On 04/15/2013 10:47 AM, Louis Lagendijk wrote:
> On Sat, 2013-04-13 at 07:05 -0700, Tom Eastep wrote:
>> On 4/12/13 2:22 PM, "Louis Lagendijk" <[email protected]> wrote:
>>
>>>
>>> hello Tom,
>>> After playing with shorewall-init a bit more, I have some more issues:
>>>
>>> 1) shorewall6: accept_ra does not get restored when the network is
>>> restarted. A shorewall restart fixes that. I would have expected
>>> ifup-local to perform the same settings as a shorewall restart does. Am
>>> I missing something?
>>> I have traced the problem to interface_is_usable() in the firewall script:
>>> it uses find_first_interface_address_if_any() that returns no address
>>> assigned yet as it needs a router advertisement to do so. All
>>> interfaces on my machine have that problem as I am using the wide
>>> dhcpv6 client to retrieve a prefix delegation from the modem on the
>>> interface that has accept_ra set. Would it be possible to remove
>>> the test for the interface address?
>>
>> That same code gets executed during start/restart. Look at the function
>> detect_configuration() in the generated firewall script; that gets called
>> for start/restart and for enable. So I don't believe that is the root
>> cause of your problem.
> 
> Thanks for the pointer Tom. What happens at a shorewall start (for
> firewall start) is that define_firewall gets called that sets the
> forwarding and accept_ra unconditionally. Function define_firewall() gets
> called at an "up" event ONLY when the firewall was not started before
> (from updown()). In case of an "up" event when the firewall is
> started, we then check for a non-link local address being defined (which
> is not the case) and we skip the setting of the forward and accept_ra
> proc/sys variables.... I am not sure what to suggest, but there is some
> inconsistency here that does cause forwarding and accept_ra not to be
> set in case of an "up" event (if the firewall is not started before) and
> just (re)starting the firewall.

Are you using entries in /etc/shorewall6/providers or are you just
defining these interfaces to be 'optional' in /etc/shorewall6/interfaces?

> 
> Another question that is just about consistency but does not affect
> operation: what is the reason that accept_ra is set from
> setup_common_rules() while forwarding is set from the body of
> define_firewall()? Just curious....

They are handled in different functions for historical reasons and the
two functions are called at different points in the start flow.

Regards,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
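The decision path the thread describes, as an added example that is not Shorewall's own code and does not reproduce its actual functions: on an "up" event the per-interface sysctls are applied only if the interface already has a non-link-local IPv6 address, so an interface that needs a router advertisement (or a DHCPv6 prefix delegation) to obtain one is skipped, whereas a start/restart sets them unconditionally. The function names `has_non_link_local`, `up_event_applies_sysctls` and `set_interface_sysctls` and the `ip -6 addr show` samples are constructed for this example. The value 2 for accept_ra is the Linux kernel setting that keeps accepting router advertisements on an interface with forwarding enabled; the thread does not show which value Shorewall writes, so that is an assumption.

```shell
#!/bin/sh
# Added example, not Shorewall's code: reproduce the "up" event decision the
# thread describes and contrast it with what start/restart does.
# All interface output below is constructed sample data.

# Constructed `ip -6 addr show dev eth0` output: link-local only, i.e. the
# interface is still waiting on a router advertisement (or DHCPv6-PD).
SAMPLE_LINKLOCAL_ONLY='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed output after an RA has arrived and a global address is assigned.
SAMPLE_GLOBAL='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::1/64 scope global dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

# has_non_link_local ADDRSHOW
# Succeed (0) if any inet6 address on the interface is outside fe80::/10.
# The kernel labels link-local addresses "scope link", so that field is
# checked rather than pattern-matching the fe80 prefix.
has_non_link_local() {
    printf '%s\n' "$1" | grep '^[[:space:]]*inet6 ' | grep -qv 'scope link'
}

# up_event_applies_sysctls ADDRSHOW
# The "up" path from the thread: only apply the per-interface sysctls when a
# non-link-local address already exists. Returns 0 when applied, 1 when
# skipped, and prints which branch was taken.
up_event_applies_sysctls() {
    if has_non_link_local "$1"; then
        echo "apply"
        return 0
    fi
    echo "skip"
    return 1
}

# set_interface_sysctls IFACE
# What start/restart does instead: set forwarding and accept_ra
# unconditionally. accept_ra=2 is the kernel value that keeps accepting RAs
# on a forwarding interface (assumed here; the thread does not show the exact
# value Shorewall writes). Writing needs root, so DRY_RUN=1 (the default)
# prints the writes instead of performing them.
set_interface_sysctls() {
    iface=$1
    for kv in forwarding=1 accept_ra=2; do
        key=${kv%%=*}
        val=${kv#*=}
        path="/proc/sys/net/ipv6/conf/$iface/$key"
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would write $val to $path"
        else
            echo "$val" > "$path"
        fi
    done
}

# Demonstration: the RA-dependent interface is skipped on "up", the one with
# a global address is not; a restart would set both regardless.
up_event_applies_sysctls "$SAMPLE_LINKLOCAL_ONLY" || true   # prints: skip
up_event_applies_sysctls "$SAMPLE_GLOBAL"                   # prints: apply
set_interface_sysctls eth0
```

Run with `DRY_RUN=0` as root to actually write the two sysctls; the address check is the part to feed real `ip -6 addr show dev IFACE` output into when reproducing the skip on an interface that depends on an RA for its global address.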


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
