------- Forwarded message follows -------
From:   [email protected]
To:     [email protected]
Date sent:      Thu, 19 May 2016 09:10:21 +0200
Subject:        [Shorewall-users] Shorewall-lite on OpenWRT
Send reply to:  Shorewall Users <[email protected]>
        


Hi there,

I use Shorewall on an OpenWRT distribution and I experience 2 problems.
I have solved them myself and report them here to help others with it.

Shorewall version: shorewall[6]-lite 5.0.4
OpenWRT version: Chaos Calmer 15.05, r46767

Problem 1:
Shorewall uses the lock utility from openwrt. I believe it is used in
the wrong way. File lib.common line 775
First it passes arguments which the utility doesn't use/know. The util
accepts them dumbly and continues to create a lockfile. It has no
time-out functionality. I do not know the meaning of the r1 argument.
Second the mutex_off simply deletes the lockfile by using the utility
rm. This way a stale lock process keeps running. After a while the
router is running a high number of stale processes which has an impact
on the load of the router. The correct way is to use "lock -u
/lib/shorewall-lite/lock". This way the lockfile will be removed and
the process will be terminated accordingly. To make it work for me, I
no longer let shorewall use the lock utility by using an ugly hack.

Problem 2:
An fgrep on the output of the type utility is wrongly coded. The
output of the type command probably has been changed. File lib.cli
line 4343
It is coded: "if type $1 2> /dev/null | fgrep -q 'is a function'; then"
To make it work for me, it should be coded: "if type $1 2> /dev/null |
fgrep -q 'is a shell function'; then"

With regards,

Stefan
------- End of forwarded message -------

Tom, attached as code.patch, are the patches that I believe will
correct those issues.

In addition to those patches I've also added 3 patches:
- Patch 1 will emulate the -p flag of the ps utility which is not
  available on openwrt.
- The last two patches will add "file" to the progress message of
  SYSCONFFILE to make it more consistent among the installers.


In shorewall-init/install.sh the else clause between lines 586 and 597
will only work for a sysvinit script.
Should I make it also work for a systemd service script or can't we
simply remove that else clause?


In the compiled firewall script the comments before and after the 
functions imported from lib.common have two slashes in the path:
$ grep -H lib.common firewall
firewall:#   Functions imported from /usr/share/shorewall//lib.common
firewall:#   End of imports from /usr/share/shorewall//lib.common

-Matt



-------------- Enclosure number 1 ----------------
>From 6ff651108df33ab8be4562caef03a8582e9eac5e Mon Sep 17 00:00:00 2001
From: Matt Darfeuille <[email protected]>
Date: Tue, 24 May 2016 13:10:28 +0200
Subject: [PATCH 1/8] Emulate 'ps -p' using grep to work on openwrt

Signed-off-by: Matt Darfeuille <[email protected]>
---
 Shorewall-core/lib.common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common
index 03ecb2a..fcb02ee 100644
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -776,7 +776,7 @@ mutex_on()
                error_message "WARNING: Stale lockfile ${lockf} removed"
            elif [ $lockpid -eq $$ ]; then
                 return 0
-           elif ! qt ps p ${lockpid}; then
+           elif ! qt ps | grep -v grep | grep ${lockpid}; then
                rm -f ${lockf}
                error_message "WARNING: Stale lockfile ${lockf} from pid 
${lockpid} removed"
            fi
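Review bot: `grep ${lockpid}` on the added `elif` line matches the pid as a substring of any column, so a lockfile holding pid 123 is treated as live whenever pid 1234, or a command line containing 123, appears in the `ps` output, and the stale lock is never removed. Match the PID column exactly (for example `awk -v p=${lockpid} '$1 == p'`) or test `[ -d /proc/${lockpid} ]` instead. Also note that `qt` now wraps only `ps` rather than the whole pipeline: please confirm the `ps` output still reaches `grep`, and use `grep -q` on the last stage so a match is not printed to the terminal.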
-- 
2.6.2


>From 08e8796ff1abc3b24b8bbd40bf5e0a2b36464d61 Mon Sep 17 00:00:00 2001
From: Matt Darfeuille <[email protected]>
Date: Wed, 25 May 2016 09:42:58 +0200
Subject: [PATCH 2/8] Create lockfile before using openwrt's lock utility

Signed-off-by: Matt Darfeuille <[email protected]>
---
 Shorewall-core/lib.common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common
index fcb02ee..42fe3cb 100644
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -788,9 +788,9 @@ mutex_on()
            echo $$ > ${lockf}
            chmod u-w ${lockf}
        elif qt mywhich lock; then
+            echo $$ > ${lockf}
             lock -${MUTEX_TIMEOUT} -r1 ${lockf}
             chmod u+w ${lockf}
-            echo $$ > ${lockf}
             chmod u-w ${lockf}
        else
            while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
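Review bot: moving `echo $$ > ${lockf}` above the `lock` call means the pid is written before the lock is held, so a second caller that is about to wait overwrites the current holder's pid, and the stale-lock check earlier in `mutex_on` then compares against the wrong process. The commit message does not say why the file has to exist first; if `lock` needs that, say so in a comment and consider writing the pid again once `lock` returns. The `chmod u+w` / `chmod u-w` pair left after `lock` no longer brackets a write and can be reduced to a single call.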
-- 
2.6.2


>From 2ded346cb557212389212fd5adcd4c6800edbb62 Mon Sep 17 00:00:00 2001
From: Matt Darfeuille <[email protected]>
Date: Wed, 25 May 2016 11:43:31 +0200
Subject: [PATCH 3/8] Set proper permissions for the LOCKFILE on openwrt

Signed-off-by: Matt Darfeuille <[email protected]>
---
 Shorewall-core/lib.common | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common
index 42fe3cb..38a8c9a 100644
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -789,9 +789,8 @@ mutex_on()
            chmod u-w ${lockf}
        elif qt mywhich lock; then
             echo $$ > ${lockf}
+            chmod u=r ${lockf}
             lock -${MUTEX_TIMEOUT} -r1 ${lockf}
-            chmod u+w ${lockf}
-            chmod u-w ${lockf}
        else
            while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
                sleep 1
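Review bot: `chmod u=r ${lockf}` sets only the owner bits, so the group and other permissions on the lockfile are still whatever the umask produced at `echo $$ > ${lockf}`. If the intent is a read-only pid file, use an absolute mode such as `chmod 0444` (or `0400`), and state in the commit message which permission problem this fixes, since the removed `u+w` / `u-w` pair also ended with the owner write bit cleared.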
-- 
2.6.2


>From 227028c586ada5fe23bbb6e9b439dbb2be9f3b45 Mon Sep 17 00:00:00 2001
From: Matt Darfeuille <[email protected]>
Date: Wed, 25 May 2016 13:00:30 +0200
Subject: [PATCH 4/8] Pass only LOCKFILE name to openwrt's lock utility

Signed-off-by: Matt Darfeuille <[email protected]>
---
 Shorewall-core/lib.common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common
index 38a8c9a..712acad 100644
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -790,7 +790,7 @@ mutex_on()
        elif qt mywhich lock; then
             echo $$ > ${lockf}
             chmod u=r ${lockf}
-            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
+            lock ${lockf}
        else
            while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
                sleep 1
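Review bot: with `-${MUTEX_TIMEOUT}` dropped, the `lock ${lockf}` branch waits with no bound, while the `else` branch right below it still gives up after `MUTEX_TIMEOUT` tries. That difference deserves a comment at the call, or a bounded wait on this path as well, so that a holder which never releases cannot block every later invocation on openwrt.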
-- 
2.6.2


>From ea0ce3318c673b86492d0e5730b2a834d352b170 Mon Sep 17 00:00:00 2001
From: Matt Darfeuille <[email protected]>
Date: Wed, 25 May 2016 14:54:31 +0200
Subject: [PATCH 5/8] Unlock LOCKFILE to avoid stale pid on openwrt

Signed-off-by: Matt Darfeuille <[email protected]>
---
 Shorewall-core/lib.common | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common
index 712acad..3d0bacb 100644
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -812,6 +812,7 @@ mutex_on()
 #
 mutex_off()
 {
+    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
     rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 
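Review bot: `mutex_off` decides whether to call `lock -u` by testing `[ -f ${CONFDIR}/rc.common ]`, but `mutex_on` takes the lock when `qt mywhich lock` succeeds, so the two conditions can disagree and either leave the lock held or run `lock -u` on a system that has no `lock` utility. Use the same `qt mywhich lock` test on both sides, and quote the expansion: `lock -u "${LOCKFILE:=${VARDIR}/lock}"`.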
-- 
2.6.2


>From 5b5309a158ed24180cae02a80b88fed1a3959bde Mon Sep 17 00:00:00 2001
From: Matt Darfeuille <[email protected]>
Date: Wed, 25 May 2016 15:34:21 +0200
Subject: [PATCH 6/8] Improve detection of shell function on openwrt

Signed-off-by: Matt Darfeuille <[email protected]>
---
 Shorewall-core/lib.cli | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index bc9318b..4778ada 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -4560,6 +4560,11 @@ shorewall_cli() {
                    # It's a shell function -- call it
                    #
                    $@
+               elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
+                   #
+                   # It's a shell function -- call it
+                   #
+                   $@
                else
                    #
                    # It isn't a function visible to this script -- try
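Review bot: the added `elif` repeats the body of the branch above it and differs only in the string passed to `fgrep`. Fold both strings into the existing test so there is one call site, for example `fgrep -q -e 'is a function' -e 'is a shell function'`, and say in the comment which shells print which form.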
-- 
2.6.2


>From 1e5d878bff87107e4b108db01cfbcd8b606a1f93 Mon Sep 17 00:00:00 2001
From: Matt Darfeuille <[email protected]>
Date: Sat, 28 May 2016 14:10:39 +0200
Subject: [PATCH 7/8] Shorewall: Uniformise SYSCONFFILE's progress msg

Signed-off-by: Matt Darfeuille <[email protected]>
---
 Shorewall/install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index bdd8271..581ae50 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -1215,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f 
${DESTDIR}${SYSCONFDIR}/${PR
     fi
 
     run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} 
${DESTDIR}${SYSCONFDIR}/$PRODUCT
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z 
"${cygwin}${mac}" ]; then
-- 
2.6.2


>From dcbeee838130845b7fd0dbabd56b9f283f27d109 Mon Sep 17 00:00:00 2001
From: Matt Darfeuille <[email protected]>
Date: Sat, 28 May 2016 14:13:30 +0200
Subject: [PATCH 8/8] Lite: Uniformise SYSCONFFILE's progress msg

Signed-off-by: Matt Darfeuille <[email protected]>
---
 Shorewall-lite/install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index 439d4a9..c8bffe1 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f 
${DESTDIR}${SYSCONFDIR}/${PR
     fi
 
     install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 
 if [ ${SHAREDIR} != /usr/share ]; then
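Review bot: if the aim is consistency between the installers, the progress message is only part of it: the context line in this hunk installs SYSCONFFILE with mode `0640`, while the matching context line in Shorewall/install.sh (patch 7/8) uses `-m 0644`. Please state in the commit message whether that difference is intended, or align the two modes in the same series.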
-- 
2.6.2


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
