On 10/7/2020 4:48 PM, Matt Darfeuille wrote:
> On 10/7/2020 4:27 PM, Simon Matter wrote:
>>>> On 10/6/20 8:50 AM, Matt Darfeuille wrote:
>>>>> On 10/6/2020 5:11 PM, Tom Eastep wrote:
>>>>>> On 10/6/20 7:33 AM, Simon Matter wrote:
>>>>>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote:
>>>>>>>>>>> Compilation will only happen when '/etc/shorewall' is modified.
>>>>>>>>>>> So if I'm not mistaken, updating the firewall will not trigger a
>>>>>>>>>>> recompilation.
>>>>>>>>>>>
>>>>>>>>>> Recompilation should occur if ANY file in ANY directory in $CONFIG_PATH
>>>>>>>>>> changes. Given that installing a new version updates
>>>>>>>>>> /usr/share/shorewall/, 'reload' after an update should force
>>>>>>>>>> re-compilation.
>>>>>>>>>>
>>>>>>>>>> I reproduced this problem using the tarball installers.
>>>>>>>>>>
>>>>>>>>>> Simon -- How did you upgrade?
>>>>>>>>>
>>>>>>>>> Dear Tom and all,
>>>>>>>>>
>>>>>>>>> For a test I've downgraded to shorewall-5.2.6.1 and saw the same
>>>>>>>>> behavior.
>>>>>>>>
>>>>>>>> Tom is asking *how* you upgraded/downgraded.
>>>>>>>
>>>>>>> As I said, with my own RPMs; they are mentioned on
>>>>>>> https://shorewall.org/download.htm
>>>>>>>
>>>>>> After 'reload' didn't recompile, I found that the mtime of
>>>>>> /var/lib/shorewall/firewall had been mysteriously updated to a time
>>>>>> after the upgrade. Have others noticed the same behavior?
>>>>>>
>>>>> I just installed SW 5.2.8 (core, shorewall, init) followed by 'shorewall
>>>>> update' and 'shorewall reload'.
>>>>> The below is after multiple 'shorewall update followed by reload'.
>>>>>
>>>>> /var/lib/shorewall# ls -l firewall && shorewall reload && ls -l firewall
>>>>> -rwx------ 1 root root 76618 Oct 6 17:33 firewall
>>>>> Reloading Shorewall....
>>>>> Initializing...
>>>>> Processing /etc/shorewall/init ...
>>>>> [snip]
>>>>> Setting up Route Filtering...
>>>>> Setting up Martian Logging...
>>>>> Preparing iptables-restore input...
>>>>> Running /sbin/iptables-restore --wait 60...
>>>>> IPv4 Forwarding Enabled
>>>>> done.
>>>>> -rwx------ 1 root root 76618 Oct 6 17:33 firewall
>>>>>
>>>>> Do you want another test?
>>>>>
>>>> What was the current time? Or, what was the output of 'ls -l
>>>> /usr/share/shorewall/'?
>>>
>>> OK, found it in my case, it's coming from here:
>>>
>>> elif [ -z "$AUTOMAKE" ]; then
>>>     if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
>>>         return 1;
>>>     fi
>>>
>>> I had 5.2.7 installed and made some configuration changes, say in October.
>>> Then I upgraded to 5.2.8 with the RPM, which was built in September.
>>>
>>> So, the content in /usr/share/shorewall/ has mtimes in September, but my
>>> /var/lib/shorewall/firewall was created in October.
>>>
>>> Result: the 'find' above doesn't show anything newer than my
>>> /var/lib/shorewall/firewall and nothing is recompiled on reload.
>>>
>>> This affects my own RPMs but I guess the same is true for others too.
>>>
>>> I'm thinking about what the best fix is here. Maybe simply add a %post
>>> install script which does:
>>>
>>> mv -f /var/lib/shorewall[6]/firewall /var/lib/shorewall[6]/firewall.old
>>>
>>> Maybe we can discuss this here so all packages can use the same approach.
>>
>> I've added the following to the %post sections:
>>
>> if [[ -f %{_var}/lib/%{name}/firewall ]]; then
>>     %{__mv} -f %{_var}/lib/%{name}/firewall %{_var}/lib/%{name}/firewall.rpmold > /dev/null 2>&1 || :
>> fi
>>
>> and
>>
>> if [[ -f %{_var}/lib/%{name}6/firewall ]]; then
>>     %{__mv} -f %{_var}/lib/%{name}6/firewall %{_var}/lib/%{name}6/firewall.rpmold > /dev/null 2>&1 || :
>> fi
>>
>> It works well now and always recompiles after an upgrade.
>>
>> It also adds some additional security because one can easily diff the
>> resulting configuration after an upgrade.
>>
>
> I'll commit that, and send it through this list for review.
>
Attached is release-master-1-20.10.07.17.04.57-rfc.patch, which applies Simon's suggestion. Any feedback and testing is appreciated.

-- 
Matt Darfeuille <[email protected]>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
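The mtime comparison Simon quotes and the %post rename that the attached patch applies, reproduced as an added shell example (not code from the Shorewall project): the directory layout and the September/October timestamps are constructed stand-ins for /usr/share/shorewall and /var/lib/shorewall, and the "no compiled script yet" branch is an assumption added so the function is self-contained.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: reproduces the stale-mtime check
# that decides whether 'reload' recompiles, then applies the %post rename fix.
# Assumed layout: "$share" stands in for /usr/share/shorewall and "$state" for
# /var/lib/shorewall; all timestamps are constructed with 'touch -d'.

needs_compile() {
    # Same test as the quoted shell: recompile (return 0) only if some file in
    # the config directory $1 is newer than the compiled script $2.
    if [ ! -f "$2" ]; then
        return 0    # assumption: no compiled script at all, so compile
    fi
    [ -n "$(find "$1" -maxdepth 1 -type f -newer "$2" -print -quit)" ]
}

rpm_post_rename() {
    # The %post fix from the thread: move the compiled script aside so the next
    # reload has to recompile, keeping a copy that can be diffed afterwards.
    if [ -f "$1/firewall" ]; then
        mv -f "$1/firewall" "$1/firewall.rpmold" > /dev/null 2>&1 || :
    fi
}

demo() {
    # Prints "<before> <after> <saved>": 1 = reload would NOT recompile,
    # 0 = it would recompile.
    tmp=$(mktemp -d)
    share="$tmp/share"; state="$tmp/state"
    mkdir -p "$share" "$state"
    # Files shipped by an RPM that was built in September (constructed) ...
    touch -d '2020-09-15 12:00:00' "$share/lib.base"
    # ... but the compiled script came from an October config change.
    touch -d '2020-10-01 09:00:00' "$state/firewall"
    before=1; after=1; saved=missing
    needs_compile "$share" "$state/firewall" && before=0
    rpm_post_rename "$state"
    needs_compile "$share" "$state/firewall" && after=0
    [ -f "$state/firewall.rpmold" ] && saved=saved
    rm -rf "$tmp"
    echo "$before $after $saved"
}

demo
```

Before the rename the September package files are all older than the October `firewall`, so the check finds nothing newer and reload skips compilation; after the rename there is no compiled script to compare against and compilation is forced.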
From eb2ca7995543dd7734e342ef64a3153ba7bb3a9a Mon Sep 17 00:00:00 2001 From: Matt Darfeuille <[email protected]> Date: Wed, 7 Oct 2020 17:04:31 +0200 Subject: [RFC PATCH] Ensure compilation when updating RPMs Signed-off-by: Matt Darfeuille <[email protected]> --- shorewall.spec | 4 ++++ shorewall6.spec | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/shorewall.spec b/shorewall.spec index ad69165..990033e 100644 --- a/shorewall.spec +++ b/shorewall.spec @@ -44,6 +44,10 @@ rm -rf %{buildroot} %post +if [ -f %{_var}/lib/%{name}/firewall ]; then + %{__mv} -f %{_var}/lib/%{name}/firewall %{_var}/lib/%{name}/firewall.rpmold > /dev/null 2>&1 || : +fi + if [ $1 -eq 1 ]; then if [ -x %{_sbindir}/systemctl ]; then %{_sbindir}/systemctl enable shorewall diff --git a/shorewall6.spec b/shorewall6.spec index 37c1025..77a229a 100644 --- a/shorewall6.spec +++ b/shorewall6.spec @@ -47,6 +47,10 @@ rm -rf $RPM_BUILD_ROOT %post +if [ -f %{_var}/lib/%{name}6/firewall ]; then + %{__mv} -f %{_var}/lib/%{name}6/firewall %{_var}/lib/%{name}6firewall.rpmold > /dev/null 2>&1 || : +fi + if [ $1 -eq 1 ]; then if [ -x %{_sbindir}/systemctl ]; then %{_sbindir}/systemctl enable shorewall6 -- 2.11.0
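Review bot: In the shorewall.spec %post hunk, the `firewall.rpmold` file the scriptlet creates is not listed in %files (this patch adds no `%ghost` entry), so `rpm -e` leaves it behind and every later upgrade silently overwrites the previous copy; consider adding `%ghost %{_var}/lib/%{name}/firewall.rpmold` to %files or removing it in %postun. The `> /dev/null 2>&1 || :` on the `%{__mv}` line also hides a failed rename, and in that case the stale compiled script stays in place and the next reload would still skip recompilation, which is the very condition the subject line says this patch is meant to remove; printing a warning when the move fails would make that visible to the administrator.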
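Review bot: The shorewall6.spec hunk has a path typo: the destination `%{_var}/lib/%{name}6firewall.rpmold` is missing the slash before `firewall`, so the old script is moved to a `...6firewall.rpmold` file in the parent directory instead of into the shorewall6 state directory; it should read `%{_var}/lib/%{name}6/firewall.rpmold`, matching the source path on the same line. Recompilation is still forced because the file is moved away, but the copy intended for diffing lands in the wrong place. Please also confirm that `%{name}` in shorewall6.spec expands to `shorewall` rather than `shorewall6`: the unchanged context line hardcodes `systemctl enable shorewall6`, and if Name were already `shorewall6` the `%{name}6` path would point at a nonexistent `shorewall66` directory, the `-f` test would never match, and the fix would be a no-op for the IPv6 package.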
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
