On 10/7/2020 4:27 PM, Simon Matter wrote:
>>> On 10/6/20 8:50 AM, Matt Darfeuille wrote:
>>>> On 10/6/2020 5:11 PM, Tom Eastep wrote:
>>>>> On 10/6/20 7:33 AM, Simon Matter wrote:
>>>>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote:
>>>>>>>>>> Compilation will only happen when '/etc/shorewall' is modified.
>>>>>>>>>> So if I'm not mistaken, updating the firewall will not trigger a
>>>>>>>>>> recompilation.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Recompilation should occur if ANY file in ANY directory in
>>>>>>>>> $CONFIG_PATH changes. Given that installing a new version updates
>>>>>>>>> /usr/share/shorewall/, 'reload' after an update should force
>>>>>>>>> re-compilation.
>>>>>>>>>
>>>>>>>>> I reproduced this problem using the tarball installers.
>>>>>>>>>
>>>>>>>>> Simon -- How did you upgrade?
>>>>>>>>
>>>>>>>> Dear Tom and all,
>>>>>>>>
>>>>>>>> For a test I've downgraded to shorewall-5.2.6.1 and saw the same
>>>>>>>> behavior.
>>>>>>>
>>>>>>> Tom is asking *how* you upgraded/downgraded.
>>>>>>
>>>>>> As I said, with my own RPMs; they are mentioned on
>>>>>> https://shorewall.org/download.htm
>>>>>>
>>>>>
>>>>> After 'reload' didn't recompile, I found that the mtime of
>>>>> /var/lib/shorewall/firewall had been mysteriously updated to a time
>>>>> after the upgrade. Have others noticed the same behavior?
>>>>>
>>>>
>>>> I just installed SW 5.2.8 (core, shorewall, init) followed by
>>>> 'shorewall update' and 'shorewall reload'.
>>>> The below is after multiple 'shorewall update' followed by 'reload'.
>>>>
>>>> /var/lib/shorewall# ls -l firewall && shorewall reload && ls -l firewall
>>>> -rwx------ 1 root root 76618 Oct 6 17:33 firewall
>>>> Reloading Shorewall....
>>>> Initializing...
>>>> Processing /etc/shorewall/init ...
>>>> [snip]
>>>> Setting up Route Filtering...
>>>> Setting up Martian Logging...
>>>> Preparing iptables-restore input...
>>>> Running /sbin/iptables-restore --wait 60...
>>>> IPv4 Forwarding Enabled
>>>> done.
>>>> -rwx------ 1 root root 76618 Oct 6 17:33 firewall
>>>>
>>>> Do you want another test?
>>>>
>>>
>>> What was the current time? Or, what was the output of 'ls -l
>>> /usr/share/shorewall/'?
>>
>> OK, found it in my case, it's coming from here:
>>
>> elif [ -z "$AUTOMAKE" ]; then
>>     if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
>>         return 1;
>>     fi
>>
>> I had 5.2.7 installed and made some configuration changes, say in October.
>> Then I upgraded to 5.2.8 with the RPM, which was built in September.
>>
>> So, the content in /usr/share/shorewall/ has mtimes in September, but my
>> /var/lib/shorewall/firewall was created in October.
>>
>> Result: the 'find' above doesn't show anything newer than my
>> /var/lib/shorewall/firewall and nothing is recompiled on reload.
>>
>> This affects my own RPMs but I guess the same is true for others too.
>>
>> I'm thinking about what the best fix is here. Maybe simply add a %post
>> install script which does:
>>
>> mv -f /var/lib/shorewall[6]/firewall /var/lib/shorewall[6]/firewall.old
>>
>> Maybe we can discuss this here so all packages can use the same approach.
>
> I've added the following to the %post sections:
>
> if [[ -f %{_var}/lib/%{name}/firewall ]]; then
>     %{__mv} -f %{_var}/lib/%{name}/firewall %{_var}/lib/%{name}/firewall.rpmold > /dev/null 2>&1 || :
> fi
>
> and
>
> if [[ -f %{_var}/lib/%{name}6/firewall ]]; then
>     %{__mv} -f %{_var}/lib/%{name}6/firewall %{_var}/lib/%{name}6/firewall.rpmold > /dev/null 2>&1 || :
> fi
>
> It works well now and always recompiles after an upgrade.
>
> It also adds some additional security because one can easily diff the
> resulting configuration after an upgrade.
>

I'll commit that, and send it through this list for review.

-- 
Matt Darfeuille <m...@shorewall.org>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
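The following is an added example, not part of the thread and not Shorewall's own code. It rebuilds the situation Simon describes in a scratch directory: package files with September mtimes, a compiled firewall script with an October mtime, and the same `find ... -newer` test as the quoted snippet. It then applies the `%post` rename and shows that the next check forces a recompile while the old script remains available for diffing. The function names, the timestamps and the directory layout under `mktemp -d` are all constructed for the example.

```shell
#!/bin/sh
# Added example (not Shorewall's code): reproduce the stale-mtime skip and the
# %post rename fix in a throwaway directory. All paths are constructed.

# needs_recompile SHARE_DIR COMPILED
# Same decision as the 'find ... -newer' line quoted in the thread: true (0)
# when some file directly under SHARE_DIR is newer than COMPILED, or when
# COMPILED does not exist at all.
needs_recompile() {
    share="$1"
    compiled="$2"
    [ -f "$compiled" ] || return 0
    if [ -n "$(find "$share" -maxdepth 1 -type f -newer "$compiled" -print -quit)" ]; then
        return 0
    fi
    return 1
}

# post_install_rename COMPILED
# The %post fix from the thread: set the previously compiled script aside so a
# later reload cannot mistake it for current output.
post_install_rename() {
    compiled="$1"
    if [ -f "$compiled" ]; then
        mv -f "$compiled" "$compiled.rpmold" > /dev/null 2>&1 || :
    fi
}

# demo_stale_upgrade
# Returns 0 only if the sequence matches the thread: a plain "upgrade" with
# older package mtimes is NOT detected, and the rename makes it detected.
demo_stale_upgrade() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/share" "$tmp/lib"
    # Constructed package files, "built in September" (POSIX touch -t: YYYYMMDDhhmm)
    touch -t 202009151200 "$tmp/share/lib.core" "$tmp/share/compiler.pl"
    # Constructed compiled script, generated by the admin "in October"
    touch -t 202010011200 "$tmp/lib/firewall"

    # 1) After the upgrade nothing under share/ is newer than the compiled
    #    script, so the mtime check wrongly reports it as up to date.
    if needs_recompile "$tmp/share" "$tmp/lib/firewall"; then
        rm -rf "$tmp"; return 1
    fi

    # 2) The %post rename removes the stale script; the check now forces a
    #    recompile regardless of how the build and config times compare.
    post_install_rename "$tmp/lib/firewall"
    if ! needs_recompile "$tmp/share" "$tmp/lib/firewall"; then
        rm -rf "$tmp"; return 1
    fi

    # 3) The old script survives as firewall.rpmold for a post-upgrade diff.
    [ -f "$tmp/lib/firewall.rpmold" ] || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    return 0
}

# Stand-alone usage: report whether the scenario behaved as described.
if demo_stale_upgrade; then
    echo "reproduced: mtime check skipped the recompile; rename forces it"
else
    echo "scenario did not behave as described" >&2
fi
```

The point the demo makes is that an mtime-only freshness test compares the package build time with the admin's last compile time, two clocks that have no guaranteed ordering; renaming the compiled script in `%post` removes that dependency, and keeping the `.rpmold` copy gives a concrete artifact to diff against the freshly compiled one.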