Hi,

the patch works, but:


1) I need to restart shorewall twice again:

  0: Running system with linux-3.17.2

  1: Applying the patch

  2: # shorewall safe-restart
     [...]
     Setting up log backend
     /var/lib/shorewall/.start: line 2079: echo: write error: No such file or directory
     WARNING: Unable to set log backend to nf_log_ipv4

  3: # shorewall safe-restart
     => 2nd restart succeeded

     That's not a good user experience.


2) I now have a working compiled firewall in /var/lib/shorewall.
   When I now reboot from linux-3.17.2 back into linux-3.16.6,
   the firewall script still works. No error on start, LOG_BACKEND
   will be set to ipt_LOG.

   But when I restart again, this time from linux-3.16.6 back to
   linux-3.17.2 (a typical upgrade scenario), the first boot with
   linux-3.17.2 will show me the following error

   [...]
   * Starting shorewall ...
   /var/lib/shorewall/.start: line 2079: echo: write error: No such file or directory
   WARNING: Unable to set log backend to nf_log_ipv4

   I need to restart shorewall by hand to get this fixed.



On 2014-11-05 04:48, Tom Eastep wrote:
> In general, the compiler can't validate the value since it can be
> running on a system other than where the firewall is to run under
> Shorewall-lite.

Well, your current patch is doing some kind of validation like I was
thinking of. The only difference: you are still using your own value
("LOG" instead of "ipt_LOG"), so shorewall needs to keep up with
upstream. I am suggesting dropping your own name so shorewall doesn't need
to keep up with upstream; we move the responsibility to the user.

OK, that's still not perfect: I bet that if we follow my suggestion,
most people upgrading from <=linux-3.16 to >=linux-3.17 will get the
error on their first boot before they recognize they need to update
their shorewall.conf, too.
So if shorewall knew "if it is not $foo, then it must use value
$bar", this would help... but then again, shorewall would be the one
which always needs to be up-to-date with upstream.


-Thomas
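The fallback Thomas describes ("if it is not $foo, then use $bar"), as an added shell illustration that is not Shorewall's own code: the candidates are probed against the loggers the running kernel has actually registered instead of hard-coding one name in LOG_BACKEND. It assumes the standard kernel interfaces /proc/net/netfilter/nf_log (registered loggers per protocol family) and /proc/sys/net/netfilter/nf_log/2 (the IPv4 selector), passed in as parameters so the logic can be exercised on constructed files.

```shell
# Added illustration, not Shorewall's own code.
# Assumed kernel interfaces: /proc/net/netfilter/nf_log lists registered
# loggers per protocol family (e.g. " 2 NONE (ipt_LOG,nfnetlink_log)"),
# /proc/sys/net/netfilter/nf_log/2 selects the IPv4 (PF_INET = 2) logger.
# Both paths are parameters so the functions can be exercised on constructed
# files without root.

# Print the logger names registered for one family in an nf_log listing.
registered_loggers() {
    listing=$1 family=$2
    awk -v fam="$family" '$1 == fam {
        sub(/^.*\(/, ""); sub(/\).*$/, ""); gsub(/,/, " "); print
    }' "$listing"
}

# Print the first candidate the kernel knows; return 1 if none is registered.
select_log_backend() {
    listing=$1 family=$2
    shift 2
    avail=$(registered_loggers "$listing" "$family")
    for cand in "$@"; do
        for have in $avail; do
            if [ "$have" = "$cand" ]; then
                echo "$cand"
                return 0
            fi
        done
    done
    return 1
}

# Write the chosen backend to the sysctl file, or warn with the candidate
# list instead of letting echo fail with "No such file or directory".
apply_log_backend() {
    sysctl_file=$1 listing=$2 family=$3
    shift 3
    if backend=$(select_log_backend "$listing" "$family" "$@"); then
        printf '%s\n' "$backend" > "$sysctl_file"
    else
        echo "WARNING: none of [$*] is registered with the kernel" >&2
        return 1
    fi
}

# Typical call on a live system (needs root):
# apply_log_backend /proc/sys/net/netfilter/nf_log/2 /proc/net/netfilter/nf_log 2 nf_log_ipv4 ipt_LOG
```

If a backend's module is not loaded yet, its name does not appear in the listing, so the function reports the warning rather than the bare write error; it cannot make a missing logger appear.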


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel