I've decided to make a clean break as the AUTOMAKE thread was getting a
bit off-topic. These are my findings so far:

1. During boot, when the OS is bringing my loopback interface up I am
getting the following messages:

    Bringing up loopback interface: SIOCADDRT: Network is unreachable
    SIOCADDRT: Network is unreachable

This started happening since my shorewall-init installation. Looking at
the logs, there isn't anything there, which points to something being
wrong. I do have 3 separate lo:{1,2,3} "devices" though - don't know if
that is causing the ifupdown to moan. The relevant messages I am getting
are:

    2013-05-05 17:05:45+01:00 /usr/sbin/ifup-local: Executing /var/lib//shorewall/firewall -V0 up lo
    Shorewall up triggered by lo
    Shorewall attempting start
    ERROR: Can't determine the IP address of eth0: Firewall state not changed
    /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process
    ERROR: Required interface eth0 not available: Firewall state not changed
    /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process

2. During a system-triggered 'up' event, I get this:

    cp: `/var/lib/shorewall/firewall' and `/var/lib/shorewall/firewall' are the same file

3. /etc/shorewall changes are not detected by shorewall when running
together with shorewall-init. This happens when the following sequence
is executed:

   1. changing shorewall.conf (or anything in /etc/shorewall)
   2. reboot
   3. OS eth0 brought up -> ifup-local triggers and it starts shorewall by
      executing the firewall file in /var/lib/shorewall
   4. the shorewall service isn't starting as it determines that shorewall
      is already running

Maybe a solution to this would be for shorewall-init to run something
like "shorewall check-updated" to see whether anything in /etc/shorewall
has been changed and if so to execute "shorewall compile".

4. shorewall-init sysv script errors and additions - see patch attached.
I've also added a few things which I found useful.

--- a/init.fedora.sh
+++ b/init.fedora.sh
@@ -45,10 +45,9 @@
fi
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
-
- if [ ! -x $STATEDIR/firewall ]; then
- if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT compile
+ if [ ! -x "${STATEDIR}/firewall" ]; then
+ if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+ ${SBINDIR}/$PRODUCT $OPTIONS compile
fi
fi
}
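Review bot: The two added test lines switch "=" to "==" and still leave $PRODUCT unquoted, even though this hunk takes the trouble to quote "${STATEDIR}/firewall". "==" inside [ ] is a bash extension that gains nothing over "=", and an empty PRODUCT makes the test a syntax error rather than a false result. Suggest [ "$PRODUCT" = shorewall ] || [ "$PRODUCT" = shorewall6 ], which also avoids the obsolescent -o operator.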
@@ -65,23 +64,24 @@
fi
echo -n "Initializing \"Shorewall-based firewalls\": "
+ retval=0
for PRODUCT in $PRODUCTS; do
setstatedir
- if [ ! -x ${VARDIR}/firewall ]; then
- if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT compile
+ if [ ! -x "${STATEDIR}/firewall" ]; then
+ if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+ ${SBINDIR}/$PRODUCT $OPTIONS compile
fi
fi
- if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
- ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
+ if [ -x "${STATEDIR}/firewall" ]; then
+ ${STATEDIR}/firewall stop 2>&1 | $logger
retval=${PIPESTATUS[0]}
[ $retval -ne 0 ] && break
fi
done
- if [ retval -eq 0 ]; then
+ if [ $retval -eq 0 ]; then
touch $lockfile
success
else
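Review bot: With retval now initialised to 0, a product whose firewall script is still not executable after the compile attempt is skipped silently, because the if [ -x "${STATEDIR}/firewall" ] block has no else branch. The loop then ends with retval 0, the lock file is touched and "success" is printed although "firewall stop" never ran for that product. Since this path exists to put the firewall into a known state, add an else that sets retval=1 and breaks, and check the exit status of the compile call as well.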
@@ -97,23 +97,24 @@
local vardir
echo -n "Clearing \"Shorewall-based firewalls\": "
+ retval=0
for PRODUCT in $PRODUCTS; do
setstatedir
- if [ ! -x ${VARDIR}/firewall ]; then
- if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT compile
+ if [ ! -x "${STATEDIR}/firewall" ]; then
+ if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+ ${SBINDIR}/$PRODUCT $OPTIONS compile
fi
fi
- if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
- ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
+ if [ -x "${STATEDIR}/firewall" ]; then
+ ${STATEDIR}/firewall clear 2>&1 | $logger
retval=${PIPESTATUS[0]}
[ $retval -ne 0 ] && break
fi
done
- if [ retval -eq 0 ]; then
+ if [ $retval -eq 0 ]; then
rm -f $lockfile
success
else
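Review bot: The compile block at the top of this loop repeats, line for line, the block patched in the first hunk of this file. If the function closed by the brace in that first hunk is setstatedir, which this loop calls on the line just before, the second check can never find the script missing for a reason the first one did not already handle. Drop the copy in the loop (here and in the "Initializing" loop above) so the logic lives in one place and cannot drift again the way ${VARDIR}/firewall and ${VARDIR}/$PRODUCT/firewall did in the removed lines.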
--- a/ifupdown.fedora.sh
+++ b/ifupdown.fedora.sh
@@ -22,6 +22,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA.
#
+# Get startup options (override default)
+OPTIONS=
+
setstatedir() {
local statedir
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
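Review bot: The comment says "Get startup options (override default)" but the line under it only assigns an empty string. If the sysconfig file is sourced before this point, "OPTIONS=" throws away the OPTIONS="-V0" set there; if it is sourced afterwards, the assignment is redundant. The ordering is not visible in this hunk, so please either move the default above the place where sysconfig is read or write it as OPTIONS=${OPTIONS:-} and reword the comment to say it is a default.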
@@ -30,9 +33,9 @@
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
- if [ ! -x $STATEDIR/firewall ]; then
- if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT compile
+ if [ ! -x "$STATEDIR/firewall" ]; then
+ if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+ ${SBINDIR}/$PRODUCT $OPTIONS compile
fi
fi
}
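Review bot: The -x test here only establishes that a compiled script exists, so this hunk does not help with item 3 of the report, where a script compiled from an older /etc/shorewall is executed after a reboot. The exit status of "$PRODUCT $OPTIONS compile" is also ignored, and its output is not sent to $LOGFILE the way the firewall invocation further down is, so a failed compile during interface bring-up leaves no trace. Suggest redirecting the compile output to $LOGFILE and returning early when it fails.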
@@ -99,8 +102,9 @@
for PRODUCT in $PRODUCTS; do
setstatedir
- if [ -x $VARLIB/$PRODUCT/firewall ]; then
- ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE
2>&1 ) || true
+ if [ -x "$STATEDIR/firewall" ]; then
+ echo "`date --rfc-3339=seconds` $0: Executing $STATEDIR/firewall
$OPTIONS $COMMAND $INTERFACE" >> $LOGFILE 2>&1
+ ( $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE >> $LOGFILE 2>&1 )
|| true
fi
done
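Review bot: The new "Executing ..." log line records that the script was started, but the "|| true" kept from the old code still discards the result, so the log cannot show whether the firewall actually came up for this interface. Capture the exit status of the subshell and append it to $LOGFILE before forcing success. Smaller points on the same lines: $(date --rfc-3339=seconds) is easier to read than backticks, the 2>&1 on the echo is unnecessary, and "$STATEDIR/firewall" should be quoted in command position as it is in the test above it.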
--- a/sysconfig
+++ b/sysconfig
@@ -21,3 +21,6 @@
#
LOGFILE=/var/log/shorewall-ifupdown.log
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+
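Review bot: The comment on OPTIONS should say where the value ends up, because after this patch the same string is passed to two different programs: "${SBINDIR}/$PRODUCT $OPTIONS compile" and "$STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE". The removed line shows -V0 being given to the compiled firewall script only; please confirm that the shorewall and shorewall6 commands accept the same option before it is also passed to compile, or split this into two variables.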