tag 551950 +patch,upstream,fixed-upstream
thanks
Tom Eastep wrote:
> Vincent Danjean wrote:
>
>> I let the initial bug report to Debian below (it can also be seen at
>> http://bugs.debian.org/551950 ). It explains that I think that
>> detect_configuration() is never called.
>
> Attached is an updated copy of /usr/share/shorewall/Perl/prog.footer6
> that should correct that problem.
Thanks. After diffing the file and the one on my system, I only took the
lines with detect_configuration (your file also deletes all the function
definitions that you moved to prog.header6 according to your git history).
I put the patch I applied in attachment for the Debian bug.
This solves this bug (but I'm stopped by the next one, see below).
>> PPS: you might want to know that the iproute bug #551937
>> (http://bugs.debian.org/551937) also prevents Multi IPv6 ISP from working.
>> And http://lists.debian.org/debian-devel/2009/10/msg00472.html shows yet
>> another problem (but I do not know yet if the latter is a shorewall6 bug
>> or another package bug)
For the last bug, looking at ifupdown sources, it seems that the bug (adding
via ::) comes from either the 'ip' command or the kernel. Or this is not a bug
and shorewall6 should take care of this syntax.
You can try on any host:
eyak:~# ip -6 route ls dev tun6to4
Cannot find device "tun6to4"
eyak:~# ip tunnel add tun6to4 mode sit remote 192.88.99.1 local 192.168.0.1
eyak:~# ip -6 route ls dev tun6to4
eyak:~# ip link set tun6to4 up
eyak:~# ip -6 route ls dev tun6to4
fe80::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~# ip addr add 2002:0101:0101::1/64 dev tun6to4
eyak:~# ip -6 route ls dev tun6to4
2002:101:101::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~#
You can see that all routes added by ip due to other commands (i.e. not "ip
route") lead to a route with "via ::". I'm under the impression that these
routes are added automatically by the kernel, not by the ip utility itself.
So, I do not know how you want to deal with this (and I do not know IPv6 in
Linux enough to know the right answer here). A workaround is to add something
like "|sed 's/ via :: / /'" when you get the routes. But I do not know if all
"via ::" can really be suppressed in routes.
Regards,
Vincent
> Thanks,
> -Tom
Some more tests to see the difference between routes automatically added and
routes manually added (I'm not able to interpret the results I get, I just see
the differences):
eyak:~# cat /proc/net/ipv6_route | grep tun6to4
20020101010100000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00200001 tun6to4
fe800000000000000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00200001 tun6to4
ff000000000000000000000000000000 08 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00000001 tun6to4
eyak:~# ip -6 route ls dev tun6to4
2002:101:101::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~# ip -6 route del 2002:101:101::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~# ip -6 route add 2002:101:101::/64 via :: dev tun6to4 proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
RTNETLINK answers: Invalid argument
eyak:~# ip -6 route add 2002:101:101::/64 dev tun6to4 proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~# cat /proc/net/ipv6_route | grep tun6to4
20020101010100000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00000001 tun6to4
fe800000000000000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00200001 tun6to4
ff000000000000000000000000000000 08 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00000001 tun6to4
eyak:~# ip -6 route add 2002:101:101::/64 dev tun6to4 via 2002:101:101::3 proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~# cat /proc/net/ipv6_route | grep tun6to4
20020101010100000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000001 00000001 tun6to4
20020101010100000000000000000000 40 00000000000000000000000000000000 00 20020101010100000000000000000003 00000100 00000000 00000000 00000003 tun6to4
fe800000000000000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00200001 tun6to4
ff000000000000000000000000000000 08 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00000001 tun6to4
eyak:~#
--
Vincent Danjean GPG key ID 0x9D025E87 [email protected]
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://perso.debian.org/~vdanjean/debian unstable main
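
An added example, not part of the original message and not Shorewall code: it decodes the last-but-one (flags) column of the /proc/net/ipv6_route lines shown above and strips a gateway from "ip -6 route" output only when it is the unspecified address. The flag values are those defined in the Linux headers linux/route.h and linux/ipv6_route.h; the helper names are hypothetical and the sample lines are the thread's own output, unwrapped.

```shell
#!/bin/sh
# Added example: decode /proc/net/ipv6_route flags and clean "via ::" routes.
# Flag values as defined in linux/route.h and linux/ipv6_route.h.
RTF_GATEWAY=$((0x0002))        # route goes through a next-hop router
RTF_NONEXTHOP=$((0x00200000))  # route with no next hop

# Sample lines, unwrapped from the output quoted in this message.
SAMPLE_PROC='20020101010100000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00200001 tun6to4
20020101010100000000000000000000 40 00000000000000000000000000000000 00 20020101010100000000000000000003 00000100 00000000 00000000 00000003 tun6to4
ff000000000000000000000000000000 08 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00000001 tun6to4'

# classify_ipv6_routes (hypothetical helper): read ipv6_route lines on stdin,
# print "<dest-hex>/<prefixlen> <dev> <class>" for each route.
classify_ipv6_routes() {
    while read -r dst plen src splen nexthop metric refcnt use flags dev; do
        [ -n "$dev" ] || continue                 # skip blank or short lines
        f=$((0x$flags))
        if [ $((f & RTF_GATEWAY)) -ne 0 ]; then
            class="gateway=$nexthop"
        elif [ $((f & RTF_NONEXTHOP)) -ne 0 ]; then
            class="nonexthop"     # flag set on the routes shown as "via ::" above
        else
            class="direct"
        fi
        printf '%s/%d %s %s\n' "$dst" "$((0x$plen))" "$dev" "$class"
    done
}

# strip_unspecified_gateway (hypothetical helper): remove "via ::" only when
# the gateway is exactly the unspecified address, mid-line or at end of line.
# A real gateway such as "via ::1" or "via 2002:101:101::3" is left alone.
strip_unspecified_gateway() {
    sed -e 's/ via :: / /' -e 's/ via ::$//'
}

# Demo on the embedded sample and on two route lines in "ip -6 route" format.
printf '%s\n' "$SAMPLE_PROC" | classify_ipv6_routes
printf '%s\n' 'fe80::/64 via :: proto kernel metric 256 mtu 1480' \
    '2002:101:101::/64 via 2002:101:101::3 metric 256' | strip_unspecified_gateway
```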
--- prog.footer6 2009-10-19 15:05:16.000000000 +0200
+++ /tmp/prog.footer6 2009-10-23 21:04:08.000000000 +0200
@@ -328,6 +90,7 @@
status=0
else
progress_message3 "Starting $PRODUCT...."
+ detect_configuration
define_firewall
status=$?
[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
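Review bot: the hunk header "@@ -328,6 +90,7 @@" places the new-side start 238 lines before the old-side start although the visible patch only adds lines, and the later headers show the same gap. The headers were evidently kept from a larger diff in which function definitions were removed; regenerating the diff from the two files actually compared would give consistent positions and make the patch easier to check against the shipped prog.footer6.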
@@ -337,6 +100,7 @@
stop)
[ $# -ne 1 ] && usage 2
progress_message3 "Stopping $PRODUCT...."
+ detect_configuration
stop_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
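Review bot: in the stop) branch the new detect_configuration call runs before stop_firewall and status is then set to 0 unconditionally, so a failure of the detection step is never reported to the caller. Please confirm that detect_configuration cannot abort the script on this path (which would leave the firewall running), and add a comment naming the detected settings that stop_firewall relies on.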
@@ -379,6 +143,7 @@
progress_message3 "Starting $PRODUCT...."
fi
+ detect_configuration
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
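Review bot: "status=$?" after define_firewall records only define_firewall's result, so the return value of the detect_configuration line added just above it is discarded. If detection can fail, writing the pair as "detect_configuration && define_firewall" lets the existing status check cover both; otherwise a comment that it always returns 0 would help.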
@@ -390,6 +155,7 @@
[ $# -ne 1 ] && usage 2
if shorewall6_is_started; then
progress_message3 "Refreshing $PRODUCT...."
+ detect_configuration
define_firewall
status=$?
progress_message3 "done."
@@ -400,6 +166,7 @@
;;
restore)
[ $# -ne 1 ] && usage 2
+ detect_configuration
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
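Review bot: the restore) branch is the fifth place where the identical detect_configuration line is inserted directly before define_firewall or stop_firewall, so a branch added later can omit it and bring the original bug back. Consider making the call once, at the top of define_firewall and stop_firewall or before the case statement, with a short comment explaining why it has to run first.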