Charles wrote, re the problem of Seawall's ipchains getting
overwritten in dhclient exit hooks,
> > 2. Is there a better fix for this problem? (This fix works, my
> > humble web site has been visible continuously since I edited
> > dhclient-exit-hooks.) Unfortunately my fix entangles seawall.lrp
> > and dhclient.lrp.
>
> The dhclient enter and exit hooks scripts are the cleanest location
> for this sort of code, AFAIK.
Thank you Charles. I will consult with Tom Eastep and revise the
Seawall with LRP Howto after we agree on the best solution. It does
appear that a Dachstein/Seawall user using dhclient does need to make
a small edit or two in dhclient exit hooks.

Which brings us to the other problem. How often is the code in the
dhclient exit hook supposed to execute? I thought it was only supposed
to execute when the IP changed. The code in reload_all executes on my
Dachstein system (which I have now upgraded to the 1.02 release) every
time the lease is renewed even though the IP does not change.

Is the code intentionally conservative (e.g. intentionally reloading
the network fairly often)? If not, I should think the reload_all
should not execute if the IP has not changed.

For convenience, I have copied the exit hooks routine below. This time
I have used Dachstein 1.02 as my starting point.

Look where I added my dynodns hook. There are some conditions combined
with "or". Looks to me like an "and" is needed, but I am not sure what
is intended. The comment

    # If our IP address changed, or we just got a new address,
    # restart the IP filters, using the new address

does not seem to match what the logic does.

Shouldn't the inside if statement have [ x$reason = xBOUND ] ||
removed, so it looks like this:

    # If our IP address changed, or we just got a new address,
    # restart the IP filters, using the new address
    if [ x$old_ip_address = x ] || \
       [ x$old_ip_address != x$new_ip_address ] || \
       [ x$reason = xREBOOT ]; then

Then the if reads "if the old IP is zero OR the new IP differs from
the old OR we just did a reboot". With the old logic, it is sufficient
to run reload_all() to have [ x$reason = xBOUND ] be true.

Another minor point. I moved seawall restart into reload_all. This
works, but does cause seawall restart to be executed (harmlessly)
before it should be. I should probably move it back to just after
reload_all in the same if-clause as my dynodns code.
Tim
Copy of dhclient exit hooks based on Dachstein 1.02 follows
#!/bin/sh
# dhclient-exit-hooks script for LRP
# Charles Steinkuehler, January 2000
# Updated June 27, 2000 to restart dnscache, if present
# Notes:
# 0. This script restarts the following when a new address is acquired
#    a: Firewall filter rules

reload_all() {
    svi network ipfilter reload
    seawall restart
}

if [ x$reason = xBOUND ] || [ x$reason = xRENEW ] || \
   [ x$reason = xREBIND ] || [ x$reason = xREBOOT ]; then
    # If our IP address changed, or we just got a new address,
    # restart the IP filters, using the new address
    if [ x$old_ip_address = x ] || \
       [ x$old_ip_address != x$new_ip_address ] || \
       [ x$reason = xBOUND ] || [ x$reason = xREBOOT ]; then
        # tell dynodns that the IP has changed
        date >> /var/log/dynodns.txt
        http_get -a twegner.dynodns.net:xxxx \
            http://www.dynodns.net/pr/updatens.cgi | \
            grep twegner >> /var/log/dynodns.txt
        #end dynodns changes
        # Reload networking to see new address
        reload_all
        #seawall restart was here - moved to inside reload_all
    fi
fi

if [ x$reason = xEXPIRE ] || [ x$reason = xFAIL ]; then
    # No dhcp lease - Shutdown packet forwarding
    /etc/init.d/network ipfilter flush
fi

if [ x$reason = xTIMEOUT ]; then
    if [ x$timeout_using_old_lease = xTRUE ]; then
        # Successfully using an old lease, even though we can't talk to the
        # dhcp server, so reload network to configure with 'new' address
        reload_all
    else
        # Couldn't find the dhcp server, and can't ping the last default router
        # so let's just give up and stop forwarding packets
        /etc/init.d/network ipfilter flush
    fi
fi
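
The two versions of the inner test discussed in this message, evaluated side by side for each lease event. This is an added example, not part of the original post or of Dachstein; the function names and the 192.0.2.x addresses are made up for illustration.

```shell
#!/bin/sh
# Added example. Arguments stand in for dhclient's $reason,
# $old_ip_address and $new_ip_address. Addresses are constructed samples.

# Inner test as posted in the Dachstein 1.02 hook (has the BOUND term).
posted_should_reload() {
    reason=$1; old_ip_address=$2; new_ip_address=$3
    [ "x$old_ip_address" = x ] ||
    [ "x$old_ip_address" != "x$new_ip_address" ] ||
    [ "x$reason" = xBOUND ] || [ "x$reason" = xREBOOT ]
}

# Inner test as proposed in the message (BOUND term removed).
proposed_should_reload() {
    reason=$1; old_ip_address=$2; new_ip_address=$3
    [ "x$old_ip_address" = x ] ||
    [ "x$old_ip_address" != "x$new_ip_address" ] ||
    [ "x$reason" = xREBOOT ]
}

# Print "reload" or "skip" for one predicate and one set of inputs.
verdict() {
    if "$@"; then echo reload; else echo skip; fi
}

# One table row: both verdicts for the same inputs.
compare() {
    printf '%-7s old=%-11s new=%-11s posted=%-7s proposed=%s\n' \
        "$1" "${2:-(unset)}" "$3" \
        "$(verdict posted_should_reload "$@")" \
        "$(verdict proposed_should_reload "$@")"
}

compare BOUND  ""         192.0.2.10   # first lease, no old address
compare BOUND  192.0.2.10 192.0.2.10   # the only row where the two differ
compare RENEW  192.0.2.10 192.0.2.10   # renewal, address unchanged
compare RENEW  192.0.2.10 192.0.2.77   # renewal, address changed
compare REBIND 192.0.2.10 192.0.2.10
compare REBOOT 192.0.2.10 192.0.2.10
```

To see which row a real renewal corresponds to, log $reason, $old_ip_address and $new_ip_address from the hook before the test runs.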