On 02/29/2016 04:11 AM, Nigel Quinn wrote:
> Hi Tom,
>
> Just an update on the issue I've been experiencing. I tried with
> conntrack and with the -p in the STARTOPTIONS, but I think the issue
> isn't related to this as the dump was suggesting. I've attached two
> dumps, sorry if that's too much info. The first dump was taken when chilli
> and shorewall were working well together (no Sfilter messages), and the
> second dump was taken when chilli and shorewall weren't working well
> together (sfilter messages for both tcp/80 and udp/53).
There were no attachments.
>
> The sequence I've identified is this, and its only when I have Providers
> configured in Shorewall:
> 1) Chilli and Shorewall working well together
> 2) Client connects to Chilli on tun10 and gets IP address of 192.168.200.10,
> and is able to browse the internet
> 3) I reboot the appliance
> 4) Shorewall service starts (two Providers(VSAT and FB) configured, tun10
> defined in interfaces/zones)
> 5) Chilli service starts
> 6) Client connects to Chilli on tun10 and gets IP address of
> 192.168.200.10, and is not able to DNS resolve or browse the internet.
> 7) Shorewall starts reporting sFilter messages for udp/53 and http/80
>
> I can get this to work by either:
> a) # shorewall restart
> b) # shorewall safe-restart (and click either Y or N, as both work)
> c) Change the service start order in Centos, so Chilli starts before
> Shorewall
>
> So, the issue is caused when Chilli is started after Shorewall. The
> tun10 interface does not exist before Chilli starts, so from the dumps,
> it looks like Shorewall doesn't populate the tun10 subnet into the
> Providers routing tables.
>
> So, where to from here? I could force shorewall to restart every time
> Chilli starts, but that's not desirable.
You don't have to restart Shorewall -- you just need to:
shorewall enable tun10
> Or I could leave the service
> start order as Chilli, then Shorewall. But if Chilli crashes, then I
> would need to restart the process and then restart Shorewall.
>
> I'm curious to know what part of the # shorewall safe-restart gets
> this to work; even if I select 'N' to not accept the new configuration,
> it still fixes the issue.
>
Routing cannot be configured for an interface that isn't up (or in your
case doesn't even exist). By restarting or restoring Shorewall with the
interface up, the policy routing for the interface is then configured
correctly. As mentioned above, you can just use the 'enable' command to
accomplish the same thing (assuming that you are running a version of
Shorewall that supports the 'enable' command -- 4.4.26 or later).
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
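An added example, not from the thread or the Shorewall project: a small POSIX sh helper that waits for the Chilli tunnel interface to appear and then runs the 'enable' command Tom describes, so it can be hooked to Chilli's start (e.g. as a post-start step of the chilli service) instead of restarting Shorewall. It assumes Shorewall 4.4.26 or later, that tun10 is declared optional in the interfaces file (the 'enable' command applies to optional interfaces), and the paths /sys/class/net and /sbin/shorewall; NET_SYSFS and SHOREWALL are overridable so the logic can be exercised without a live firewall.

```shell
#!/bin/sh
# Hook for the Chilli-after-Shorewall start order problem:
# Shorewall cannot add provider routes for tun10 while the interface
# does not exist, so enable it once Chilli has created it.
# Assumed paths; override via environment for testing.
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"
SHOREWALL="${SHOREWALL:-/sbin/shorewall}"

# wait_for_iface NAME [TIMEOUT]: return 0 once NAME exists, 1 on timeout.
# Polls sysfs once per second; Chilli may take a moment to bring tun10 up.
wait_for_iface() {
    iface=$1
    timeout=${2:-30}
    waited=0
    while [ ! -d "$NET_SYSFS/$iface" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# enable_iface NAME [TIMEOUT]: wait for NAME, then tell Shorewall it is up
# (equivalent to the manual "shorewall enable tun10" from the reply).
enable_iface() {
    if ! wait_for_iface "$1" "${2:-30}"; then
        echo "interface $1 did not appear within ${2:-30}s" >&2
        return 1
    fi
    "$SHOREWALL" enable "$1"
}

# Run directly as "enable-iface.sh tun10 [timeout]"; defines only
# functions when invoked without arguments.
if [ $# -gt 0 ]; then
    enable_iface "$1" "${2:-30}"
fi
```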
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
