On 11/5/2014 5:14 AM, Thomas D. wrote:
> Hi,
>
> the patch works, but:
>
>
> 1) I need to restart shorewall twice again:
>
> 0: Running system with linux-3.17.2
>
> 1: Applying the patch
>
> 2: # shorewall safe-restart
> [...]
> Setting up log backend
> /var/lib/shorewall/.start: line 2079: echo: write error: No such
> file or directory
> WARNING: Unable to set log backend to nf_log_ipv4
>
> 3: # shorewall safe-restart
> => 2nd restart succeeded
>
> That's not a good user experience.
>
>
> 2) I now have a working compiled firewall in /var/lib/shorewall.
> When I now reboot from linux-3.17.2 back into linux-3.16.6,
> the firewall script still works. No error on start, LOG_BACKEND
> will be set to ipt_LOG.
>
> But when I restart again, this time from linux-3.16.6 back to
> linux-3.17.2 (a typical upgrade scenario), the first boot with
> linux-3.17.2 will show me the following error
>
> [...]
> * Starting shorewall ...
> /var/lib/shorewall/.start: line 2079: echo: write error: No such file
> or directory
> WARNING: Unable to set log backend to nf_log_ipv4
>
> I need to restart shorewall by hand to get this fixed.

Upstream have clearly changed the module names *again*. Can you send me
the output of "lsmod" so I can try to understand what they have changed?
> On 2014-11-05 04:48, Tom Eastep wrote:
>> In general, the compiler can't validate the value since it can be
>> running on a system other than where the firewall is to run under
>> Shorewall-lite.
>
> Well, your current patch is doing some kind of validation like I was
> thinking of. The only difference: You are still using your own value
> ("LOG" instead of "ipt_LOG"), so shorewall needs to keep up with
> upstream. I am suggesting to drop your own name so shorewall doesn't need
> to keep up with upstream, we move the responsibility to the user.
>
> OK, that's still not perfect: I bet that if we follow my suggestion,
> most people upgrading from <=linux-3.16 to >=linux-3.17 will get the
> error on their first boot before they will recognize they need to update
> their shorewall.conf, too.
> So if shorewall would know "if it is not $foo, then it must use value
> $bar", this would help... but then again, shorewall would be the one
> which always needs to be up-to-date with upstream.
That's what my current patch does.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
