On Thu, 31 Dec 2009 15:25:14 -0500 "Brian J. Murrell" <[email protected]> wrote:
> On Thu, 2009-12-31 at 07:53 -0800, Tom Eastep wrote:
> >
> > In no particular order:
> >
> > a) Yes -- Shorewall uses a lock file to serialize operations that
> > change the firewall state. Unless the 'lockfile' utility is
> > installed, however, the algorithm used is race-prone.
>
> And still results in the possibility of more than one shorewall
> process being in memory, although perhaps waiting for other shorewall
> processes to complete?

Sure.

> > c) It is most common to:
> >
> > 1) Start Networking
>
> Does this imply all network interfaces are up when this step is
> done? I only ask because distributions (OpenWRT, Ubuntu -- or
> anything with upstart) seem to be moving away from the serialized
> initscript model where one can assume interfaces are up after the
> "start networking" script is complete.
>
> More and more, it seems, distributions are moving to a parallelized
> initscript model where each interface coming up is handled in its own
> context and there is no "all interfaces are now up" signal. This is
> where it gets ugly to try to restart shorewall for each interface that
> has come up.

In Ubuntu, '/etc/init.d/networking' still ends up running 'ifup -a'. So
it means that ifup -a has completed.

In the Debian/Ubuntu/... shorewall init script, there is the capability
to wait for a list of interfaces to be ready (with timeout). That can
take care of stragglers that are slow in starting (usually ppp devices).

> > 2) Start Shorewall
> > 3) Start a link monitor like LSM assuming that all
> > interfaces are up.
>
> From what I could tell at http://www.shorewall.net/MultiISP.html LSM
> is basically an "add-on" tool to do much of what OpenWRT's "hotplug"
> does where an interface going up or down triggers a script to be run.

LSM monitors interfaces by actually using them (ping or arping) and
calls a script when the state of an interface changes. At startup, it
assumes all monitored interfaces are up.

> > Since interfaces most commonly come up at boot,
>
> Right, and your model assumes that all of the interfaces are up at the
> exit of the "start networking" step. That's where more modern
> distributions are going to fall down.

I think there is a need for a 'network startup complete' event which
signals that an attempt has been made to start all interfaces. This
appears to still be available in Ubuntu by making $network a startup
prerequisite of shorewall.

> > the link monitor
> > finds all interfaces up and running and there is no storm of
> > activity required.
>
> Indeed. I had envisioned something like this for OpenWRT in fact,
> where, somehow, that first "down->up" transition does not trigger a
> shorewall restart (reload in fact) and, again, somehow, shorewall
> would be started after all interfaces have been brought up by the
> boot.

The mechanism in the Debian/Ubuntu Shorewall startup scripts might fit
your need.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
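The "wait for a list of interfaces to be ready, with a timeout" behaviour Tom describes for the Debian/Ubuntu init script, written out as an added example (not the Shorewall init script's own code); it assumes that an interface counts as ready once ip(8) reports an IPv4 address on it, which is an assumption made here, not Shorewall's definition of readiness.

```shell
#!/bin/sh
# Added example: block a firewall start until every listed interface is
# usable, or give up after a timeout so one slow ppp device cannot hang boot.

# iface_ready IFACE -> 0 if the interface exists and carries an inet address
# (assumed readiness check, not taken from the Shorewall init script).
iface_ready() {
    ip -4 -o addr show dev "$1" 2>/dev/null | grep -q ' inet '
}

# wait_for_interfaces LIMIT IFACE... -> 0 once every interface is ready,
# 1 if LIMIT seconds pass first. Stragglers are named on stderr so the
# boot log shows which device held things up.
wait_for_interfaces() {
    limit=$1; shift
    deadline=$(( $(date +%s) + limit ))
    pending="$*"
    while [ -n "$pending" ]; do
        still=""
        for iface in $pending; do
            iface_ready "$iface" || still="$still $iface"
        done
        pending=${still# }
        [ -z "$pending" ] && return 0
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "timed out waiting for interfaces:$still" >&2
            return 1
        fi
        sleep 1
    done
    return 0
}

# Typical use from an init script: wait up to 60 s for the external links
# before starting the firewall, but start anyway if they never appear.
# wait_for_interfaces 60 eth0 ppp0 || echo "starting firewall with stragglers" >&2
```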
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
