On Sat, 2013-04-13 at 07:05 -0700, Tom Eastep wrote:
> On 4/12/13 2:22 PM, "Louis Lagendijk" <lo...@fazant.net> wrote:
>
> >hello Tom,
> >After playing with shorewall-init a bit more, I have some more issues:
> >
> >1) shorewall6: accept_ra does not get restored when the network is
> >restarted. A shorewall restart fixes that. I would have expected
> >ifup-local to perform the same settings as a shorewall restart does. Am
> >I missing something?
> >I have traced the problem to interface_is_usable() in the firewall script:
> >it uses find_first_interface_address_if_any() that returns no address
> >assigned yet as it needs a router advertisement to do so. All
> >interfaces on my machine have that problem as I am using the wide
> >dhcpv6 client to retrieve a prefix delegation from the modem on the
> >interface that has accept_ra set. Would it be possible to remove
> >the test for the interface address?
>
> That same code gets executed during start/restart. Look at the function
> detect_configuration() in the generated firewall script; that gets called
> for start/restart and for enable. So I don't believe that is the root
> cause of your problem.

Thanks for the pointer Tom. What happens at a shorewall start (for firewall start) is that define_firewall gets called that sets the forwarding and accept_ra unconditionally. Function define_firewall() gets called at an "up" event ONLY when the firewall was not started before (from updown() ).

In case of an "up" event when the firewall is started, we then check for a non-link local address being defined (which is not the case) and we skip the setting of the forward and accept_ra proc/sys variables....

I am not sure what to suggest, but there is some inconsistency here that does cause forwarding and accept_ra not to be set in case of an "up" event (if the firewall is not started before) and just (re)starting the firewall.

Another question that is just about consistency but does not affect operation: what is the reason that accept_ra is set from setup_common_rules() while forwarding is set from the body of define_firewall()? Just curious....

Thanks for your kind help
Louis

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
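
One way to confirm the difference described in the message above is to compare an interface's live IPv6 sysctls after a network restart and again after a shorewall restart. The following is an added example, not code from Shorewall or from either poster; the function names, the `SYSCTL_ROOT` override and the expected values passed in are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Shorewall code): report when an interface's IPv6
# accept_ra / forwarding sysctls differ from the values the caller expects.
# SYSCTL_ROOT is a hypothetical override so the check can be pointed at a
# constructed directory tree instead of the live /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# read_ipv6_sysctl IFACE KEY: print the value, return 1 if it cannot be read.
read_ipv6_sysctl() {
    f="$SYSCTL_ROOT/net/ipv6/conf/$1/$2"
    [ -r "$f" ] || return 1
    tr -d ' \t\n' < "$f"
}

# check_iface IFACE WANT_ACCEPT_RA WANT_FORWARDING
# Returns 0 when both values match, 1 on drift, 2 when the interface has no
# IPv6 sysctl entries (for example, it is not up yet).
check_iface() {
    iface=$1 want_ra=$2 want_fwd=$3 rc=0
    ra=$(read_ipv6_sysctl "$iface" accept_ra) ||
        { echo "$iface: accept_ra not readable"; return 2; }
    fwd=$(read_ipv6_sysctl "$iface" forwarding) ||
        { echo "$iface: forwarding not readable"; return 2; }
    if [ "$ra" != "$want_ra" ]; then
        echo "$iface: accept_ra=$ra, expected $want_ra"; rc=1
    fi
    if [ "$fwd" != "$want_fwd" ]; then
        echo "$iface: forwarding=$fwd, expected $want_fwd"; rc=1
    fi
    # Linux only processes router advertisements on a forwarding interface
    # when accept_ra is 2, so this combination never obtains an RA address.
    if [ "$fwd" = 1 ] && [ "$ra" = 1 ]; then
        echo "$iface: forwarding=1 with accept_ra=1, RAs are ignored"; rc=1
    fi
    return $rc
}

# Stand-alone use: ./check.sh IFACE WANT_ACCEPT_RA WANT_FORWARDING
if [ "$#" -ge 3 ]; then
    check_iface "$1" "$2" "$3"
fi
```

Run it once after the network restart and once after a shorewall restart; differing output between the two runs shows which path left the settings unapplied.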