On 11/18/2015 9:37 AM, PGNet Dev wrote:
> I compile SW configs locally, and push to remote shorewall-lite instances.
>
> I've recently upgraded my build machine to
>
> shorewall version
> 4.6.13
> uname -r
> 4.3.0-3.g733f8ab-default
>
> Two new issues have cropped up.
>
> (1) When the remote's
>
> shorewall version
> 4.6.13
> uname -r
> 3.16.7-29-default
>
> My usual compile/push step
>
> shorewall -v reload -c -s 10.13.22.100
>
> now fails, returning
>
> ...
> Usage: shorewall [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ]
> <command>
> where <command> is one of:
>
> (2) When the remote's also @ newer kernel
>
> shorewall version
> 4.6.13
> uname -r
> 4.3.0-3.g733f8ab-default
>
> executing my usual "./firewall" on the remote fails at adding my primary
> provider in my usual MultiISP config
>
> ...
> Adding Providers...
> RTNETLINK answers: Invalid argument
> ERROR: Command "/sbin/ip -4 route add table ISP2 XX.XX.XX.0/22 dev
> eth0 proto kernel scope link src XX.XX.XX.215" Failed
> ...
>
> shorewall version
> 4.6.13
> uname -r
>
> Dropping back to old kernel, 3.16.x, fixes the problem
>
> Known issues?
>
No -- and I can reproduce neither problem on an updated Fedora 23 system running Shorewall 4.6.13.2.

[root@fedora shorewall]# shorewall version -a
shorewall-core: 4.6.13.2
shorewall: 4.6.13.2
shorewall-lite: 4.6.13.2
/var/lib/shorewall/firewall was compiled by Shorewall version 4.6.13.2
[root@fedora shorewall]# uname -r
4.2.6-300.fc23.x86_64
[root@fedora shorewall]#
[root@fedora shorewall]# shorewall -v reload -c -s 127.0.0.1
WARNING: ./shorewallrc does not exist; using settings from /usr/share/shorewall
Getting Capabilities on system 127.0.0.1...
root@127.0.0.1's password:
root@127.0.0.1's password:
Compiling using Shorewall 4.6.13.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Compiling /etc/shorewall/zones...
...
Copying /etc/shorewall/firewall and /etc/shorewall/firewall.conf to 127.0.0.1:/var/lib/shorewall-lite...
root@127.0.0.1's password:
firewall 100% 75KB 74.5KB/s 00:00
firewall.conf 100% 807 0.8KB/s 00:00
Copy complete
root@127.0.0.1's password:
Restarting Shorewall Lite....
Initializing...
Processing init user exit ...
Processing tcclear user exit ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Disabling Kernel Automatic Helper Association
Preparing iptables-restore input...
Running /sbin/iptables-restore ...
IPv4 Forwarding Disabled!
Processing start user exit ...
Processing started user exit ...
done.
System 127.0.0.1 reloaded
root@127.0.0.1's password:
Currently-running Configuration Saved to /var/lib/shorewall-lite/restore
Configuration on system 127.0.0.1 saved
[root@fedora shorewall]#
[root@fedora shorewall]# ip -4 route add table 22 172.20.1.0/24 dev \
enp0s3 proto kernel scope link src 172.20.1.219
[root@fedora shorewall]#

I used a numeric routing table identifier so that I didn't have to modify my /etc/iproute2/rt_tables file.

Note that a different error message is produced if a non-existent name is used:

[root@fedora shorewall]# ip -4 route add table ISP2 172.20.1.0/24 dev enp0s3 proto kernel scope link src 172.20.1.219
Error: argument "ISP2" is wrong: "table" value is invalid
[root@fedora shorewall]#

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
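
The two failure messages in this thread come from different layers: ip(8) prints 'Error: argument ... is wrong' itself when it cannot resolve a table name, while 'RTNETLINK answers:' relays an error returned by the kernel after the name was resolved. The triage helper below is an added example, not part of the original messages; the function names and the sample rt_tables content are constructed.

```shell
#!/bin/sh
# Added example. Helper names and the sample rt_tables content are constructed.

# table_defined NAME FILE: succeed if NAME is numeric or listed in an
# rt_tables-format FILE ("<id> <name>" per line, '#' starts a comment).
table_defined() {
    case $1 in
        ''|*[!0-9]*) ;;        # empty or non-numeric: needs a lookup
        *) return 0 ;;         # numeric ids need no rt_tables entry
    esac
    awk -v n="$1" '
        $1 ~ /^#/ || NF < 2 { next }
        $2 == n { found = 1 }
        END { exit !found }' "$2"
}

# classify_ip_error STDERR_TEXT: report which layer refused the route.
classify_ip_error() {
    case $1 in
        '')                            echo ok ;;
        *'"table" value is invalid'*)  echo table-name-unresolved ;;
        *'RTNETLINK answers:'*)        echo kernel-rejected ;;
        *)                             echo other ;;
    esac
}

# Constructed sample file standing in for /etc/iproute2/rt_tables.
sample=$(mktemp)
printf '%s\n' '# reserved values' '255 local' '254 main' '1 ISP1' > "$sample"

for t in 22 ISP1 ISP2; do
    if table_defined "$t" "$sample"; then
        echo "$t: resolvable"
    else
        echo "$t: not in rt_tables"
    fi
done
classify_ip_error 'RTNETLINK answers: Invalid argument'
classify_ip_error 'Error: argument "ISP2" is wrong: "table" value is invalid'
rm -f "$sample"
```

A 'kernel-rejected' result means rt_tables is not the place to look: the table name was accepted and the route itself was refused.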