View previous topic :: View next topic |
Author |
Message |
elover Apprentice
Joined: 20 Nov 2019 Posts: 159 Location: Spain
|
Posted: Sat Feb 20, 2021 11:28 am Post subject: New firewall module in kde |
|
|
Hi, I am using ufw as a firewall. But activating it plasma shows me the error that it does not find the active service. From the error message it is org.freedesktop.systemd1, but I don't use systemd as init. |
|
Back to top |
|
|
asturm Developer
Joined: 05 Apr 2007 Posts: 8938
|
Posted: Sat Feb 20, 2021 11:36 am Post subject: |
|
|
Looks like the only way that KCM is currently using to check if service is running is systemctl from systemd. |
|
Back to top |
|
|
elover Apprentice
Joined: 20 Nov 2019 Posts: 159 Location: Spain
|
Posted: Sat Feb 20, 2021 5:37 pm Post subject: |
|
|
It's getting very invasive sytemd already. Too bad for the community.
Thanks for the help |
|
Back to top |
|
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2038 Location: United Kingdom
|
Posted: Sat Feb 20, 2021 6:10 pm Post subject: |
|
|
Presumably the systemd-specific code (see below) could be patched for OpenRC?
https://invent.kde.org/plasma/plasma-firewall/-/blob/master/kcm/backends/ufw/ufwclient.cpp
Code: | bool UfwClient::isCurrentlyLoaded() const
{
QProcess process;
const QString name = "systemctl";
const QStringList args = {"status", "ufw"};
process.start(name, args);
process.waitForFinished();
// systemctl returns 0 for status if the app is loaded, and 3 otherwise.
qDebug() << "Ufw is loaded?" << (process.exitCode() == EXIT_SUCCESS);
return process.exitCode() == EXIT_SUCCESS;
} |
Could the above snippet from ufwclient.cpp be replaced with something along the following lines:?
Code: | bool UfwClient::isCurrentlyLoaded() const
{
QProcess process;
const QString name = "rc-service";
const QStringList args = {"--exists", "ufw"};
process.start(name, args);
process.waitForFinished();
// "rc-service --exists" returns 0 for status if the app is loaded, and -1 otherwise.
qDebug() << "Ufw is loaded?" << (process.exitCode() == EXIT_SUCCESS);
return process.exitCode() == EXIT_SUCCESS;
} |
_________________ Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC systemd-utils[udev] elogind KDE on both.
My blog |
|
Back to top |
|
|
asturm Developer
Joined: 05 Apr 2007 Posts: 8938
|
Posted: Sat Feb 20, 2021 6:16 pm Post subject: |
|
|
Yes, but:
Code: | $ grep -Rli systemd
kcm/backends/firewalld/CMakeLists.txt
kcm/backends/firewalld/systemdjob.h
kcm/backends/firewalld/systemdjob.cpp
kcm/backends/firewalld/firewalldclient.cpp
kcm/backends/ufw/helper/helper.cpp |
So realistically, ufw backend could be patched with reasonable effort - in ufw/helper/helper.cpp there is some system log fetching (and maybe parsing) going on. |
|
Back to top |
|
|
thumper Guru
Joined: 06 Dec 2002 Posts: 552 Location: Venice FL
|
Posted: Sat Mar 06, 2021 11:37 pm Post subject: |
|
|
Is this issue being addressed by the anyone or are we on our own to fix or ignore?
George |
|
Back to top |
|
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2038 Location: United Kingdom
|
Posted: Sun Mar 07, 2021 9:10 pm Post subject: |
|
|
thumper,
I suspect users who do not have systemd installed are on their own as far as plasma-firewall is concerned.
Anyway, it should be straightforward to create a patch for ufwclient.cpp (see my previous post). The other file in plasma-firewall that relates to UFW and requires systemd is helper.cpp:
https://invent.kde.org/plasma/plasma-firewall/-/blob/master/kcm/backends/ufw/helper/helper.cpp
I think the following function in helper.cpp is the only part of the file that would need patching:
Code: | QStringList getLogFromSystemd(const QString &lastLine)
{
QString program = "journalctl";
QStringList arguments {"-xb","-n", "100","-g", "UFW"};
QProcess myProcess;
myProcess.start(program, arguments);
myProcess.waitForFinished();
auto resultString = QString(myProcess.readAllStandardOutput());
auto resultList = resultString.split("\n");
// Example Line from Systemd:
// Dec 06 17:42:45 tomatoland kernel: [UFW BLOCK] IN=wlan0 OUT= MAC= SRC=192.168.50.181 DST=224.0.0.252 LEN=56 TOS=0x00
// PREC=0x00 TTL=255 ID=52151 PROTO=UDP SPT=5355 DPT=5355 LEN=36
// We need to remove everything up to the space after ']'.
