Dear Tom,
I, Andrzej Odyniec, wrote:
> Tom Eastep wrote:
>>>I suspect changed behavior of new kernel or new Shorewall.
>>
>>There is no way that I know of that Shorewall could make this happen.
>>Have you compared the output of 'shorewall show nat' on the two
>>different versions?
[...]
> So problem is rather not in Shorewall but in netfilter, netfilter patches or
> kernel with patches (iproute2?). Maybe grsec?
The new kernel, 2.6.31.7-grsec, solved the problem, but not automatically... only after
changing /proc/sys/net/ipv4/conf/all/rp_filter to "0". On the interfaces I have
rp_filter set to "0".
In /etc/shorewall/shorewall.conf I have always had ROUTE_FILTER=No.
But in the compiled /var/lib/shorewall/filter, in setup_common_rules, there is:
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
It seems that changes in the kernel's IP routing module changed the behaviour of the
/proc/sys/net/ settings more deeply than we expect. So it is not only the new value
"2" of rp_filter; the "all" setting is also enabling rp_filter on the interfaces. I
think that to understand this we need to read Kuznetsov's code in the kernel. And I think
there is a possibility of some exotic dance of this behaviour in new kernels.
So I temporarily added to /etc/shorewall/start
echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter
and now, in the 2.6.31 kernel with patch set 7, everything is working OK.
In 2.6.29 kernels this was not necessary.
Regards
Andrzej Odyniec
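The behaviour described in the mail (per-interface rp_filter "0" having no effect once conf/all/rp_filter is "1") follows from the rule in the kernel's Documentation/networking/ip-sysctl.txt: the maximum of conf/all/rp_filter and conf/<iface>/rp_filter is what the kernel applies when validating a packet's source on that interface. The script below is an added example, not part of the original mail or of Shorewall; it computes that effective value per interface and flags interfaces where the "all" setting silently overrides the configured value. The SYSCTL_ROOT variable and the make_fake_tree helper (which builds a constructed sysctl tree mirroring the situation in the mail) are assumptions for testing offline.

```shell
#!/bin/sh
# Added example (not from the original mail or from Shorewall).
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) for each
# interface, so "0" on an interface cannot undo "1" on "all".
# SYSCTL_ROOT is an assumed variable: it defaults to the real tree and can be
# pointed at a constructed directory for offline testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/conf}"

# read_rp_filter <iface> : print the raw value for one interface (0 if missing)
read_rp_filter() {
    f="$SYSCTL_ROOT/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# effective_rp_filter <iface> : max(all, iface), as the kernel applies it
effective_rp_filter() {
    all=$(read_rp_filter all)
    own=$(read_rp_filter "$1")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# report : list every interface whose effective value differs from its own
# setting, i.e. where conf/all is overriding the per-interface configuration
report() {
    for d in "$SYSCTL_ROOT"/*/; do
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        own=$(read_rp_filter "$i")
        eff=$(effective_rp_filter "$i")
        if [ "$eff" != "$own" ]; then
            echo "$i: configured=$own effective=$eff (overridden by conf/all)"
        fi
    done
}

# make_fake_tree <dir> : constructed sysctl tree reproducing the mail's case:
# all=1 (as written by the compiled Shorewall script), interfaces set to 0.
make_fake_tree() {
    for i in all default eth0 eth1; do
        mkdir -p "$1/$i"
        echo 0 > "$1/$i/rp_filter"
    done
    echo 1 > "$1/all/rp_filter"
}
```

Source the file on a live system and call `report`; an interface listed as "configured=0 effective=1" is exactly the case the mail describes, and the fix is to lower conf/all/rp_filter rather than to touch the interface entries. To see the example against the constructed tree instead, run `make_fake_tree` on a temporary directory and set `SYSCTL_ROOT` to it before calling `report`.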
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users