rpmlint complaints, I don't have the time necessary to do so.

> Just to make a useful comment, I'd say that several of those rpmlint complaints
> bear closer inspection.  The whole "put a pile of stuff under /etc/apf" doesn't
> seem very clean at all.  I know the (non systemd) init system puts executables
> there, and there's the whole /etc/sysconfig/network-scripts mess, but that
> doesn't mean that new packages should come along and drop a bunch of
> executables in /etc.  And documentation really doesn't seem to belong in there
> at all.

If anyone wants to pick this up, internals/internals.conf is where you'd have to
change some stuff but some custom patching will probably still be required. I'm
working on another of his packages that has another unusual layout, its
possible to make it fit in Fedora but its not easy.
Comment 13 Jason Tibbitts 2011-01-19 15:48:12 EST
No problem, I'll close this out.

Note You need to log in before you can comment on or make changes to this bug.