QStringList result;
for(const QString& line : resultList) {
if (!lastLine.isEmpty() && line == lastLine) {
result.clear();
continue;
}
result.append(line);
}
return result;
} |
No single program for parsing syslog-ng logfiles corresponds to 'journalctl -xb -n 100 -g UFW', but a hack would possibly be to create a bash script and create a second patch to change the function's code in helper.cpp to something like the following:
Code: | QStringList getLogFromSystemd(const QString &lastLine)
{
QString program = "print_ufw_messages";
QStringList arguments {"UFW", "100"};
QProcess myProcess;
myProcess.start(program, arguments);
myProcess.waitForFinished();
auto resultString = QString(myProcess.readAllStandardOutput());
auto resultList = resultString.split("\n");
// Example line from /var/log/messages populated by sylog-ng:
// Mar 6 00:10:19 localhost kernel: [UFW BLOCK] IN=wlan0 OUT= MAC=00:12:5b:8a:83:6d:b7:2a:da:59:d4:10:09:00 SRC=192.168.1.27
// DST=192.168.1.139 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=41659 DF PROTO=TCP SPT=445 DPT=52140 WINDOW=260 RES=0x00 ACK URGP=0
// We need to remove everything up to the space after ']'.
QStringList result;
for(const QString& line : resultList) {
if (!lastLine.isEmpty() && line == lastLine) {
result.clear();
continue;
}
result.append(line);
}
return result;
} |
where the program print_ufw_messages is a user-created Bash script /usr/bin/print_ufw_messages (-rwxr-xr-x root.root) containing:
Code: | #!/bin/bash
awk '{if (/localhost syslog-ng/ && /syslog-ng starting up/ && !/COMMAND/) {chunk=""} else {chunk=chunk $0 RS}} END {printf "%s", chunk}' /var/log/messages | grep "$1" | head -n "$2" | grep -v print_ufw_messages |
I don't use firewalld, and have not bothered looking at the plasma-firewall source code to handle firewalld.
I have not created and tested the proposed patches for ufwclient.cpp and helper.cpp so I am not sure if the resulting binary would actually work for UFW.
EDIT1: Added ' | grep -v print_ufw_messages' to command in Bash script.
EDIT2: Fixed the awk command, as it was not finding the last bootup. _________________ Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC systemd-utils[udev] elogind KDE on both.
My blog
Last edited by Fitzcarraldo on Mon Mar 08, 2021 5:59 pm; edited 2 times in total |
|
Back to top |
|
|
Goverp Advocate
Joined: 07 Mar 2007 Posts: 2014
|
Posted: Mon Mar 08, 2021 8:59 am Post subject: |
|
|
Or someone could revive kcm-ufw, which died with one of the KDE version changes. _________________ Greybeard |
|
Back to top |
|
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2038 Location: United Kingdom
|
Posted: Mon Mar 08, 2021 10:28 am Post subject: |
|
|
Hopefully the steps to create a patch for both files (for UFW only, not firewalld), apply the patch and re-merge plasma-firewall would be as follows:
Code: | # wget https://invent.kde.org/plasma/plasma-firewall/-/archive/master/plasma-firewall-master.tar.gz
# tar -xzf plasma-firewall-master.tar.gz
# cp -pr plasma-firewall-master a
# cp -pr plasma-firewall-master b
# nano b/kcm/backends/ufw/ufwclient.cpp # Apply changes shown in my first post.
# nano b/kcm/backends/ufw/helper/helper.cpp # Apply changes shown in my second post.
# nano b/kcm/backends/ufw/ufwlogmodel.cpp # Apply changes shown in this third post.
# diff -ruN a b > plasma-firewall-5.21.2-ufw.patch
# nano /usr/bin/print_ufw_messages # Create Bash script shown in my second post.
# chmod +x /usr/bin/print_ufw_messages
# mkdir -p /etc/portage/patches/kde-plasma/plasma-firewall-5.21.2
# cp plasma-firewall-5.21.2-ufw.patch /etc/portage/patches/kde-plasma/plasma-firewall-5.21.2/
# emerge -1v plasma-firewall |
I have not tried the above myself yet, but will do so when I get the time, just out of curiosity.
EDIT1: I have found a bug in the plasma-firewall source code file ufwlogmodel.cpp:
https://invent.kde.org/plasma/plasma-firewall/-/blob/master/kcm/backends/ufw/ufwlogmodel.cpp
Line 37 is currently:
Code: | for (const QString& key : {"IN", "SRC", "DST", "PROTO", "STP", "DPT"}) { |
but it should be:
Code: | for (const QString& key : {"IN", "SRC", "DST", "PROTO", "SPT", "DPT"}) { |
i.e. "STP" needs to be changed to "SPT".
Therefore I have added a step to the procedure above.
