On 05/04/2013 04:38 AM, Dash Four wrote:
> I have spent about 4 hours on this one: I am trying to force shorewall
> to *not* recompile my whole configuration every time it starts and no
> matter what I try, it doesn't seem to work at all.
>
> I have AUTOMAKE=Yes, I also tried to set LEGACY_FASTSTART to either Yes
> or No (none of that seems to have an effect), but shorewall insists on
> compiling everything every time.
>
> Normally I wouldn't worry about that too much, but since I am now using
> shorewall-init as well, every time my network device changes its state,
> the firewall takes between 2 and 3 minutes to be reset, thanks to this
> compilation/recompilation malarkey not working as it should. Is there a
> fix for this?
>
I use AUTOMAKE=Yes and it always works reliably:
root@gateway:~# shorewall restart
Restarting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall-common/tcclear ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Adding Providers...
Null Routing the RFC 1918 subnets
Setting up Traffic Control...
Preparing iptables-restore input...
Running /usr/local/sbin/iptables-restore...
Preparing arptables-restore input...
Running /sbin/arptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/started ...
done.
root@gateway:~# touch /etc/shorewall/shorewall.conf
root@gateway:~# shorewall restart
Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Running /etc/shorewall/compile...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Compiling /etc/shorewall/hosts...
...
Optimizing Ruleset...
Creating iptables-restore input...
Compiling /etc/shorewall/stoppedrules...
Shorewall configuration compiled to /var/lib/shorewall/.restart
The compiled script is /var/lib/shorewall/.restart
Restarting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall-common/tcclear ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Adding Providers...
Null Routing the RFC 1918 subnets
Setting up Traffic Control...
Preparing iptables-restore input...
Running /usr/local/sbin/iptables-restore...
Preparing arptables-restore input...
Running /sbin/arptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/started ...
done.
root@gateway:~#
If you 'sh -x ${SBINDIR}/shorewall restart' and look for the call to the
function 'uptodate', you can see which file on your CONFIG_PATH is
triggering the recompile.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
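The diagnosis suggested in the message above can be approximated without tracing the whole restart. This is an added example, not Shorewall's own code and not part of the original message: it assumes the up-to-date test is a modification-time comparison against the compiled script (as the `touch` demonstration suggests), and `newer_than_script` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not Shorewall code): list what is newer than the
# compiled firewall script and would therefore force a recompile.
# Assumption: freshness is decided by comparing modification times.

# newer_than_script SCRIPT CONFIG_PATH
#   SCRIPT       compiled script, e.g. /var/lib/shorewall/.restart
#   CONFIG_PATH  colon-separated list of configuration directories
# Prints every file or directory with an mtime later than SCRIPT.
# Directories are listed too: creating or deleting any file inside a
# directory (editor backups, temp files) updates the directory's mtime.
# Returns 0 if nothing is newer, 1 if something is, 2 if SCRIPT is missing.
newer_than_script() {
    script=$1
    path=$2
    if [ ! -f "$script" ]; then
        echo "no compiled script: $script" >&2
        return 2
    fi
    found=0
    old_ifs=$IFS
    IFS=:
    for dir in $path; do
        IFS=$old_ifs
        [ -d "$dir" ] || continue
        hits=$(find "$dir" -newer "$script" 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    IFS=$old_ifs
    return $found
}

# Direct use: sh newer.sh /var/lib/shorewall/.restart "$CONFIG_PATH"
if [ "$#" -ge 2 ]; then
    newer_than_script "$1" "$2"
fi
```

If the same path is listed after every start, something is rewriting it on each boot or interface event, or its timestamp lies in the future relative to the system clock.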
