Tom Eastep wrote:
> On 05/05/2013 10:17 AM, Dash Four wrote:
>   
>> I've decided to make a clean break as the AUTOMAKE thread was getting a
>> bit off-topic. These are my findings so far:
>>
>> 1. During boot, when the OS is bringing my loopback interface up I am
>> getting the following messages:
>>
>> Bringing up loopback interface:  SIOCADDRT: Network is unreachable
>> SIOCADDRT: Network is unreachable
>>
>> This started happening since my shorewall-init installation. Looking at
>> the logs, there isn't anything there, which points to something being
>> wrong. I do have 3 separate lo:{1,2,3} "devices" though - don't know if
>> that is causing the ifupdown to moan. The relevant messages I am getting
>> are:
>>
>> 2013-05-05 17:05:45+01:00 /usr/sbin/ifup-local: Executing
>> /var/lib//shorewall/firewall -V0 up lo
>> Shorewall up triggered by lo
>> Shorewall attempting start
>>   ERROR: Can't determine the IP address of eth0: Firewall state not changed
>> /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process
>>   ERROR: Required interface eth0 not available: Firewall state not changed
>> /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process
>>     
>
> Why don't you simply specify 'ignore' on the lo devices? That is what
> 'ignore' was invented for.
>   
No, I can't do that - lo is 'required' as I have stuff which depends on 
it, so this device must be up when the system starts. What is rather 
baffling is the message I am getting. Could this be fixed?

>> 2. during system-triggered 'up' event, I get this:
>> cp: `/var/lib/shorewall/firewall' and `/var/lib/shorewall/firewall' are
>> the same file
>>
>>     
>
> The attached pair of patches should correct that problem.
>   
I'll have a chance to test this in the coming days, thanks Tom.

>> 3. /etc/shorewall changes not detected by shorewall when running
>> together with shorewall-init. 
>>     
>
> That's intentional. If you want Shorewall-init to use updated files,
> then you must issue a 'shorewall compile' command. Imagine the chaos if
> you were in the middle of updating your config and suddenly
> Shorewall-init compiled whatever the current state of the config was and
> tried to run it.
>   
I see your point and it is a good one.

Perhaps another alternative could be implemented since the problem 
arises only on reboot. Currently, I have shorewall-init as a service 
disabled, simply because ifupdown-local usually takes care of 
everything. However, if you implement "shorewall check-update" (or any 
other suitable alternative) which produces a "yes/no" result when 
recompilation is needed (even if it is through the exit code), then the 
shorewall-init startup script/service could use that to see whether 
"shorewall compile" needs to be executed (that would be in addition to 
the usual checks for the "firewall" executable) and do so accordingly.

Since shorewall-init (as a service) usually starts before anything (even 
before any of the network devices have been brought up), it can 
detect whether changes were made and recompile the firewall file; 
ifupdown-local then picks it up and - voila, job done. How's that?

>> 4. shorewall-init sysv script errors and additions - see patch attached.
>> I've also added a few things which I found useful.
>>     
>
> I'll take a look - Thanks.
>   
Pleasure.
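A sketch of the "check-update" idea from the message above, as an added example rather than Shorewall's own code: the check answers "yes" (exit 0) when the compiled firewall script is missing or any file under the config directory is newer than it, and "no" (exit 1) otherwise. The function names and the init-script wrapper are assumptions; the paths default to the ones named in the thread.

```shell
#!/bin/sh
# Hypothetical "check-update": is a recompile of the firewall script needed?
# Exit 0 = yes, exit 1 = no, so an init script can branch on the exit code.
shorewall_needs_compile() {
    conf_dir="${1:-/etc/shorewall}"
    fw_script="${2:-/var/lib/shorewall/firewall}"

    # No compiled script at all: recompilation is certainly needed.
    [ -f "$fw_script" ] || return 0

    # Any regular file in the config tree modified after the compiled script?
    # find prints matching paths; a non-empty result means "yes".
    newer=$(find "$conf_dir" -type f -newer "$fw_script" 2>/dev/null | head -n 1)
    [ -n "$newer" ]
}

# Assumed init-script integration (not the project's own script): only run
# 'shorewall compile' when the check says the compiled script is stale.
shorewall_init_maybe_compile() {
    if shorewall_needs_compile "$@"; then
        echo "Configuration changed; recompiling firewall script"
        shorewall compile
    else
        echo "Compiled firewall script is current; nothing to do"
    fi
}
```

Note that a pure mtime comparison cannot tell whether the changed file would compile cleanly, so a failed `shorewall compile` still needs to be handled by the caller.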


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
