Hi all,

I upgraded my laptop from Ubuntu 15.10 to 16.04 today, which brought
with it an upgrade to Shorewall 5.0.4.  This version doesn't start
completely correctly on my system, resulting in the following output on
restart:

root@localhost:~# shorewall6 restart
Compiling using Shorewall6 5.0.4...
Shorewall configuration compiled to /var/lib/shorewall6/.restart
Stopping Shorewall6....
/var/lib/shorewall6/.restart: 772: [: Illegal number: <my IPv6 OpenVPN
address>
done.
Starting Shorewall6....
/var/lib/shorewall6/.restart: 772: [: Illegal number: <my IPv6 OpenVPN
address>
done.

I narrowed this down to a change in the output of ip.  Ubuntu 16.04
ships with iproute2 4.3.0, which changes the output format of tun
interfaces to remove the netmask from the local IPv6 address.  Here's a
simplistic patch to fix:

diff --git a/Shorewall/Perl/lib.runtime b/Shorewall/Perl/lib.runtime
index 5bb83bd..abb32f7 100644
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1110,7 +1110,7 @@ interface_is_usable() # $1 = interface
 #
 find_interface_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed
's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed
's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
 }
 
 #
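Review bot: In find_interface_addresses the `s/\/.*//` expression runs before the new `s/ peer [0-9a-f:]*//`, so everything from the first slash onward is already gone when the peer expression is applied. For a line of the form "ADDR peer ADDR/len ..." the old and new expressions therefore give the same result, and this hunk looks unnecessary. The narrower pattern also stops removing whatever follows the peer address, so a line that has a peer but no slash would now leave trailing fields in the output. Suggest keeping `s/ peer.*//` in this function and limiting the change to find_interface_full_addresses.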
@@ -1119,7 +1119,7 @@ find_interface_addresses() # $1 = interface
 
 find_interface_full_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed
's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed
's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
 }
 
 #
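Review bot: The character class in `s/ peer [0-9a-f:]*//` accepts only lowercase hex digits and colons, so a peer address printed with an embedded dotted quad would be removed only in part, leaving a fragment in front of the prefix length. Matching up to the next slash or space, for example `s/ peer [^/ ]*//`, avoids depending on how the address is written. A comment above the sed line would also help, stating that the prefix length kept on the local address is the one that followed the peer address, since that is not obvious from the expression.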

The issue seems to be mostly cosmetic, as the resulting changes are
minor rules in the reject and Broadcast chains which don't appear to be
applicable to IPv6, and won't ever likely be hit.

As an aside, 'shorewall6 status' produces no output, whereas 'shorewall
status' produces the expected "Shorewall is running" message.  Not sure
if this difference has been there for a long time or not...

Regards,
Paul
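
The effect of the second hunk on the two output layouts described in the message, as an added example that is not part of the original message or of Shorewall. The sample lines are constructed (assumed layout, documentation prefix), and `full_before`, `full_after` and `has_prefix` are hypothetical names; the sed expressions are copied from the patch.

```shell
#!/bin/sh
# Constructed sample lines: an address with its own prefix length, and the
# tun layout the message describes (prefix length only after the peer).
OLD_LINE='    inet6 2001:db8:1::2/64 scope global'
NEW_LINE='    inet6 2001:db8:1::2 peer 2001:db8:1::1/64 scope global'

# Filter of find_interface_full_addresses before the patch.
full_before() {
    printf '%s\n' "$1" | grep 'inet6 ' |
        sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
}

# Filter of find_interface_full_addresses after the patch.
full_after() {
    printf '%s\n' "$1" | grep 'inet6 ' |
        sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
}

# Hypothetical check: succeeds only for "address/number". A consumer that
# feeds the part after the slash to a numeric test needs this to hold.
has_prefix() {
    case "$1" in
        */*) len=${1##*/}; [ "$len" -ge 0 ] 2>/dev/null ;;
        *)   return 1 ;;
    esac
}

# Print what each filter yields for each layout.
for line in "$OLD_LINE" "$NEW_LINE"; do
    for filter in full_before full_after; do
        out=$($filter "$line")
        if has_prefix "$out"; then
            verdict='ok'
        else
            verdict='no prefix length'
        fi
        printf '%-12s %-20s %s\n' "$filter" "$out" "$verdict"
    done
done
```

Only the unpatched filter on the tun-style line loses the prefix length; the other three combinations yield `2001:db8:1::2/64`.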

