>> On 10/6/20 8:50 AM, Matt Darfeuille wrote:
>>> On 10/6/2020 5:11 PM, Tom Eastep wrote:
>>>> On 10/6/20 7:33 AM, Simon Matter wrote:
>>>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote:
>>>>>>>>> Compilation will only happen when '/etc/shorewall' is modified.
>>>>>>>>> So if I'm not mistaken, updating the firewall will not trigger a
>>>>>>>>> recompilation.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Recompilation should occur if ANY file in ANY directory in $CONFIG_PATH
>>>>>>>> changes. Given that installing a new version updates
>>>>>>>> /usr/share/shorewall/, 'reload' after an update should force
>>>>>>>> re-compilation.
>>>>>>>>
>>>>>>>> I reproduced this problem using the tarball installers.
>>>>>>>>
>>>>>>>> Simon -- How did you upgrade?
>>>>>>>
>>>>>>> Dear Tom and all,
>>>>>>>
>>>>>>> For a test I've downgraded to shorewall-5.2.6.1 and saw the same
>>>>>>> behavior.
>>>>>>
>>>>>> Tom is asking *how* you upgraded/downgraded.
>>>>>
>>>>> As I said, with my own RPMs; they are mentioned on
>>>>> https://shorewall.org/download.htm
>>>>>
>>>>
>>>> After 'reload' didn't recompile, I found that the mtime of
>>>> /var/lib/shorewall/firewall had been mysteriously updated to a time
>>>> after the upgrade. Have others noticed the same behavior?
>>>>
>>>
>>> I just installed SW 5.2.8 (core, shorewall, init) followed by
>>> 'shorewall update' and 'shorewall reload'.
>>> The below is after multiple 'shorewall update' followed by 'reload'.
>>>
>>> /var/lib/shorewall# ls -l firewall && shorewall reload && ls -l firewall
>>> -rwx------ 1 root root 76618 Oct 6 17:33 firewall
>>> Reloading Shorewall....
>>> Initializing...
>>> Processing /etc/shorewall/init ...
>>> [snip]
>>> Setting up Route Filtering...
>>> Setting up Martian Logging...
>>> Preparing iptables-restore input...
>>> Running /sbin/iptables-restore --wait 60...
>>> IPv4 Forwarding Enabled
>>> done.
>>> -rwx------ 1 root root 76618 Oct 6 17:33 firewall
>>>
>>>
>>> Do you want another test?
>>>
>>
>> What was the current time? Or, what was the output of 'ls -l
>> /usr/share/shorewall/'?
>
> OK, found it in my case, it's coming from here:
>
> elif [ -z "$AUTOMAKE" ]; then
>     if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
>         return 1;
>     fi
>
> I had 5.2.7 installed and made some configuration changes, say in October.
> Then I upgraded to 5.2.8 with the RPM, which was built in September.
>
> So, the content in /usr/share/shorewall/ has mtimes in September, but my
> /var/lib/shorewall/firewall was created in October.
>
> Result: the 'find' above doesn't show anything newer than my
> /var/lib/shorewall/firewall and nothing is recompiled on reload.
>
> This affects my own RPMs but I guess the same is true for others too.
>
> I'm thinking about what the best fix is here. Maybe simply add a %post
> install script which does:
>
> mv -f /var/lib/shorewall[6]/firewall /var/lib/shorewall[6]/firewall.old
>
> Maybe we can discuss this here so all packages can use the same approach.
I've added the following to the %post sections:

if [[ -f %{_var}/lib/%{name}/firewall ]]; then
    %{__mv} -f %{_var}/lib/%{name}/firewall %{_var}/lib/%{name}/firewall.rpmold > /dev/null 2>&1 || :
fi

and

if [[ -f %{_var}/lib/%{name}6/firewall ]]; then
    %{__mv} -f %{_var}/lib/%{name}6/firewall %{_var}/lib/%{name}6/firewall.rpmold > /dev/null 2>&1 || :
fi

It works well now and always recompiles after an upgrade. It also adds some additional security because one can easily diff the resulting configuration after an upgrade.

Regards,
Simon

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
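An added example, not Shorewall's code and not part of Simon's post: it re-implements the quoted '-newer' check, rebuilds the mtime situation from the thread in a temporary directory (config edited and compiled in October, package files dated September) and shows why the %post rename makes the next reload recompile. Directory names and mtimes are constructed; treating a missing compiled script as "must recompile" is an assumption.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Reproduces the quoted
# 'find ... -newer' check and the stale-script scenario, then applies
# the equivalent of the %post rename.
set -eu

# Same test as the quoted snippet, applied to every directory in a
# CONFIG_PATH-style list. Shorewall convention: return 1 = "recompile".
# Assumption for this example: no compiled script at all also means recompile.
needs_recompile() {
    script=$1; shift
    [ -f "$script" ] || return 1
    for dir in "$@"; do
        if [ -n "$(find "$dir" -maxdepth 1 -type f -newer "$script" -print -quit)" ]; then
            return 1
        fi
    done
    return 0
}

# Constructed scenario: /etc-style config edited and compiled in October,
# then a package built in September lands in the share directory.
setup_upgrade_scenario() {
    work=$(mktemp -d)
    mkdir -p "$work/etc" "$work/share" "$work/lib"
    : > "$work/etc/rules";      touch -t 202010011200 "$work/etc/rules"
    : > "$work/lib/firewall";   touch -t 202010011205 "$work/lib/firewall"
    : > "$work/share/lib.core"; touch -t 202009150900 "$work/share/lib.core"  # new package, old mtime
    echo "$work"
}

# Equivalent of the %post snippet: move the compiled script aside so the
# next reload cannot find a script that looks newer than its inputs.
post_install_rename() {
    lib=$1
    if [ -f "$lib/firewall" ]; then
        mv -f "$lib/firewall" "$lib/firewall.rpmold"
    fi
}

# Prints "stale" when reload would keep the old script, "recompile" otherwise.
reload_decision() {
    work=$1
    if needs_recompile "$work/lib/firewall" "$work/etc" "$work/share"; then
        echo stale
    else
        echo recompile
    fi
}
```

Calling `reload_decision` on a fresh scenario prints "stale"; after `post_install_rename "$work/lib"` it prints "recompile", and the renamed `firewall.rpmold` is left in place for a diff against the newly compiled script.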