On 08/05/14 07:29, Brian Burch wrote:
> On 08/05/14 00:16, Tom Eastep wrote:
>> On 5/7/2014 3:17 PM, Tom Eastep wrote:
>>> On 5/7/2014 2:55 PM, Tom Eastep wrote:
>>>> On 5/7/2014 11:41 AM, Brian Burch wrote:
>>>>> On 07/05/14 18:07, Tom Eastep wrote:
>>>
>>>>>
>>>>> My shorewall 4.5.21.3 was working fine with ubuntu 13.10 running the
>>>>> 3.11 lowlatency kernel.
>>>>>
>>>>> Last weekend I upgraded to ubuntu 14.04 with the 3.13 lowlatency kernel.
>>>>> Every time shorewall started, the system completely froze.
>>>>>
>>>>> Since then I've been trying to unpick the symptoms. All I need to do is
>>>>> "shorewall show compatibilities" and the system dies completely - the
>>>>> console listing shows most of the capabilities, but the mouse and
>>>>> keyboard are dead. I can't even ping the system and have to do a hard
>>>>> power-off.
>>>>>
>>>>> Currently, I have shorewall stopped and the system works fine until I
>>>>> ask shorewall to go near the kernel.
>>>>>
>>>>> I have the same symptoms with the 3.13 generic kernel. I also did an
>>>>> update of shorewall to 4.5.21.9 from the tar.bz's, but nothing seems to
>>>>> have changed.
>>>>>
>>>>> Unfortunately "shorewall dump" freezes the system as well!!!!
>>>>>
>>>>> I intended to spend more time on problem determination before I bothered
>>>>> you, but I decided a quick heads up might save us all some time.
>>>>
>>>> Sounds like Netfilter is badly broken on your system. 'shorewall dump'
>>>> does nothing but run iptables and iproute2 query commands.
>>>>
>>>
>>> I'll take that back -- later versions display the capabilities so 'dump'
>>> is a superset of 'show capabilities'.
>>
>> Just installed 14.04 Desktop and Shorewall 4.6.0-RC2. Works fine.
>>
>> -Tom
>
> Thanks Tom. As I said earlier, this system has been upgraded through
> about 3 releases of ubuntu and 4 or 5 of shorewall. I wasn't implying
> the culprit was shorewall - more like the victim!
>
> I need to narrow the problem down. Your thoughts have given me several
> things to try today, particularly using the atomic system commands
> rather than shorewall.

Good news at last!

iptables, ip route, ip link, ipset list all work fine.

shorewall show config, policies, zones, routing all work fine.

shorewall show capabilities lists as far as "ULOG available" on the
terminal session, returns to a command prompt and then the system
freezes instantly.

These tests were all made with my previously-working configuration, but
with shorewall stopped.

---

I then manually removed everything I could find about shorewall and
installed it carefully from the 4.5.21.9 tar.bz files. (Incidentally,
the md5's were all correct).

The only changes I made to shorewall.conf were STARTUP_ENABLED=No
(obviously!) and LOGFILE=/var/log/syslog (messages does not exist on my
distribution).

/etc/shorewall/ contained only the distribution copies of conntrack,
params and shorewall.conf (i.e. none of my rules, or even a zone file).

shorewall status said it was not running.

I went through the tests above on this "clean" shorewall install. The
system froze again at the end of shorewall show capabilities.

shorewall compile froze the system too.

I tried unpicking lib.cli to find the system commands it was using in
these cases. I was lucky that piping the output of the compile to a file
captured a few lines - the last one was "Loading Modules..."

I checked my dkms modules and found the package xtables-addons-dkms is
at the latest recommended level for ubuntu trusty, i.e. 2.3-1.

I googled (more in desperation than confidence) and up popped this!

https://bugs.launchpad.net/ubuntu/+source/xtables-addons/+bug/1286911

Although I would have liked to retain my geoip support, it isn't any
good if I can't run shorewall without it crashing my system!

I purged the package but kept xtables-addons-common (I really need
ipsets) and libxtables10.

shorewall works fine now!

I suppose I could inject xtables 2.4 into my system as a test, but I'll
wait for a while to see whether it appears in the standard repositories
soon.

I hope this tale is helpful.

Thanks for your advice, Tom.

Brian

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
