On 13.12.2014 at 17:25, Tom Eastep wrote:
> On 11/26/2014 5:32 AM, Artur Uszyński wrote:
>> Hello.
>>
>> Shorewall 4.6.4.1
>> kernel 3.10.0
>> In shorewall.conf I have "DONT_LOAD=nf_conntrack_sip,nf_nat_sip"
>> In shorewall.conf I have "AUTOHELPERS=No", HELPERS is empty.
>> SIP section in /etc/shorewall/conntrack is commented out (checked - no sip 
>> entries in raw table after shorewall start).
>> "ports=0" is specified in /etc/shorewall/helpers for appropriate *sip lines 
>> (or alternatively all *sip lines commented out).
>> There are not any rules specifying port 5060 in /etc/shorewall/rules.
>>
>> Despite doing the above steps, nf_conntrack_sip is being loaded during every 
>> restart of shorewall (although nf_nat_sip obeys my disposition and never 
>> gets loaded).
>>
>> Also, after doing "shorewall compile OUTPUT ." inside /etc/shorewall, 
>> nf_conntrack_sip module gets automatically loaded (yes, after dry compilation 
>> of rules), although resulting OUTPUT file does not contain anything which 
>> would load this module.
>>
>> nf_conntrack_sip is always at the top of lsmod output, no other modules use 
>> it.
>>
>> I ended up adding "rmmod nf_conntrack_sip" to /etc/shorewall/started.
>>
>> The same happens for shorewall6.
>>
>> Is there any way to properly skip loading of this module ?
>
> My apologies for the slow response - I've been traveling in New Zealand
> for the last three weeks.
>
> You must also specify DONT_LOAD=nf_conntrack_sip in
> /etc/shorewall6/shorewall6.conf and comment out the sip lines in
> /etc/shorewall6/conntrack. If you do that, you should be able to restart
> either shorewall or shorewall6 without the SIP helper being loaded. I
> have verified that in my own configuration. There, I have
> AUTOHELPERS=Yes in both .conf files.
>

No problem, Tom. I hope you noticed my next message regarding this subject. I 
was able to do a workaround by putting specific helpers in the HELPERS variable.
I do believe that it should work the way you describe, because it was the 
first case where it didn't work for me. Maybe it is a special case for this one 
particular installation. Similarly, I have one (and only one) system on which 
shorewall needs an unusually long time for the "loading modules" stage during each 
start/restart. For "shorewall check" and "shorewall compile" I can work around 
this by creating /etc/capabilities, but it does not help for other operations.

Regards.
--
Artur
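
The conditions discussed in this thread (DONT_LOAD listing nf_conntrack_sip in both .conf files, no active sip lines in either conntrack file, module absent from the kernel) can be checked in one pass. This is an added example, not part of the original messages or of Shorewall itself; the function names and the optional ROOT prefix argument are hypothetical, and the file paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example: audit the SIP-helper settings discussed in this thread.
# Assumption: an optional ROOT prefix lets the audit run against a copy of /etc and /proc.

# dont_load_has CONF MODULE: true if MODULE is listed in the last DONT_LOAD= line of CONF
dont_load_has() {
    val=$(sed -n 's/^[[:space:]]*DONT_LOAD=//p' "$1" 2>/dev/null |
          sed 's/#.*//' | tail -n 1 | tr -d "\"' ")
    case ",$val," in
        *,"$2",*) return 0 ;;
    esac
    return 1
}

# sip_lines_active FILE: true if FILE has a line mentioning sip outside a comment
sip_lines_active() {
    [ -f "$1" ] && sed 's/#.*//' "$1" | grep -qi 'sip'
}

# module_loaded MODULE MODULES_FILE: true if MODULE appears in a /proc/modules style file
module_loaded() {
    grep -q "^$1 " "$2" 2>/dev/null
}

# audit_sip_helper [ROOT]: print one line per finding; return 1 if there is any
audit_sip_helper() {
    root=${1:-}
    findings=0
    for product in shorewall shorewall6; do
        conf="$root/etc/$product/$product.conf"
        [ -f "$conf" ] || continue          # product not installed
        if ! dont_load_has "$conf" nf_conntrack_sip; then
            echo "$conf: DONT_LOAD does not list nf_conntrack_sip"
            findings=$((findings + 1))
        fi
        if sip_lines_active "$root/etc/$product/conntrack"; then
            echo "$root/etc/$product/conntrack: uncommented sip lines present"
            findings=$((findings + 1))
        fi
    done
    if module_loaded nf_conntrack_sip "$root/proc/modules"; then
        echo "nf_conntrack_sip is currently loaded"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run against the live system only when asked to: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_sip_helper; fi
```

Running the audit once after "shorewall restart" and once after "shorewall6 restart" shows which of the two products brings the module back.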



_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users