On 5/25/13 3:14 PM, "Dash Four" <[email protected]> wrote:
>>> The 'start' and 'started' scripts are run at the very end of the
>>> firewall script's execution. Again, I want to look at the 'firewall'
>>> script.
>>>
>> I am assuming a similar thing is happening here. Although I do not
>> have "net.netfilter.nf_conntrack_helper" set in my sysctl.conf (maybe
>> I should explicitly disable it and set it to 0), I presume the
>> "default" value if nothing is specified is 1 (enabled). Shorewall has
>> two places where it manipulates this variable: at start, where it does
>> "echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper", and then
>> again, when the firewall is in the stopped state, it does the opposite -
>> "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper". I notice that
>> there isn't a diagnostic message displayed when this operation is done
>> - maybe it is a good idea for you to add one.
>>
>> If "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper" triggers all
>> of the above messages (or if the system's default value of
>> "nf_conntrack_helper" is 1), then simply adding
>> "net.netfilter.nf_conntrack_helper=0" to my sysctl.conf file should
>> eliminate these obnoxious messages, correct?
>
> I think this error comes from shorewall-init.
>
> When the system boots up, shorewall-init is started first, before any of
> the interfaces or shorewall are brought up/started. shorewall-init
> compiles "firewall" *and* stops the firewall, triggering "echo 1 >
> /proc/sys/net/netfilter/nf_conntrack_helper". Since
> "nf_conntrack_helper" is now in the enabled state, when the interfaces are
> then brought up one by one by the system, this causes all of the
> messages to appear. This is self-evident from the repeated helper
> messages I enclosed previously - they repeat 3 times, which is exactly
> the number of devices I asked the OS to bring up at startup.
>
> Even if I explicitly disable the helpers in my sysctl.conf file, that
> won't do me any good, since the compiled "firewall" script explicitly
> enables my helpers when the firewall is stopped, which is wrong and
> should be corrected.

Patch attached.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
Attachment: CLEARHELPER.patch (binary data)
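The thread above turns on one knob: /proc/sys/net/netfilter/nf_conntrack_helper, which, when set to 1, lets the kernel attach a conntrack helper (FTP, SIP, and so on) to any flow on the helper's port and open expectation-based holes based on what it sees in the payload; that is why the kernel logs a warning for every interface that comes up with it enabled, and why the CT target's explicit helper assignment is the preferred replacement. The practical check a practitioner wants is twofold: whether the knob is off right now (sysctl net.netfilter.nf_conntrack_helper), and whether it is pinned off persistently, bearing in mind that a sysctl.conf entry is applied once at boot and is silently overridden by any later "echo 1" such as the one the stop path performs. The script below is an added example, not Shorewall's own code or the attached patch; the default paths are assumptions about a stock Linux layout and every function takes the path as a parameter so it can be exercised against copies of the files.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: check the automatic-helper
# sysctl discussed in this thread and pin it off persistently.
# All paths are parameters (the defaults below are assumptions about a
# stock Linux layout) so the functions can be exercised on copies.

PROC_HELPER=/proc/sys/net/netfilter/nf_conntrack_helper
SYSCTL_CONF=/etc/sysctl.conf
KEY=net.netfilter.nf_conntrack_helper

# Runtime state: "enabled" when automatic helper assignment is on (the
# state a "stop" that writes 1 leaves behind), "disabled" when off,
# "absent" when the kernel does not expose the knob at all.
helper_state() {
    f=${1:-$PROC_HELPER}
    [ -r "$f" ] || { echo absent; return 0; }
    case $(tr -d '[:space:]' < "$f") in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# Value the sysctl conf file persists for the key, or "unset".
conf_helper_value() {
    conf=${1:-$SYSCTL_CONF}
    v=$(grep -E "^[[:space:]]*$KEY[[:space:]]*=" "$conf" 2>/dev/null \
        | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]+$//')
    echo "${v:-unset}"
}

# Pin the key to 0 in the conf file: rewrite an existing line in place,
# append one if it is missing. Idempotent, so safe to run from provisioning.
pin_helper_off() {
    conf=${1:-$SYSCTL_CONF}
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*$KEY[[:space:]]*=" "$conf" 2>/dev/null; then
        sed -E "s|^[[:space:]]*$KEY[[:space:]]*=.*|$KEY = 0|" "$conf" > "$tmp"
    else
        if [ -f "$conf" ]; then cat "$conf" > "$tmp"; fi
        printf '%s = 0\n' "$KEY" >> "$tmp"
    fi
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Compare persisted and runtime state. Returns 0 only when both say off;
# "conf=0 runtime=enabled" is exactly the drift that a stop path writing 1
# produces, and a sysctl.conf entry alone cannot prevent it.
audit_helper() {
    rt=$(helper_state "${1:-$PROC_HELPER}")
    cf=$(conf_helper_value "${2:-$SYSCTL_CONF}")
    echo "conf=$cf runtime=$rt"
    if [ "$cf" = 0 ] && [ "$rt" = disabled ]; then return 0; fi
    return 1
}

# Usage: sh helpercheck.sh audit | pin
case ${1:-} in
    audit) audit_helper ;;
    pin)   pin_helper_off && audit_helper ;;
esac
```

Run `sh helpercheck.sh audit` once after boot and again after `shorewall stop`: on a system with the behaviour described in the thread, the first report reads `conf=0 runtime=disabled` and the second `conf=0 runtime=enabled`, which is the evidence that the stop path, not the boot-time sysctl, is what re-enables automatic helper assignment. The `pin` action only fixes the persisted side; the runtime side is the firewall script's responsibility.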
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
