On 08/10/2017 01:07 AM, Vieri Di Paola via Shorewall-users wrote: > I'm asking because I'm seeing two issues with the restart command when trying > to move from shorewall 5.0.14.1 to a more recent version (eg. 5.1.5.1). > > According to > http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.14/releasenotes.txt, > the "restart" option should behave the same way. So, if RESTART=restart then > a "true" restart is done (stop&start). It won't be a "reload". >
No. If you take an existing 5.0 configuration and do a 'shorewall update' on 5.1, THEN 'restart' will work the same as it did before the upgrade. If you build a new configuration of 5.1 and leave RESTART=restart, then 'restart' will behave differently than on 5.0. So if you want 'restart' to behave as it did in 5.0, then you must have RESTART=reload in shorewall.conf. > On both of my old and new shorewall systems, RESTART=restart. > ADMINISABSENTMINDED is also set to Yes. > > First issue: > > Here's what I see when I ping to a host in CAIB zone at 10.215.9.172 from a > host in LAN zone while running "shorewall restart". > > [...] > 64 bytes from 10.215.9.172: icmp_seq=4 ttl=59 time=4.06 ms > 64 bytes from 10.215.9.172: icmp_seq=5 ttl=59 time=2.77 ms > 64 bytes from 10.215.9.172: icmp_seq=6 ttl=59 time=2.30 ms > From 172.16.0.2 icmp_seq=7 Time to live exceeded > 64 bytes from 10.215.9.172: icmp_seq=8 ttl=59 time=2.97 ms > 64 bytes from 10.215.9.172: icmp_seq=9 ttl=59 time=4.23 ms > 64 bytes from 10.215.9.172: icmp_seq=10 ttl=59 time=2.98 ms > > This is the content of stoppedrules: > > ACCEPT $IF_LAN $IF_IBS > ACCEPT $IF_LAN $IF_CAIB > > The IP addr. 172.16.0.2 is on a gateway out the WAN interface. > > The providers file contains: > WAN 1 1 - $IF_WAN $ADDR_GW_WAN track,primary > CAIB 2 2 - $IF_CAIB $ADDR_GW_CAIB > track,fallback=1 > IBS 3 3 - $IF_IBS $ADDR_GW_IBS > track,fallback=1 > > The rtrules file contains: > - 10.215.0.0/17 CAIB 11692 > > So I guess that if I wanted to allow all traffic from lan to caib and to ibs > then I would also have to modify the routing table. > I think I should do this in the "stopped" file with something like this: > > route add 10.215.0.0/17 gw $ADDR_GW_CAIB > > I haven't tried it though. Does it make sense? No. > > Also, would I need to remove the route entries listed in "stopped" when > shorewall starts again? Would I need to add something like this in the > "started" or "start" files? Which file BTW? (I would need to do that before > Shorewall starts handling routes) > > route del 10.215.0.0/17 > > Alternatively, if I could do without running the code in "stopped" and > "started" then I could issue a "shorewall reload". > However, I've seen the "From 172.16.0.2 icmp_seq=38 Time to live exceeded" > message even when issuing a "reload". > So it seems that in this particular case (maybe due to the providers&rtrules > settings) a reload and a restart behave alike (only tested with 5.0.14.1 as > 5.1.5.1 is not in production yet). > In both 'restart' and 'reload', the provider routing tables and rules are purged then reloaded. But they were purged and reloaded on 5.0 as well. > The second issue regards performance on a restart or a reload. > > Both of my systems (5.0 / 5.1) have the same ruleset of about 7000 lines. > Shorewall 5.0 is running on a "weak" server whereas 5.1 is on much more > powerful hardware. > > With 5.0: > > # time /etc/init.d/shorewall restart > [...] > real 0m14.793s > user 0m8.780s > sys 0m1.480s > > With 5.1: > > # time /etc/init.d/shorewall restart > [...] > real 0m45.981s > user 0m42.410s > sys 0m2.310s > > The difference between the two is staggering. > It's probably due to the OPTIMIZE option in shorewall.conf, right? Yes. > > In shorewall 5.0.14.1 the default value for OPTIMIZE is 0. > In 5.1.5.1 the default value is All despite the man page saying that "The > default value is zero which disables all optimizations" (that was true for > older versions). > > So I guess I have to set OPTIMIZE=0 or None in 5.1 in order to get similar or > better timings. Yes. > > BTW, I'm wondering if the OPTIMIZE option could somehow explain the other > issue I'm having in the ML thread "traffic issues through firewall router". > I'll do a test asap. > I doubt it. -- Tom Eastep \ Q: What do you get when you cross a mobster with Shoreline, \ an international standard? Washington, USA \ A: Someone who makes you an offer you can't http://shorewall.org \ understand \_______________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users