On 09/22/2012 07:57 AM, Tom Eastep wrote:
> On 09/21/2012 07:57 PM, Tarqi Kazan wrote:
>> Wow,
>>
>> why so rude? I just try to help and to understand what's going on.
>>
>> So if it's autoloaded because of my config:
>>
>> I am not using snmp, sip or anything, so I haven't configured this. It's all
>> based on the 2 gateway example. I even don't know what's "Amanda".
>>
>> I also could have stopped to investigate after I found my problem, but I
>> thought it may be a good thing for you, that I dig deeper. If you don't like
>> that people trying contribute, simply close the mailing-list.
>>
>
> I apologize, Tarqi. I realized when I woke up this morning that you may
> be running into the changes I made to support kernel 3.5 and later.
>
> Let's go back to one of your previous posts:
>
>> I did the following:
>> - copied "helpers" to /etc/shorewall AND commented out the modules
>> - set strongwall.conf "AUTOHELPERS" to "No"
>> - set strongwall.conf "LOAD_HELPERS_ONLY" to "Yes"
>> - set strongwall.conf "HELPERS" to ""
>>
>
> Even with LOAD_HELPERS_ONLY=Yes, the compiler is unconditionally
> checking for the presence of all of the application helpers. It is
> checking by running iptables commands that will autoload each of the
> helper modules.
>
> You can avoid this behaviour by creating a capabilities file:
>
> shorewall show -f capabilities > /etc/shorewall/capabilities
>
> Now, if you reboot, only the modules that you actually use will be loaded.
>
> Back to your original problem, did you have AUTOHELPERS=No all along?
> With AUTOHELPERS=No on a 3.5 kernel, unless you have specifically
> modified /etc/shorewall/conntrack to associate the PPTP helper with TCP
> port 1729, the behaviour of the system should be the same as if you
> hadn't loaded the module at all.
>
> If it is not, then we need to investigate further.

Here is a lightly-tested patch that does not probe the helpers when
LOAD_HELPERS_ONLY=Yes.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index ebc28db..176e745 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3624,17 +3624,6 @@ sub determine_capabilities() {
$globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
- if ( have_capability 'CT_TARGET' ) {
- $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ),
- 'FTP0_HELPER',
- 'IRC0_HELPER',
- 'SANE0_HELPER',
- 'SIP0_HELPER',
- 'TFTP0_HELPER' );
- } else {
- $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
- }
-
unless ( $config{ LOAD_HELPERS_ONLY } ) {
#
# Using 'detect_capability()' is a bit less efficient than calling the individual detection
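Review bot: the removed else branch near the top of determine_capabilities() takes the HELPER_MATCH probe out of the unconditional path together with the per-helper probes. If the new location is inside the `unless ( $config{ LOAD_HELPERS_ONLY } )` block that opens just below, then with LOAD_HELPERS_ONLY=Yes neither `$capabilities{HELPER_MATCH}` nor any of the `*_HELPER` entries is set in this function any more. Please confirm that later consumers of those keys detect on demand or tolerate undefined values, and consider leaving the HELPER_MATCH probe unconditional if it does not itself autoload a helper module.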
@@ -3718,6 +3707,17 @@ sub determine_capabilities() {
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
$capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
+ if ( have_capability 'CT_TARGET' ) {
+ $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ),
+ 'FTP0_HELPER',
+ 'IRC0_HELPER',
+ 'SANE0_HELPER',
+ 'SIP0_HELPER',
+ 'TFTP0_HELPER' );
+ } else {
+ $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
+ }
+
qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" );
qt1( "$iptables -F $sillyname1" );
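Review bot: the relocated block just ahead of the `qt1( "$iptables -F $sillyname" )` cleanup has no comment explaining why helper detection now sits at this point. A short comment stating that each helper probe autoloads its module, and that the probes are therefore skipped when LOAD_HELPERS_ONLY is set, would stop a later cleanup from moving the block back to the unconditional path. Since the patch is described as lightly tested, a run with LOAD_HELPERS_ONLY=Yes and no capabilities file, followed by a check of the loaded modules, would confirm the intended effect.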
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
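
A check for the outcome described in the message above (after a reboot, only the helpers actually in use should be loaded), as an added example that is not part of the original post or of Shorewall. The function name, the helper list and the sample module listing are assumptions made for illustration; on a live system pass /proc/modules instead of the constructed sample.

```shell
#!/bin/sh
# Added example, not Shorewall code: report conntrack helper modules that are
# loaded but are not in the set the administrator expects to use.

# Helper module suffixes (nf_conntrack_<name>); an assumed list, kept sorted.
KNOWN_HELPERS="amanda ftp h323 irc netbios_ns pptp sane sip snmp tftp"

# unexpected_helpers MODULES_FILE "ALLOWED NAMES"
# MODULES_FILE uses the /proc/modules layout (module name in the first field).
# Prints one unexpected helper name per line.
unexpected_helpers() {
    modules_file=$1
    allowed=" $2 "
    for h in $KNOWN_HELPERS; do
        # Skip helpers the administrator intends to use.
        case $allowed in *" $h "*) continue ;; esac
        # Exact match on field 1, so nf_conntrack and nf_conntrack_proto_gre
        # are never mistaken for a helper.
        if awk -v m="nf_conntrack_$h" \
               '$1 == m { found = 1 } END { exit !found }' "$modules_file"; then
            echo "$h"
        fi
    done
}

# Constructed sample in /proc/modules layout (not captured from a real host).
sample_modules() {
    cat <<'EOF'
nf_conntrack_pptp 12345 0 - Live 0x0000000000000000
nf_conntrack_proto_gre 6789 1 nf_conntrack_pptp, Live 0x0000000000000000
nf_conntrack_sip 23456 0 - Live 0x0000000000000000
nf_conntrack_amanda 3456 0 - Live 0x0000000000000000
nf_conntrack 98765 4 nf_conntrack_pptp,nf_conntrack_sip, Live 0x0000000000000000
EOF
}

# Demo: only the PPTP helper is expected, so amanda and sip are reported.
tmp=$(mktemp) && sample_modules > "$tmp"
unexpected_helpers "$tmp" "pptp"
rm -f "$tmp"
```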
