Hi KP

On 03.01.2017 at 20:19, kp kirchdoerfer wrote:
> Hi;
>
> On Tuesday, 3 January 2017, 21:05:21, Martin Hejl wrote:
>> Hi Erich
>>
>> On 03.01.2017 at 19:59, Erich Titl wrote:
>>> On 03.01.2017 at 16:04, Martin Hejl wrote:
>>>> Hi all,
>>>>
>>>> the shorewall init script for 6.0.1 in /etc/init.d/shorewall currently
>>>> reads (relevant part only):
>>>>
>>>> =========================================================
>>>>
>>>> start() {
>>>>
>>>>          echo "Starting IPv4 shorewall rules..."
>>>>          wait_for_pppd
>>>>          [ -x /usr/sbin/mount_modules ] && /usr/sbin/mount_modules
>>>>          /sbin/shorewall $OPTIONS start $STARTOPTIONS
>>>>          [ -x /usr/sbin/umount_modules ] && /usr/sbin/umount_modules
>>>>
>>>> }
>>>>
>>>> stop() {
>>>>
>>>>          echo "Stopping IPv4 shorewall rules..."
>>>>          /sbin/shorewall stop
>>>>
>>>> }
>>>>
>>>> refresh() {
>>>>
>>>>          echo "Refreshing IPv4 shorewall rules..."
>>>>          /sbin/shorewall refresh $REFRESHOPTIONS
>>>>
>>>> }
>>>>
>>>>
>>>> reload() {
>>>>
>>>>          echo "Reloading IPv4 shorewall rules..."
>>>>          /sbin/shorewall reload $RELOADOPTIONS
>>>>
>>>> }
>>>>
>>>> restart() {
>>>>
>>>>          echo "Restarting IPv4 shorewall rules..."
>>>>          /sbin/shorewall restart $RESTARTOPTIONS
>>>>
>>>> }
>>>>
>>>> =========================================================
>>>>
>>>> Shouldn't mount_modules and umount_modules also be called for
>>>> "restart()" (possibly also for "refresh()" and "reload()") ?
>>>
>>> You are possibly right.
>>>
>>>> I've been trying to figure out why I couldn't get DNAT to work
>>>> (shorewall always terminated with an error during "svi shorewall
>>>> restart" after me updating /etc/shorewall/rules).
>>>>
>>>> By doing
>>>>
>>>> svi shorewall stop
>>>> svi shorewall start
>>>
>>> So you changed the shorewall config and then used a re* call option to
>>> bring the changes up. Well I never attempted this. I guess it would not
>>> be too hard to mount/umount the modules filesystem for all re* calls.
>>
>> Is that an unusual approach? I guess I always assumed that
>>      $ svi serviceName restart
>>
>> would be equivalent to
>>      $ svi serviceName stop ; svi serviceName start
>>
>>> You could actually add this to your router and please provide a patch
>>> to KP :-)
>>
>> I will :-) - I just wanted to make sure my understanding is correct, and
>> that I didn't miss anything. It's been a while since I played with
>> Bering uClibc, and things have moved on a bit since then.
>
> Patching shorewall init is something that needs to be done, but I doubt it
> will solve the issue of missing modules and will be more or less cosmetic.
>
> We've had the issue with ipv6 module recently, and it occurred it needs to be
> added to /etc/modules to get it as painless as possible for users.

I believe IPv6 is more generic than to expect shorewall to add it. If 
you would be running a simple ipv6 router without firewalling you would 
have to do that anyway.

cheers

Erich
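
The change discussed above (mounting and unmounting the modules filesystem for all re* calls, not only for start), as an added example that is not part of the original thread or the project's init script. `with_modules` is a hypothetical helper and the overridable path variables are assumptions; the paths and option variables are the ones quoted in the thread.

```shell
#!/bin/sh
# Added illustration, not the shipped /etc/init.d/shorewall.
# Default paths are those quoted in the thread; making them overridable
# through the environment is an assumption made here for testing.
SHOREWALL=${SHOREWALL:-/sbin/shorewall}
MOUNT_MODULES=${MOUNT_MODULES:-/usr/sbin/mount_modules}
UMOUNT_MODULES=${UMOUNT_MODULES:-/usr/sbin/umount_modules}

# with_modules (hypothetical helper): mount the modules filesystem if the
# mount script exists, run the given command, always unmount afterwards,
# and hand back the command's exit status so a failed rule load is not
# masked by a successful unmount.
with_modules() {
    if [ -x "$MOUNT_MODULES" ]; then "$MOUNT_MODULES"; fi
    rc=0
    "$@" || rc=$?
    if [ -x "$UMOUNT_MODULES" ]; then "$UMOUNT_MODULES"; fi
    return $rc
}

refresh() {
    echo "Refreshing IPv4 shorewall rules..."
    with_modules "$SHOREWALL" refresh $REFRESHOPTIONS
}

reload() {
    echo "Reloading IPv4 shorewall rules..."
    with_modules "$SHOREWALL" reload $RELOADOPTIONS
}

restart() {
    echo "Restarting IPv4 shorewall rules..."
    with_modules "$SHOREWALL" restart $RESTARTOPTIONS
}
```
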

_______________________________________________
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel