On 10/7/2020 4:48 PM, Matt Darfeuille wrote:
> On 10/7/2020 4:27 PM, Simon Matter wrote:
>>>> On 10/6/20 8:50 AM, Matt Darfeuille wrote:
>>>>> On 10/6/2020 5:11 PM, Tom Eastep wrote:
>>>>>> On 10/6/20 7:33 AM, Simon Matter wrote:
>>>>>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote:
>>>>>>>>>>> Compilation will only happen when '/etc/shorewall' is modified.
>>>>>>>>>>> So if I'm not mistaken, updating the firewall will not trigger a
>>>>>>>>>>> recompilation.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Recompilation should occur if ANY file in ANY directory in $CONFIG_PATH
>>>>>>>>>> changes. Given that installing a new version updates
>>>>>>>>>> /usr/share/shorewall/, 'reload' after an update should force
>>>>>>>>>> re-compilation.
>>>>>>>>>>
>>>>>>>>>> I reproduced this problem using the tarball installers.
>>>>>>>>>>
>>>>>>>>>> Simon -- How did you upgrade?
>>>>>>>>>
>>>>>>>>> Dear Tom and all,
>>>>>>>>>
>>>>>>>>> For a test I've downgraded to shorewall-5.2.6.1 and saw the same
>>>>>>>>> behavior.
>>>>>>>>
>>>>>>>> Tom is asking *how* you upgraded/downgraded.
>>>>>>>
>>>>>>> As I said with my own RPMs, they are mentioned on
>>>>>>> https://shorewall.org/download.htm
>>>>>>>
>>>>>>
>>>>>> After 'reload' didn't recompile, I found that the mtime of
>>>>>> /var/lib/shorewall/firewall had been mysteriously updated to a time
>>>>>> after the upgrade. Have others noticed the same behavior?
>>>>>>
>>>>>
>>>>> I just installed SW 5.2.8 (core, shorewall, init) followed by
>>>>> 'shorewall update' and 'shorewall reload'.
>>>>> The below is after multiple 'shorewall update followed by reload'.
>>>>>
>>>>> /var/lib/shorewall# ls -l firewall && shorewall reload && ls -l firewall
>>>>> -rwx------ 1 root root 76618 Oct  6 17:33 firewall
>>>>> Reloading Shorewall....
>>>>> Initializing...
>>>>> Processing /etc/shorewall/init ...
>>>>> [snip]
>>>>> Setting up Route Filtering...
>>>>> Setting up Martian Logging...
>>>>> Preparing iptables-restore input...
>>>>> Running /sbin/iptables-restore --wait 60...
>>>>> IPv4 Forwarding Enabled
>>>>> done.
>>>>> -rwx------ 1 root root 76618 Oct  6 17:33 firewall
>>>>>
>>>>>
>>>>> Do you want another test?
>>>>>
>>>>
>>>> What was the current time? Or, what was the output of 'ls -l /usr/share/shorewall/'?
>>>
>>> OK, found it in my case, it's coming from here:
>>>
>>> elif [ -z "$AUTOMAKE" ]; then
>>>     if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
>>>         return 1;
>>>     fi
>>>
>>> I had 5.2.7 installed and made some configuration changes, say in October.
>>> Then I upgraded to 5.2.8 with the RPM, which was built in September.
>>>
>>> So, the content in /usr/share/shorewall/ has mtimes in September, but my
>>> /var/lib/shorewall/firewall was created in October.
>>>
>>> Result: the 'find' above doesn't show anything newer than my
>>> /var/lib/shorewall/firewall and nothing is recompiled on reload.
>>>
>>> This affects my own RPMs but I guess the same is true for others too.
>>>
>>> I'm thinking about what the best fix is here. Maybe simply add a %post
>>> install script which does:
>>>
>>> mv -f /var/lib/shorewall[6]/firewall /var/lib/shorewall[6]/firewall.old
>>>
>>> Maybe we can discuss this here so all packages can use the same approach.
>>
>> I've added the following to the %post sections:
>>
>> if [[ -f %{_var}/lib/%{name}/firewall ]]; then
>>   %{__mv} -f %{_var}/lib/%{name}/firewall %{_var}/lib/%{name}/firewall.rpmold > /dev/null 2>&1 || :
>> fi
>>
>> and
>>
>> if [[ -f %{_var}/lib/%{name}6/firewall ]]; then
>>   %{__mv} -f %{_var}/lib/%{name}6/firewall %{_var}/lib/%{name}6/firewall.rpmold > /dev/null 2>&1 || :
>> fi
>>
>> It works well now and always recompiles after an upgrade.
>>
>> It also adds some additional security because one can easily diff the
>> resulting configuration after an upgrade.
>>
> 
> I'll commit that, and send it through this list for review.
> 

Attached is release-master-1-20.10.07.17.04.57-rfc.patch, which applies
Simon's suggestion.


Any feedback and testing is appreciated.

-- 
Matt Darfeuille <m...@shorewall.org>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
From eb2ca7995543dd7734e342ef64a3153ba7bb3a9a Mon Sep 17 00:00:00 2001
From: Matt Darfeuille <m...@shorewall.org>
Date: Wed, 7 Oct 2020 17:04:31 +0200
Subject: [RFC PATCH] Ensure compilation when updating RPMs

Signed-off-by: Matt Darfeuille <m...@shorewall.org>
---
 shorewall.spec  | 4 ++++
 shorewall6.spec | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/shorewall.spec b/shorewall.spec
index ad69165..990033e 100644
--- a/shorewall.spec
+++ b/shorewall.spec
@@ -44,6 +44,10 @@ rm -rf %{buildroot}
 
 %post
 
+if [ -f %{_var}/lib/%{name}/firewall ]; then
+       %{__mv} -f %{_var}/lib/%{name}/firewall 
%{_var}/lib/%{name}/firewall.rpmold > /dev/null 2>&1 || :
+fi
+
 if [ $1 -eq 1 ]; then
         if [ -x %{_sbindir}/systemctl ]; then
                %{_sbindir}/systemctl enable shorewall
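Review bot: the `%{__mv}` command in the added `%post` block is split across two lines, and the second line (`%{_var}/lib/%{name}/firewall.rpmold > /dev/null 2>&1 || :`) carries no `+` prefix, so the patch as posted will not apply cleanly. If the break is real rather than mail wrapping, the scriptlet runs `mv -f` with a single operand and then tries to execute the destination path as a command; the `> /dev/null 2>&1 || :` would hide both failures, so the rename would silently never happen and the stale compiled script this patch is meant to retire would survive the upgrade. Put the whole command on one `+` line (or end the first line with a backslash continuation) and re-check with `git apply --check`.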
diff --git a/shorewall6.spec b/shorewall6.spec
index 37c1025..77a229a 100644
--- a/shorewall6.spec
+++ b/shorewall6.spec
@@ -47,6 +47,10 @@ rm -rf $RPM_BUILD_ROOT
 
 %post
 
+if [ -f %{_var}/lib/%{name}6/firewall ]; then
+       %{__mv} -f %{_var}/lib/%{name}6/firewall 
%{_var}/lib/%{name}6firewall.rpmold > /dev/null 2>&1 || :
+fi
+
 if [ $1 -eq 1 ]; then
         if [ -x %{_sbindir}/systemctl ]; then
                %{_sbindir}/systemctl enable shorewall6
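Review bot: the destination path in the shorewall6 hunk is missing the `/` between `%{name}6` and `firewall.rpmold`, so it expands to `%{_var}/lib/%{name}6firewall.rpmold`, a file beside the state directory rather than inside it (compare the source operand `%{_var}/lib/%{name}6/firewall` on the line above). Suggest `%{_var}/lib/%{name}6/firewall.rpmold`. The command is also split across two lines here with the continuation lacking a `+` prefix; keep it on a single `+` line so the patch applies and the scriptlet sees one `mv` with both operands.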
-- 
2.11.0
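As an added illustration (not part of the thread and not Shorewall's code), the script below reproduces the `find -newer` staleness test Simon quoted against a constructed directory layout in a temp directory, where `share` stands in for /usr/share/shorewall and `lib/firewall` for /var/lib/shorewall/firewall. It shows the three cases the discussion turns on: a package whose payload mtimes predate the compiled script (nothing is recompiled on reload), the same upgrade after the `%post` rename (recompilation is forced), and, for contrast, a package file that really is newer than the compiled script. All paths, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Shorewall's code: reproduces the mtime-based staleness
# check quoted in the thread against a constructed directory layout, to show
# why an upgraded package whose files predate the compiled script is never
# recompiled, and how the %post rename restores recompilation.
set -eu

# Stand-in for the quoted 'find ... -newer' test.  Exit 0 when the compiled
# script $1 is at least as new as every regular file directly under $2
# ("up to date"), non-zero when it is missing or some file is newer.
compiled_is_uptodate() {
    compiled=$1
    dir=$2
    [ -f "$compiled" ] || return 1      # nothing compiled yet: must compile
    if [ -n "$(find "$dir" -maxdepth 1 -type f -newer "$compiled" -print -quit)" ]; then
        return 1                        # a package file is newer: recompile
    fi
    return 0
}

# Constructed layout under a temp dir: 'share' plays /usr/share/shorewall
# (package payload, stamped with a September build time) and 'lib/firewall'
# plays /var/lib/shorewall/firewall (compiled in October after a config edit).
setup_scenario() {
    root=$(mktemp -d)
    mkdir -p "$root/share" "$root/lib"
    touch -t 202009150800 "$root/share/lib.core" "$root/share/compiler.pl"
    touch -t 202010051000 "$root/lib/firewall"
    printf '%s\n' "$root"
}

# Simulate 'reload' right after a package upgrade.  $1 selects the variant:
#   plain  - just install the package (payload mtimes stay in September)
#   rename - additionally run the %post rename proposed in the thread
#   newer  - a package file carries an mtime later than the compiled script
# Prints "current" (no recompile would happen) or "stale" (recompile).
check_after_upgrade() {
    variant=$1
    root=$(setup_scenario)
    case $variant in
        rename)
            # The %post scriptlet under discussion, with constructed paths.
            if [ -f "$root/lib/firewall" ]; then
                mv -f "$root/lib/firewall" "$root/lib/firewall.rpmold" > /dev/null 2>&1 || :
            fi
            ;;
        newer)
            touch -t 202010201200 "$root/share/lib.core"
            ;;
    esac
    if compiled_is_uptodate "$root/lib/firewall" "$root/share"; then
        result=current
    else
        result=stale
    fi
    rm -rf "$root"
    printf '%s\n' "$result"
}

printf 'package older than compiled script:   %s\n' "$(check_after_upgrade plain)"
printf 'same upgrade, after %%post rename:    %s\n' "$(check_after_upgrade rename)"
printf 'package file newer than script:       %s\n' "$(check_after_upgrade newer)"
```

The first line of output is the bug from the thread: the check is purely relative (is anything in the payload newer than my compiled script?), so a package built before the admin's last `reload` is indistinguishable from no upgrade at all. Renaming the compiled script aside makes the next `reload` compile unconditionally, and keeps the previous script around to diff against the new one, which is the extra review value Simon points out.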

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users