Brian J. Murrell wrote:
>
> So if the module is not already loaded (in $MODULES), then for any of
> the module extensions in $MODULE_SUFFIX, try to find and load a module.
>
> However I cannot see how $MODULE_SUFFIX gets initialized in shorecap's
> call stack. It appears that do_initialize() is supposed to do that, but
> do_initialize() does not appear to get called in the codepath that
> shorecap runs. In fact I can't find anywhere in the entire
> shorewall-lite package that calls it.
>
> Since $MODULE_SUFFIX doesn't get initialized to anything, loadmodule()
> is for all intents and purposes a NOOP.
>
> What am I missing?

Nothing -- it's clearly a bug. Attached please find:

patch-3.2.9-9.diff -- patch to Shorewall
patch-3.2.9-10.diff -- patch to Shorewall-lite

Note that these are against 3.2.9 -- the Shorewall patch doesn't apply cleanly to 3.2.6 but the Shorewall-lite patch does. Please give it a try.

Thanks,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Index: shorewall
===================================================================
--- shorewall (revision 5833)
+++ shorewall (working copy)
@@ -1489,12 +1489,14 @@
if [ -f $directory/shorewall.conf ]; then
MODULESDIR=$(grep '^\s*MODULESDIR=' $directory/shorewall.conf | tail -n 1)
MODULESDIR=${MODULESDIR#*=}
+ IPTABLES=$(grep '^\s*MODULE_SUFFIX=' $directory/shorewall.conf | tail -n 1)
+ IPTABLES=${MODULE_SUFFIX#*=}
IPTABLES=$(grep '^\s*IPTABLES=' $directory/shorewall.conf | tail -n 1)
IPTABLES=${IPTABLES#*=}
fi
progress_message "Getting Capabilities on system $system..."
- if ! ssh [EMAIL PROTECTED] "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap > ${LITEDIR}/capabilities" || \
+ if ! ssh [EMAIL PROTECTED] "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap > ${LITEDIR}/capabilities" || \
! scp [EMAIL PROTECTED]:${LITEDIR}/capabilities $directory; then
fatal_error "ERROR: Capturing capabilities on system $system failed"
fi
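Review bot: the two added lines that read MODULE_SUFFIX from shorewall.conf assign to IPTABLES instead of MODULE_SUFFIX, and the second one, IPTABLES=${MODULE_SUFFIX#*=}, strips the prefix from a variable that has not been set. The following context lines then overwrite IPTABLES, so MODULE_SUFFIX stays empty and the ssh command sends MODULE_SUFFIX="", meaning a suffix list configured in shorewall.conf never reaches shorecap. Both lines should assign to MODULE_SUFFIX, with the second expanding ${MODULE_SUFFIX#*=}. Once that is corrected, the value is wrapped in \"...\" inside the remote command string, so a setting that is already quoted in shorewall.conf would arrive with doubled quotes and be split by the remote shell; strip surrounding quotes from the parsed value before interpolating it.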
Index: functions
===================================================================
--- functions (revision 5833)
+++ functions (working copy)
@@ -1660,6 +1660,8 @@
moduleloader=insmod
fi
+ [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
MODULES=$(lsmod | cut -d ' ' -f1)
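Review bot: the added line [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] uses a test only for the side effect of the := assignment, and nothing acts on its result. Since := always leaves a non-empty value here, the test cannot fail; the no-op form : ${MODULE_SUFFIX:=o gz ko o.gz ko.gz} states the intent directly. A one-line comment saying this is the fallback when the caller supplies no suffix list would help the next reader.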
@@ -1688,6 +1690,8 @@
moduleloader=insmod
fi
+ [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
[ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
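Review bot: the default list "o gz ko o.gz ko.gz" added here is a second copy of the literal from the hunk at -1660, and the same string appears again in the shorecap header comment. Setting the default in one shared place that both code paths run through would keep the copies from drifting apart when the list changes.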
Index: shorecap
===================================================================
--- shorecap (revision 5833)
+++ shorecap (working copy)
@@ -29,7 +29,7 @@
#
# On the target system (the system where the firewall program is to run):
#
-# [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
+# [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
#
# Now move the capabilities file to the compilation system. The file must
# be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -39,6 +39,7 @@
#
# IPTABLES - iptables
# MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+# MODULE_SUFFIX - "o gz ko o.gz ko.gz"
#
# Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
# used during firewall compilation, then the generated firewall program will likewise not
Index: functions
===================================================================
--- functions (revision 5833)
+++ functions (working copy)
@@ -1660,6 +1660,8 @@
moduleloader=insmod
fi
+ [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
MODULES=$(lsmod | cut -d ' ' -f1)
@@ -1688,6 +1690,8 @@
moduleloader=insmod
fi
+ [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
[ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
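
The lookup described in the quoted message, as an added example that is not part of the thread or of Shorewall's code: find_module and set_suffix_default are hypothetical names, and the module file is an empty constructed placeholder. It shows the search finding nothing while MODULE_SUFFIX is empty, and succeeding once the default from the patch is applied.

```shell
#!/bin/sh
# Added illustration; find_module is a hypothetical stand-in for the lookup
# loop the thread describes, not Shorewall's loadmodule().

# Print the first <module>.<suffix> file found in the colon-separated
# MODULESDIR, trying every suffix listed in MODULE_SUFFIX.
find_module() {
    module=$1
    old_ifs=$IFS
    IFS=:
    for dir in $MODULESDIR; do
        IFS=$old_ifs                      # suffix list is whitespace-separated
        for suffix in $MODULE_SUFFIX; do  # empty list: zero iterations, a no-op
            if [ -f "$dir/$module.$suffix" ]; then
                printf '%s\n' "$dir/$module.$suffix"
                return 0
            fi
        done
    done
    IFS=$old_ifs
    return 1
}

# The default from the patch: assigned only when the variable is unset or
# empty, so a list passed in the environment is left alone.
set_suffix_default() {
    : "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}"
}

demo() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/xt_example.ko"            # constructed placeholder, not a real module
    MODULESDIR="/nonexistent:$tmp"

    MODULE_SUFFIX=                        # the state reported in the thread
    find_module xt_example >/dev/null && before=found || before=missed

    set_suffix_default                    # empty value is replaced by the default
    find_module xt_example >/dev/null && after=found || after=missed

    MODULE_SUFFIX="o"                     # caller-supplied list without "ko"
    set_suffix_default                    # := keeps the caller's value
    find_module xt_example >/dev/null && override=found || override=missed

    rm -rf "$tmp"
    printf '%s %s %s\n' "$before" "$after" "$override"
}

demo
```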
