I recently had cause to configure 802.1Q VLAN support on a system using the
rc.firewall script, and encountered what I believe to be a bug…

When using 802.1Q VLAN support you end up with a number of virtual
interfaces that may be configured with different addresses etc. Each
interface name consists of the original interface’s name, a period ‘.’
and then a number (starting from 1). So, for example, configuring a virtual
interface on eth0 will result in two interfaces, “eth0” and
“eth0.1”, being present on the system.

I think that there is a bug in the code that attempts to “Obtain list of
external interfaces.” On a system configured with VLAN interfaces
$INTERFACE, which contains the name of each interface in the system on a
separate line, will for example contain:-

    eth0
    eth0.1

If the firewall configuration involves having eth0 as one of the internal
interfaces, i.e. $INTERNAL_INTERFACES contains “eth0”, then the
lines:-

    for INTERFACE in $INTERNAL_INTERFACES; do
        EXTERNAL_INTERFACES=`echo "$EXTERNAL_INTERFACES" | sed s/^$INTERFACE//`
    done

which I believe are attempting to remove any interfaces present in the
$INTERNAL_INTERFACES variable (a list of interfaces to be configured as
internal) from the $EXTERNAL_INTERFACES variable will result in the
$EXTERNAL_INTERFACES variable containing “.1”. This is because the sed
command is matching all occurrences of “eth0” at the beginning of a
line and removing them.

I found that adding a ‘$’ to the end of the sed regular expression
(which asks sed to match the search string at the end of the line, in
addition to the ‘^’ which requests sed to match the search string from
the beginning of the line) results in the desired behaviour.

Please see attached “vlan.patch” which implements this change (along
with a typo fix in the help I noticed).
Nobody/Anonymous ( nobody ) - 2006-12-23 18:49
1
Deleted
Fixed
Nobody/Anonymous
None
None
Private
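
The behaviour described in this report, as an added example (not code from rc.firewall or from vlan.patch). The function names and sample interface lists are constructed for illustration. `remove_exact` goes beyond the report: it is an assumed alternative using `grep -Fx`, which also avoids the `.` in a VLAN name such as `eth0.1` being read as a regex wildcard.

```shell
#!/bin/sh
# Constructed sample: one interface name per line, as the report describes.
ALL_INTERFACES='eth0
eth0.1
eth1'

# Behaviour of the quoted loop: the pattern is anchored only at the start
# of the line, so "eth0" is also stripped from the front of "eth0.1".
remove_prefix() {    # $1 = interface list, $2 = internal interfaces
    list=$1
    for iface in $2; do
        list=$(echo "$list" | sed "s/^$iface//")
    done
    echo $list       # unquoted on purpose: the list is consumed word by word
}

# The reporter's change: '$' added so that only a whole line can match.
remove_anchored() {
    list=$1
    for iface in $2; do
        list=$(echo "$list" | sed "s/^$iface\$//")
    done
    echo $list
}

# Assumed alternative: fixed-string, whole-line match. No character in the
# interface name is interpreted as a regular expression.
remove_exact() {
    list=$1
    for iface in $2; do
        list=$(echo "$list" | grep -Fxv -- "$iface" || true)
    done
    echo $list
}

# Constructed list where the '.' in "eth0.1" also matches another name.
MIXED='eth0.1
eth011
eth1'

echo "prefix:   $(remove_prefix "$ALL_INTERFACES" eth0)"
echo "anchored: $(remove_anchored "$ALL_INTERFACES" eth0)"
echo "exact:    $(remove_exact "$ALL_INTERFACES" eth0)"
echo "anchored, internal=eth0.1: $(remove_anchored "$MIXED" eth0.1)"
echo "exact,    internal=eth0.1: $(remove_exact "$MIXED" eth0.1)"
```

A stray `.1` entry is not a usable interface name, so a list that still contains it means the VLAN interface never made it into the external interface list at all.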
| Field | Old Value | Date | By |
|---|---|---|---|
| status_id | Closed | 2007-01-03 18:15 | wand |
| close_date | 2006-12-30 07:15 | 2007-01-03 18:15 | wand |
| is_private | 0 | 2007-01-03 18:15 | wand |
| priority | 5 | 2007-01-03 18:15 | wand |
| resolution_id | None | 2007-01-03 18:15 | wand |
| File Deleted | 209033: | 2007-01-02 19:01 | wand |
| close_date | - | 2006-12-30 07:15 | wand |
| status_id | Open | 2006-12-30 07:15 | wand |
| File Added | 209033: vlan.patch | 2006-12-30 07:09 | wand |
| File Deleted | 208361: | 2006-12-30 07:08 | wand |
| File Added | 208361: vlan.patch | 2006-12-23 18:49 | nobody |