I compile SW configs locally and push them to remote shorewall-lite instances.

I've recently upgraded my build machine to

        shorewall version
                4.6.13
        uname -r
                4.3.0-3.g733f8ab-default

Two new issues have cropped up.

(1) When the remote is at

        shorewall version
                4.6.13
        uname -r
                3.16.7-29-default

My usual compile/push step

        shorewall -v reload -c -s 10.13.22.100

now fails, returning

        ...
        Usage: shorewall [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>
        where <command> is one of:
           add <interface>[:<host-list>] ... <zone>
           allow <address> ...
           [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]
           clear
           [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]
           close <source> <dest> [ <protocol> [ <port> ] ]
        ...
           reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>
        ...

From the man page,

        ...
        reload [-s] [-c] [-r root-user-name] [-T] [-i] [ directory ] system
           If directory is omitted, the current working directory is assumed. Allows a
           non-root user to compile a shorewall script and install it on a system
           (provided that the user has root access to the system via ssh). The command is
           equivalent to:

                   /sbin/shorewall compile -e directory directory/firewall &&\
                   scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
                   ssh root@system '/sbin/shorewall-lite restart'

           In other words, the configuration in the specified (or defaulted) directory is
           compiled to a file called firewall in that directory. If compilation succeeds,
           then firewall is copied to system using scp. If the copy succeeds, Shorewall
           Lite on system is restarted via ssh.
        ...

Executing the 'equivalent to' cmd,

        shorewall compile -e . ./firewall
        scp ./firewall ./firewall.conf root@10.13.22.100:/var/lib/shorewall-lite/
        ssh root@10.13.22.100 '/usr/sbin/shorewall-lite restart'

completes OK

        ...
        Processing started user exit ...
        done.

and the remote is correctly populated/restarted & functions OK.


(2) When the remote is also at the newer kernel

        shorewall version
                4.6.13
        uname -r
                4.3.0-3.g733f8ab-default

executing my usual "./firewall" on the remote fails when adding my primary provider in my usual MultiISP config

        ...
        Adding Providers...
        RTNETLINK answers: Invalid argument
           ERROR: Command "/sbin/ip -4 route add table ISP2 XX.XX.XX.0/22 dev eth0 proto kernel scope link src XX.XX.XX.215" Failed
        ...

Dropping back to old kernel, 3.16.x, fixes the problem

Known issues?
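The compile / scp / ssh sequence that the shorewall(8) man page quotes as the equivalent of "reload" (and that the poster reports working where "reload" itself did not), written out as a fail-closed script. This is an added example, not code from the original post or from the Shorewall project. The config directory, remote host and the /sbin/shorewall-lite path (the poster's system had it under /usr/sbin) are illustrative assumptions; DRY_RUN prints the commands instead of running them so the sequence can be inspected on a machine without shorewall installed.

```shell
#!/bin/sh
# Added example (not from the original post): compile a Shorewall config
# locally and push it to a shorewall-lite host, step by step, stopping at the
# first failure exactly as the man page's "cmd && cmd && cmd" chain does.
set -eu

# Assumed remote path of the shorewall-lite wrapper; override via environment
# (the man page shows /sbin, the poster's host used /usr/sbin).
SHOREWALL_LITE=${SHOREWALL_LITE:-/sbin/shorewall-lite}

# run CMD ARGS...: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# push_firewall <config-dir> <remote-host> [<ssh-user>]
# Mirrors the man page: compile -e, then scp, then ssh restart.
push_firewall() {
    dir=$1
    system=$2
    user=${3:-root}

    # 1. Compile for export (-e) to $dir/firewall. Nothing touches the remote
    #    unless this step succeeds.
    run shorewall compile -e "$dir" "$dir/firewall" || return 1

    # 2. Copy the compiled script and its .conf to the shorewall-lite state dir.
    run scp "$dir/firewall" "$dir/firewall.conf" \
        "$user@$system:/var/lib/shorewall-lite/" || return 1

    # 3. Restart shorewall-lite remotely. BatchMode=yes makes ssh fail instead
    #    of prompting, so an unknown host key or missing key aborts the push
    #    rather than hanging an unattended run.
    run ssh -o BatchMode=yes "$user@$system" \
        "$SHOREWALL_LITE restart" || return 1
}

# Usage: ./push-fw.sh <config-dir> <remote-host> [<ssh-user>]
if [ "$#" -ge 2 ]; then
    push_firewall "$@"
fi
```

Note the ordering caveat the man page's chain shares: the new script is copied before the restart runs, so a failed restart (as in issue (2) above) leaves the new firewall file on the remote while the old rules stay loaded; keep the previous working compile around so it can be pushed again.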

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users