On 05/06/2013 10:15 AM, Dash Four wrote:
>
> Tom Eastep wrote:
>> On 05/05/2013 10:17 AM, Dash Four wrote:
>>
>>> I've decided to make a clean break as the AUTOMAKE thread was getting a
>>> bit off-topic. These are my findings so far:
>>>
>>> 1. During boot, when the OS is bringing my loopback interface up I am
>>> getting the following messages:
>>>
>>> Bringing up loopback interface: SIOCADDRT: Network is unreachable
>>> SIOCADDRT: Network is unreachable
>>>
>>> This started happening since my shorewall-init installation. Looking at
>>> the logs, there isn't anything there, which points to something being
>>> wrong. I do have 3 separate lo:{1,2,3} "devices" though - don't know if
>>> that is causing the ifupdown to moan. The relevant messages I am getting
>>> are:
>>>
>>> 2013-05-05 17:05:45+01:00 /usr/sbin/ifup-local: Executing
>>> /var/lib//shorewall/firewall -V0 up lo
>>> Shorewall up triggered by lo
>>> Shorewall attempting start
>>> ERROR: Can't determine the IP address of eth0: Firewall state not changed
>>> /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process
>>> ERROR: Required interface eth0 not available: Firewall state not changed
>>> /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process
>>>
>>
>> Why don't you simply specify 'ignore' on the lo devices? That is what
>> 'ignore' was invented for.
>>
> No, I can't do that - lo is 'required' as I have stuff which depends on
> it, so this device must be up when the system starts. What is rather
> baffling is the message I am getting. Could this be fixed?

I have no idea why it is happening.

>>> 3. /etc/shorewall changes not detected by shorewall when running
>>> together with shorewall-init.
>>>
>>
>> That's intentional. If you want Shorewall-init to use updated files,
>> then you must issue a 'shorewall compile' command. Imagine the chaos if
>> you were in the middle of updating your config and suddenly
>> Shorewall-init compiled whatever the current state of the config was and
>> tried to run it.
>>
> I see your point and it is a good one.
>
> Perhaps another alternative could be implemented since the problem
> arises only on reboot. Currently, I have shorewall-init as a service
> disabled, simply because ifupdown-local usually takes care of
> everything. However, if you implement "shorewall check-update" (or any
> other suitable alternative) which produces a "yes/no" result when
> recompilation is needed (even if it is through the exit code), then the
> shorewall-init startup script/service could use that to see whether
> "shorewall compile" needs to be executed (that would be in addition to
> the usual checks for the "firewall" executable) and do so accordingly.
>
> Since shorewall-init (as a service) usually starts before anything (even
> before any of the network devices have been brought up), then it can
> detect whether changes were made and recompile the firewall file,
> ifupdown-local then picks it up and - voila, job done. How's that?

That could be done. How about an option on the 'compile' command that
'compiles if needed'? That way, the SysV init scripts could
unconditionally compile with that option.

>
>>> 4. shorewall-init sysv script errors and additions - see patch attached.
>>> I've also added a few things which I found useful.
>>>
>>
>> I'll take a look - Thanks.
>>
> Pleasure.

Applied.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
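The "yes/no through the exit code" check discussed in the thread, sketched as an added example that is not part of the original messages and is not Shorewall code. The function name `needs_compile` and its exit codes are hypothetical, and it assumes a modification-time comparison between the configuration directory and the compiled script is an acceptable staleness test.

```shell
#!/bin/sh
# Added illustration; not taken from Shorewall. Names are hypothetical.

# needs_compile CONFIG_DIR COMPILED_SCRIPT
#   returns 0  "yes": the compiled script is missing, empty, or older than
#              something under CONFIG_DIR
#   returns 1  "no": the compiled script is at least as new as the config
#   returns 2  CONFIG_DIR is not a directory, so no answer can be given
needs_compile() {
    config_dir=$1
    compiled=$2

    [ -d "$config_dir" ] || return 2

    # No usable compiled script yet: compilation is required.
    [ -s "$compiled" ] || return 0

    # Directories are included on purpose: deleting or adding a file
    # updates the directory's mtime even when no remaining file changed.
    newer=$(find "$config_dir" -newer "$compiled" -print 2>/dev/null | head -n 1)
    [ -n "$newer" ] && return 0

    return 1
}

# How an init script could use it (assumption: 'shorewall compile' with no
# pathname refreshes the script that ifup-local executes):
#
#   if needs_compile /etc/shorewall /var/lib//shorewall/firewall; then
#       shorewall compile
#   fi
```

A timestamp check only sees files under the directory it is given, so configuration pulled in from elsewhere would not trigger a recompile.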
