I have a dual ISP shorewall[-lite] (4.0.5) installation.  It happens
most times on boot that one of the ISP interfaces will not be quite
fully plumbed before shorewall-lite wants to restore the firewall.

So my network interfaces start to come up but before the PPPoE interface
is fully up, shorewall-lite starts its "restore" (i.e. on boot) process
and inevitably I get an error:

   ERROR: Can't determine the IP address of ppp0

and Shorewall is not started.

Now, if I only had the one ISP interface I wouldn't care so much because
Shorewall doesn't do me much good without an Internet connection anyway.
But that is not the case.  It's a perfectly valid situation that one of
my connections is up and I would want Shorewall to start and function in
that case.

It would appear this error stems from a call to
find_first_interface_address() in define_firewall():

define_firewall() {

    clear_routing_and_traffic_shaping
    #
    # Establish the values of shell variables used in the following function calls
    #
    PPP0_ADDRESS=$(find_first_interface_address ppp0)
    ETH0_1_ADDRESS=$(find_first_interface_address eth0.1)

I'm not sure if there is anything specific in my configuration which
is driving this need to determine the interface addresses although it
appears to be MultiISP related as setup_routing_and_traffic_shaping()
want to do:

            gateway=$(detect_gateway ppp0)

            if [ -n "$gateway" ]; then
                run_ip route replace $PPP0_ADDRESS dev ppp0 table 2
                run_ip route add default via $gateway dev ppp0 table 2
            else
                fatal_error "Unable to detect the gateway through interface ppp0"
            fi

What's interesting is that the block of code above, that wants to use
$PPP0_ADDRESS is guarded by an "interface_is_usable ppp0" test and if
it's not usable:

            fatal_error "Interface ppp0 is not configured -- Provider IGS (2) Cannot be Added"

I guess what I'm wondering is if there is a way to make this more robust
such that the absence of an interface just means not doing the
configuration bits for it rather than being fatal.

Presumably I would restart shorewall-lite any time a new interface was
plumbed to take into consideration the additional information.

What would be "the cat's ass" mind you, would be for shorewall to
produce little scriptlets that added and removed appropriate
configuration items when an individual interface appeared or disappeared
and those could be plugged into the "hotplug" infrastructure, making the
entire restart of shorewall unnecessary and overkill.  But I think that
is a much more difficult (albeit interesting) task than what I'm
proposing/requesting above.

Thots?

b.
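An added sketch of the behaviour the post asks for (not Shorewall's generated script or any Shorewall code): a provider whose interface has no address yet is skipped with a warning, and the run is fatal only if no provider at all could be configured. The function names mirror the post; their bodies, the iface:table:gateway argument format and the DRY_RUN knob are assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall's generated code: provider setup that skips an
# interface with no address instead of calling fatal_error.  The function
# names mirror the post; their bodies and the DRY_RUN knob are assumptions.

DRY_RUN=${DRY_RUN:-1}    # 1 = print the ip commands instead of running them

run_ip() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ip $*"
    else
        ip "$@"
    fi
}

# First IPv4 address on an interface; prints nothing if it has none yet.
find_first_interface_address() {
    ip -o -4 addr show dev "$1" 2>/dev/null |
        sed -n 's/.*inet \([0-9.]*\).*/\1/p' | head -n 1
}

# Configure one provider's routing table.  Returns 1, not fatal, when the
# interface is absent or has no address yet (e.g. ppp0 still negotiating).
setup_provider() {
    iface=$1 table=$2 gateway=$3
    addr=$(find_first_interface_address "$iface")
    if [ -z "$addr" ]; then
        echo "WARNING: $iface has no address; provider table $table skipped" >&2
        return 1
    fi
    run_ip route replace "$addr" dev "$iface" table "$table" &&
    run_ip route add default via "$gateway" dev "$iface" table "$table"
}

# Arguments are iface:table:gateway.  Succeeds if at least one provider
# could be configured; fails only when none of them is usable.
setup_providers() {
    up=0
    for spec in "$@"; do
        iface=${spec%%:*}; rest=${spec#*:}
        table=${rest%%:*}; gateway=${rest#*:}
        setup_provider "$iface" "$table" "$gateway" && up=$((up + 1))
    done
    if [ "$up" -eq 0 ]; then
        echo "ERROR: no provider interface is usable" >&2
        return 1
    fi
    echo "providers configured: $up"
}
```

Call it as `setup_providers eth0.1:1:<gateway> ppp0:2:<gateway>` with DRY_RUN=0 to apply the routes; a later hotplug event for ppp0 could re-run only `setup_provider ppp0 2 <gateway>`.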
