On 9/14/2014 7:56 AM, Tom Eastep wrote:
> On 9/13/2014 10:38 PM, PGNd wrote:
>> I'm attempting to troubleshoot boot-time failures for shorewall-init.service
>> start, and the interface of one of my provider's interfaces (my vpn).
>>
>> I'm currently stymied by the fact that *despite* the failures -- for which I
>> can't yet find the reason -- once *fully* booted, the system heals itself
>> and everything's running OK.
>>
>> I'll certainly take the 'up' state, but would prefer to fix the boot-time
>> problem; I'd appreciate a fresh set of eyes ...
>>
>> On my edge router/firewall I've installed
>>
>> shorewall-init
>> shorewall-lite
>> shorewall6-lite
>> openvpn
>>
>> I've configured two providers, prov1 (the 'net @ eth0) & prov2 (vpn @ tun1)
>>
>> *During* startup, journalctl shows that
>>
>> shorewall-init.service
>>
>> fails to start and 'tun1' is not usable.
>
> Shorewall-init must start before networking and, in your configuration,
> it will stop shorewall-lite and shorewall6-lite. So the fact that your
> system 'heals itself' is no mystery at all, given that both services are
> started later after networking has been started.
>
> So you need to understand why 'stop' fails when openvpn isn't started.

I believe that I see the problem -- it was introduced in Shorewall 4.6.3.

Please see if the attached patch allows Shorewall-init to start correctly.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Compiler.pm
b/Shorewall/Perl/Shorewall/Compiler.pm
index a0ce208..5330e45 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -308,13 +308,14 @@ sub generate_script_2() {
set_global_variables(1);
- handle_optional_interfaces(0);
-
if ( $global_variables & NOT_RESTORE ) {
+ handle_optional_interfaces(0);
emit ';;';
pop_indent;
pop_indent;
emit ( 'esac' );
+ } else {
+ handle_optional_interfaces(1);
}
} else {
emit( 'true' ) unless handle_optional_interfaces(1);
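Review bot: In the new `} else {` branch, handle_optional_interfaces(1) is called with its return value discarded, while the unchanged context line just below guards on the same call (`emit( 'true' ) unless handle_optional_interfaces(1);`). If that return value indicates whether any code was emitted, this branch could produce an empty body in the generated script; either treat the result the same way here or add a comment explaining why it is safe to ignore. A one-line comment on what the 0/1 argument means would also help, now that the two paths pass different values.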
diff --git a/Shorewall/Perl/Shorewall/Providers.pm
b/Shorewall/Perl/Shorewall/Providers.pm
index 5804849..0b744a7 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1896,6 +1896,7 @@ sub handle_optional_interfaces( $ ) {
my $require = $config{REQUIRE_INTERFACE};
verify_required_interfaces( shift );
+ emit '';
emit( 'HAVE_INTERFACE=', '' ) if $require;
#
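Review bot: The added `emit '';` after `verify_required_interfaces( shift );` is unconditional and uncommented, so the hunk does not show whether the blank line is cosmetic or is needed for the generated script to be valid. Please add a comment stating its purpose, and if it only matters when verify_required_interfaces produced output, consider making it conditional so no stray blank line is emitted otherwise.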
