Ljubomir Ljubojevic wrote:
>> There is a defect in Shorewall that causes the startup failure when an optional interface has multiple providers through it and Shorewall is unable to determine the MAC address of one or more of the GATEWAYs. That bug will be somewhat difficult to fix and, when fixed, your firewall still won't restart properly under the same circumstances.

The attached patch to /usr/share/shorewall/Shorewall/Providers.pm should prevent the startup failure. If the MAC of the remote gateway is not detectable, the provider does not come up.

> I have noticed that br0, even when up, does not function for 5-10 seconds more. That also happens on my desktop with a br0 interface connected to eth0 and Virtualbox virtual machines, but without any firewall whatsoever. The Network Monitor tray icon starts flashing active, but ping does not work for several seconds more.

That explains the failure then.

>> Note the identical MAC addresses in the two rules -- without seeing /var/lib/shorewall/.restart, I cannot tell if that is a Shorewall bug or a configuration error.
>
> That is not a bug. I have only one gateway machine, using one NIC (one MAC) for both public subnets.

Thanks for the explanation.

> I believe that the CentOS/KVM/Shorewall/Webmin/Virtualmin combination is the way to go.
>
> The thing that would be nice to see is an updated Webmin module for Shorewall, at least the possibility to select currently inaccessible files (like tc_rules) for manual editing. That would make sure my Shorewall howtos are much easier to follow.

Maintenance of the Webmin module is outside of the Shorewall project.

> I will also try the init workaround and report the results, and you could maybe think about adding it as a configuration value to avoid tainting the internals.

/etc/shorewall/init is intended for just this sort of thing. Adding commands to that file is not 'tainting the internals'.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
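The message above says two things a practitioner will want to act on: with the patch, a shared provider stays down when the gateway's MAC cannot be detected, and the place to wait for a slow bridge such as br0 is /etc/shorewall/init. The following POSIX shell is an added example written for this page; it is not from the thread and not Shorewall's own generated code. It assumes the `ip -o neigh show` output format shown in the constructed sample, that a single ping is enough to populate the neighbour table, and the hypothetical function names `gateway_mac_from`, `gateway_mac` and `wait_for_gateway`.

```shell
#!/bin/sh
# Added example (not Shorewall code): decide whether a provider's gateway is
# reachable, i.e. its MAC is known, and optionally wait for a slow bridge to
# settle before providers are started. Assumptions: `ip -o neigh show` prints
# "<addr> dev <if> [lladdr <mac>] [router] <STATE>", and one ping triggers
# ARP/ND for the gateway. Function names are hypothetical.

# Constructed sample of `ip -o neigh show` output for offline testing.
SAMPLE_NEIGH='192.0.2.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.2 dev eth0  FAILED
198.51.100.1 dev br0 lladdr 66:77:88:99:aa:bb STALE
2001:db8::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE'

# gateway_mac_from NEIGH_DUMP GATEWAY INTERFACE
# Prints the gateway's MAC when the neighbour entry for GATEWAY on INTERFACE
# carries an lladdr and is not FAILED/INCOMPLETE; prints nothing otherwise.
# An entry on a different interface does not count (mirrors the patch's
# per-interface lookup for shared providers).
gateway_mac_from() {
    printf '%s\n' "$1" | awk -v gw="$2" -v dev="$3" '
        $1 == gw && $2 == "dev" && $3 == dev {
            mac = ""
            for (i = 4; i < NF; i++) if ($i == "lladdr") mac = $(i + 1)
            if (mac != "" && $NF != "FAILED" && $NF != "INCOMPLETE") print mac
            exit
        }'
}

# gateway_mac GATEWAY INTERFACE: live lookup; the ping populates the table.
gateway_mac() {
    ping -c 1 -W 1 -I "$2" "$1" >/dev/null 2>&1
    gateway_mac_from "$(ip -o neigh show)" "$1" "$2"
}

# wait_for_gateway GATEWAY INTERFACE [SECONDS]
# Polls until the gateway MAC is known or SECONDS (default 15) elapse.
# Returns 0 when reachable, 1 on timeout. Meant for /etc/shorewall/init so a
# bridge that needs 5-10 s after "up" is ready before providers are added.
wait_for_gateway() {
    gw=$1
    dev=$2
    limit=${3:-15}
    n=0
    while [ "$n" -lt "$limit" ]; do
        mac=$(gateway_mac "$gw" "$dev")
        if [ -n "$mac" ]; then
            echo "gateway $gw on $dev reachable at $mac after ${n}s"
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    echo "WARNING: gateway $gw on $dev not reachable after ${limit}s" >&2
    return 1
}
```

In /etc/shorewall/init you would source this file from wherever you install it (an assumed path) and call `wait_for_gateway 198.51.100.1 br0 15 || true`; the `|| true` keeps a timeout from aborting the start, so that the patched provider logic, not the wait, decides whether the provider is skipped.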
diff --git a/4.2/Shorewall-perl/Shorewall/Providers.pm b/4.2/Shorewall-perl/Shorewall/Providers.pm
index ce96414..99b70e4 100644
--- a/4.2/Shorewall-perl/Shorewall/Providers.pm
+++ b/4.2/Shorewall-perl/Shorewall/Providers.pm
@@ -259,26 +259,28 @@ sub add_a_provider( $$$$$$$$ ) {
fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
- my $provider = chain_base $table;
- my $base = uc chain_base $interface;
+ my $provider = chain_base $table;
+ my $base = uc chain_base $interface;
+ my $gatewaycase = '';
if ( $gateway eq 'detect' ) {
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
$gateway = get_interface_gateway $interface;
- start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
+ $gatewaycase = 'detect';
} else {
- start_provider( $table, $number, "if interface_is_usable $interface; then" );
if ( $gateway && $gateway ne '-' ) {
validate_address $gateway, 0;
+ $gatewaycase = 'specified';
} else {
+ $gatewaycase = 'none';
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
$gateway = '';
- emit "run_ip route add default dev $interface table $number";
}
}
my $val = 0;
+ my $pref;
if ( $mark ne '-' ) {
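Review bot: removing both start_provider() calls from this block means that every emit() between here and the new call site in the `$shared` section now writes shell outside the generated `if interface_is_usable ... then` body. The fwmark rule emits were relocated for exactly that reason, but the source between the end of this hunk and line 375 is not shown; confirm nothing else in that range still emits into what used to be the provider's `if` block. A one-line comment next to `my $gatewaycase = '';` naming the three values ('detect', 'specified', 'none') and saying that the `if` is opened later would also save the next reader a search.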
@@ -298,13 +300,7 @@ sub add_a_provider( $$$$$$$$ ) {
fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val;
}
- my $pref = 10000 + $number - 1;
-
- emit ( "qt ip -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
-
- emit ( "run_ip rule add fwmark $mark pref $pref table $number",
- "echo \"qt ip -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
- );
+ $pref = 10000 + $number - 1;
}
my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
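Review bot: `$pref` is now assigned here under `$mark ne '-'` but consumed in a second, separately guarded `if ( $mark ne '-' )` block much later; the two tests have to stay in sync or the rule would be emitted with an undefined pref. Either leave a comment here that the rule emit was deferred so it lands inside the provider's `if`, or store the pref alongside the mark in the provider's record so one place owns the "mark implies pref" relationship.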
@@ -379,8 +375,22 @@ sub add_a_provider( $$$$$$$$ ) {
my $realm = '';
if ( $shared ) {
- $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
+ my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
$realm = "realm $number";
+ start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
+ } elsif ( $gatewaycase eq 'detect' ) {
+ start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
+ } else {
+ start_provider( $table, $number, "if interface_is_usable $interface; then" );
+ emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
+ }
+
+ if ( $mark ne '-' ) {
+ emit ( "qt ip -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
+
+ emit ( "run_ip rule add fwmark $mark pref $pref table $number",
+ "echo \"qt ip -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
+ );
}
if ( $duplicate ne '-' ) {
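Review bot: the `$shared` branch's generated test `[ -n "$variable" ]` interpolates whatever get_interface_mac() returns, so it depends on that being a shell-variable reference whose value the emitted MAC-detection code has already set; because get_interface_mac() is now called before start_provider(), that detection code runs outside the provider's `if`, i.e. even when the interface is down. That is needed for the test to work, but confirm the lookup is quiet on failure, otherwise a down interface produces stray errors before the "not usable" message. Ordering `elsif ( $gatewaycase eq 'detect' )` after `$shared` is safe only because the earlier hunk fatal_errors on shared plus detect; worth a comment, since the two conditions look independent here.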
@@ -456,10 +466,19 @@ sub add_a_provider( $$$$$$$$ ) {
emit 'else';
if ( $optional ) {
- emit ( " error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"",
- " ${base}_IS_UP=" );
+ if ( $shared ) {
+ emit ( " error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
+ } else {
+ emit ( " error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
+ }
+
+ emit( " ${base}_IS_UP=" );
} else {
- emit( " fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
+ if ( $shared ) {
+ emit( " fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
+ } else {
+ emit( " fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
+ }
}
emit "fi\n";
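Review bot: the optional and non-optional branches disagree on which message belongs to `$shared`. In the optional branch `$shared` yields "Interface $interface is not usable" and the non-shared case yields "Gateway $gateway is not reachable", while the fatal branch does the opposite. Only the shared case tests the gateway MAC, and in the non-shared `'none'` case `$gateway` was set to `''`, which would print "Gateway  is not reachable", so the optional branch looks inverted: swap its two strings so `$shared` reports the gateway and the others report the interface. The non-shared `'detect'` case can also fail on `[ -n "$gateway" ]`, so a combined wording for that path ("Interface $interface is not usable or its gateway could not be detected") would be more accurate than either string alone.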
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