EDIT2: I am not sure if this makes a difference to plasma-firewall (which is coded assuming systemd is installed), but the default date format for messages in /var/log/messages printed by syslog-ng only has one digit in the day of the month when it is less than the 10th day of the month. For example:
Code: | Mar 9 03:09:39 clevow230ss syslog-ng[23735]: syslog-ng starting up; version='3.30.1' |
However, systemd-journalctl always outputs two-digit days of the month, and I think (but am not certain) the following date format might be needed in order for the existing code in plasma-firewall/kcm/backends/ufw/ufwlogmodel.cpp to parse the syslog-ng output correctly:
Code: | Mar 09 03:09:39 clevow230ss syslog-ng[23735]: syslog-ng starting up; version='3.30.1' |
Therefore I edited /etc/syslog-ng/syslog-ng.conf and added a template:
Code: | template template_date_format {
template("${MONTH_ABBREV} ${DAY} ${HOUR}:${MIN}:${SEC} ${HOST} ${MSGHDR}${MSG}\n");
template_escape(no);
}; |
and changed the line:
Code: | destination messages { file("/var/log/messages"); }; |
to:
Code: | destination messages { file("/var/log/messages" template(template_date_format)); }; |
Then I restarted syslog-ng:
Code: | $ sudo rc-service syslog-ng restart
* Stopping syslog-ng ... [ ok ]
* Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ... [ ok ]
* Starting syslog-ng ... [ ok ] |
From now on the day of the month is always two digits: 01, 02,...31. _________________ Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC systemd-utils[udev] elogind KDE on both.
My blog |
|
Back to top |
|
|
thumper Guru
Joined: 06 Dec 2002 Posts: 552 Location: Venice FL
|
Posted: Sun Jun 04, 2023 1:37 am Post subject: |
|
|
Fitzcarraldo,
Thank you for the files to patch information, the current version has some changes that a cut and paste would have broken something, so I edited in the changes and here is a patch if it is of value, it patches fine.
I'm still working on the logs display, I use rsyslog at the moment, I have the output almost identical, but thats another issue
George
Code: | # cat plasma-firewall-5.27.5-ufw.patch
diff -ruN a/kcm/backends/ufw/helper/helper.cpp b/kcm/backends/ufw/helper/helper.cpp
--- a/kcm/backends/ufw/helper/helper.cpp 2023-05-09 07:38:12.000000000 -0400
+++ b/kcm/backends/ufw/helper/helper.cpp 2023-05-30 21:25:04.313272769 -0400
@@ -79,7 +79,7 @@
QStringList getLogFromSystemd(const QString &lastLine)
{
- QString program = QStringLiteral("journalctl");
+ QString program = QStringLiteral("print_ufw_messages");
QStringList arguments{"-xb", "-n", "100", "-g", "UFW"};
QProcess myProcess;
diff -ruN a/kcm/backends/ufw/ufwclient.cpp b/kcm/backends/ufw/ufwclient.cpp
--- a/kcm/backends/ufw/ufwclient.cpp 2023-05-09 07:38:12.000000000 -0400
+++ b/kcm/backends/ufw/ufwclient.cpp 2023-05-30 21:22:01.850795627 -0400
@@ -668,13 +668,13 @@
bool UfwClient::isCurrentlyLoaded() const
{
QProcess process;
- const QString pname = "systemctl";
- const QStringList args = {"status", "ufw"};
+ const QString pname = "rc-service";
+ const QStringList args = {"--exists", "ufw"};
process.start(pname, args);
process.waitForFinished();
- // systemctl returns 0 for status if the app is loaded, and 3 otherwise.
+ // rc-service --exists" returns 0 if the app is loaded, and -1 otherwise.
qCDebug(UFWClientDebug) << "Ufw is loaded?" << (process.exitCode() == EXIT_SUCCESS);
return process.exitCode() == EXIT_SUCCESS;
diff -ruN a/kcm/backends/ufw/ufwlogmodel.cpp b/kcm/backends/ufw/ufwlogmodel.cpp
--- a/kcm/backends/ufw/ufwlogmodel.cpp 2023-05-09 07:38:12.000000000 -0400
+++ b/kcm/backends/ufw/ufwlogmodel.cpp 2023-05-30 22:09:53.698776529 -0400
@@ -37,7 +37,7 @@
splited.erase(std::begin(splited), std::begin(splited) + 7);
for (const QString &element : qAsConst(splited)) {
for (const QString &key :
- {QStringLiteral("IN"), QStringLiteral("SRC"), QStringLiteral("DST"), QStringLiteral("PROTO"), QStringLiteral("STP"), QStringLiteral("DPT")}) {
+ {QStringLiteral("IN"), QStringLiteral("SRC"), QStringLiteral("DST"), QStringLiteral("PROTO"), QStringLiteral("SPT"), QStringLiteral("DPT")}) {
if (element.startsWith(key)) {
results[key] = element.mid(element.indexOf('=') + 1);
} |
|
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|