On Wed, 30 Dec 2009 22:21:25 -0500 "Brian J. Murrell" <[email protected]> wrote:
> On my (OpenWRT) router, I have an "/etc/init.d/shorewall-lite
> restart" (which effectively is shorewall-lite restore) executed during
> an "interface transition" (i.e. up/down) event. This is to allow
> shorewall to adjust the rules and/or routing when an interface changes
> state. TBH, I don't so much care about the interface down event as
> much as I care about an interface coming up when shorewall was
> restarted with an interface being down. But I digress.
>
> The ugly side effect of this is that when the router initially boots,
> lots of "interface up" events are triggered and thus many
> "overlapping"/parallel shorewall-lite restore commands are run. This
> is silly of course[1].
>
> My knee-jerk reaction is to simply have shorewall-lite exit if there
> is an instance running already, but given more thought, that seems
> backwards. The earlier instance might have already assessed the
> interface for which the new instance is being called and thus, the
> earlier instance has a stale view of the interface status. So it
> seems the right thing to do is for the new instance to kill the
> earlier instance before it (the new instance) starts doing its
> thing. This would continue to happen until the last of the initial
> boot "interface up" events runs to completion.
>
> Thots?
In no particular order:
a) Yes -- Shorewall uses a lock file to serialize operations that
change the firewall state. Unless the 'lockfile' utility is
installed, however, the algorithm used is race-prone.
b) Hopefully, you have defined the volatile interfaces as 'optional' so
a simple 'shorewall restart' is all that is needed.
c) It is most common to:
   1) Start Networking
   2) Start Shorewall
   3) Start a link monitor like LSM assuming that all interfaces
      are up.
   Since interfaces most commonly come up at boot, the link monitor
   finds all interfaces up and running and there is no storm of
   activity required. If one of the interfaces is down, LSM soon
   discovers it and restarts Shorewall.
   Note -- at least one user with whom I am familiar uses LSM to
   start Shorewall. That handles the situation where a link comes up
   between steps 2) and 3).
d) I think that it is the Link Monitor's responsibility to avoid this
chaos and not Shorewall's.
My $.02.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
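A serializing wrapper of the kind Tom describes, as an added example that is not part of the thread or of Shorewall's own code: it uses mkdir as the atomic lock (so no 'lockfile' utility is needed) and lets a caller that finds the lock taken leave a rerun request instead of killing the running instance, so the holder makes one more pass with a fresh view of the interfaces. The names $RESTORE_CMD, $LOCKDIR and $RERUN are assumptions, chosen so the real command can be swapped for a stub.

```shell
#!/bin/sh
# Coalescing wrapper around "shorewall-lite restart" for a busybox router.
# Assumptions (not from the thread): the real command is supplied through
# $RESTORE_CMD so a stub can replace it, and state lives under /tmp (tmpfs).
LOCKDIR="${LOCKDIR:-/tmp/shorewall-restart.lock}"   # mkdir is the atomic lock
RERUN="${RERUN:-/tmp/shorewall-restart.rerun}"      # "run me again" request
RESTORE_CMD="${RESTORE_CMD:-/etc/init.d/shorewall-lite restart}"
COALESCED_RUNS=0   # how many restarts this invocation actually performed

# Every interface event calls this. Only one caller runs the restart at a
# time; the others leave a rerun request, and the running caller loops once
# more after finishing, so the latest interface state is always re-read by a
# run that started after the event. No 'lockfile' utility is required:
# mkdir either creates the directory or fails, it never half-succeeds.
# A holder killed mid-run leaves the directory behind; removing it early in
# the boot sequence, before networking starts, is left to the init script.
coalesced_restart() {
    COALESCED_RUNS=0
    while :; do
        if mkdir "$LOCKDIR" 2>/dev/null; then
            # We hold the lock: run until no request arrived during a run.
            while :; do
                rm -f "$RERUN"
                $RESTORE_CMD || echo "restore exited $?" >&2
                COALESCED_RUNS=$((COALESCED_RUNS + 1))
                [ -e "$RERUN" ] || break
            done
            rmdir "$LOCKDIR"
            # A request may land between the check above and the release;
            # if one did, try to become the holder again instead of losing it.
            [ -e "$RERUN" ] || break
        else
            # Someone else holds the lock: request one more pass.
            : > "$RERUN"
            # If the holder is still there it will pick the request up; if it
            # released in the meantime, loop and take the lock ourselves.
            [ -d "$LOCKDIR" ] && break
        fi
    done
    return 0
}
```

Calling coalesced_restart from the interface hotplug hook instead of the raw restart turns a boot-time burst of events into one run plus at most one follow-up pass.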
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
