On Mon, 2013-04-15 at 11:39 -0700, Tom Eastep wrote:
> On 04/15/2013 11:11 AM, Louis Lagendijk wrote:
> > On Mon, 2013-04-15 at 11:04 -0700, Tom Eastep wrote:
> >> On 04/15/2013 10:47 AM, Louis Lagendijk wrote:
> >>> On Sat, 2013-04-13 at 07:05 -0700, Tom Eastep wrote:
> >>>> On 4/12/13 2:22 PM, "Louis Lagendijk" <lo...@fazant.net> wrote:
> >>>>
> >>>>>
> >>>>> hello Tom,
> >>>>> After playing with shorewall-init a bit more, I have some more issues:
> >>>>>
> >>>>> 1) shorewall6: accept_ra does not get restored when the network is
> >>>>> restarted. A shorewall restart fixes that. I would have expected
> >>>>> ifup-local to perform the same settings as a shorewall restart does. Am
> >>>>> I missing something?
> >>>>> I have traced the problem to interface_is_usable() in the firewall
> >>>>> script:
> >>>>> it uses find_first_interface_address_if_any() that returns no address
> >>>>> assigned yet as it needs a router advertisement to do so. All
> >>>>> interfaces on my machine have that problem as I am using the wide
> >>>>> dhcpv6 client to retrieve a prefix delegation from the modem on the
> >>>>> interface that has accept_ra set. Would it be possible to remove
> >>>>> the test for the interface address?
> >>>>
> >>>> That same code gets executed during start/restart. Look at the function
> >>>> detect_configuration() in the generated firewall script; that gets called
> >>>> for start/restart and for enable. So I don't believe that is the root
> >>>> cause of your problem.
> >>>
> >>> Thanks for the pointer Tom. What happens at a shorewall start (for
> >>> firewall start) is that define_firewall gets called that sets the
> >>> forwarding and accept_ra unconditionally. Function define_firewall() gets
> >>> called at an "up" event ONLY when the firewall was not started before
> >>> (from updown() ). In case of an "up" event when the firewall is
> >>> started, we then check for a non-link local address being defined (which
> >>> is not the case) and we skip the setting of the forward and accept_ra
> >>> proc/sys variables.... I am not sure what to suggest, but there is some
> >>> inconsistency here that does cause forwarding and accept_ra not to be
> >>> set in case of an "up" event (if the firewall is not started before) and
> >>> just (re)starting the firewall.
> >>
> >> Are you using entries in /etc/shorewall6/providers or are you just
> >> defining these interfaces to be 'optional' in /etc/shorewall6/interfaces?
> >>
> > I am using /etc/shorewall/interfaces, as I have only one provider: my
> > ISP via my VDSL modem that does prefix delegation and route
> > advertisements.
> > What I have is a fairly simple setup
> >
>
> But you need to define the interfaces as 'optional'?

Ah, removing the optional does the trick: interfaces that have accept_ra
set shall not be marked optional nor required (the latter causes
problems starting the firewall at all).
Thanks for the help Tom!

Kind regards,
Louis

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel