I'm switching my current linux box from staticIP -> dynamicIP via dhcp.
On net start of my linux box, connecting via native wicked dhcp on Opensuse 13.2,
wicked ifdown eth0 && wicked ifup eth0
I have connectivity
ip -4 addr show dev eth0
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast state UP group default qlen 1000
inet AA.AA.AA.215/22 brd BB.BB.BB.255 scope global eth0
valid_lft forever preferred_lft forever
ip route show
default via AA.AA.AA.1 dev eth0 proto dhcp
AA.AA.AA.0/22 dev eth0 proto kernel scope link src AA.AA.AA.215
10.1.1.0/24 dev eth1 proto kernel scope link src 10.1.1.100
ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=25.7 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=25.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=25.2 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 25.263/25.578/25.775/0.225 ms
But on shorewall start
systemctl start shorewall-lite
I lost connection
ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
(no response)
Checking the routes, SW's changed the default route, assigning the wrong gateway
ip route show
default via XX.XX.XX.1 dev eth0
XX.XX.XX.1 dev eth0 scope link src AA.AA.AA.215
AA.AA.AA.0/22 dev eth0 proto kernel scope link src AA.AA.AA.215
10.1.1.0/24 dev eth1 proto kernel scope link src 10.1.1.100
That XX.XX.XX.1 has nothing to do with my current ISP or config -- it's a VERY
old gateway from years ago.
I had no idea where Shorewall was getting that "XX.XX.XX.1" gateway.
It's not in my shorewall config sources
cd /usr/local/etc/shorewall
grep -rlni XX.XX.XX .
(empty)
It's not in the target firewall
cd /var/lib/shorewall-lite
grep -rlni XX.XX.XX .
(empty)
And it's not in the dhcp lease file.
grep XX.XX.XX /var/lib/wicked/lease-eth0-dhcp-ipv4.xml
(empty)
Tracing the restart finds the source:
+++ gateway=
+++ file=/var/lib/dhcpcd/dhcpcd-eth0.info
+++ '[' -z '' -a -f /var/lib/dhcpcd/dhcpcd-eth0.info ']'
++++ grep '^GATEWAYS=' /var/lib/dhcpcd/dhcpcd-eth0.info
+++ eval 'GATEWAYS='\''XX.XX.XX.1'\'''
++++ GATEWAYS=XX.XX.XX.1
+++ '[' -n XX.XX.XX.1 ']'
+++ GATEWAYS=XX.XX.XX.1
+++ gateway=XX.XX.XX.1
+++ for file in '"${VARLIB}/dhcp/dhclient-${1}.lease"' '"${VARLIB}/dhcp/dhclient.${1}.leases"'
+++ '[' -n XX.XX.XX.1 ']'
+++ break
+++ '[' -n XX.XX.XX.1 ']'
+++ echo XX.XX.XX.1
++ gateway=XX.XX.XX.1
++ '[' -n XX.XX.XX.1 ']'
++ '[' -n XX.XX.XX.1 ']'
++ '[' -n XX.XX.XX.1 ']'
++ echo XX.XX.XX.1
+ SW_ETH0_GATEWAY=XX.XX.XX.1
It's
/var/lib/dhcpcd/dhcpcd-eth0.info
a very old, pre-'wicked' networking stack dhcp lease file left dangling around.
Removing
rm -f /var/lib/dhcpcd/*eth0*
Now, cycling SW no longer breaks the route & connection.
wicked ifdown eth0 && wicked ifup eth0
shorewall-lite restart
ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=25.6 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 25.642/25.642/25.642/0.000 ms
ip route show
default via AA.AA.AA.1 dev eth0
AA.AA.AA.0/22 dev eth0 proto kernel scope link src AA.AA.AA.215
AA.AA.AA.1 dev eth0 scope link src AA.AA.AA.215
10.1.1.0/24 dev eth1 proto kernel scope link src 10.1.1.100
IIUC, SW's not 'getting' the SW_ETH0_GATEWAY / SW_ETH0_ADDRESS
SW's default "findgw"
#if [ -f /var/lib/dhcp/dhclient.${1}.lease ]; then
# grep 'option routers' /var/lib/dhcp/dhclient.${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway | sed 's/;//'; return 0; done
#fi
appears unaware of
/var/lib/wicked/lease-eth0-dhcp-ipv4.xml
et al.
Should wicked's default lease location be added to that default SW code/search
path? With priority if/when wicked is in use?
Or should this be left to the end-user to DIY in
SHOREWALL/findgw
config? If so, what's the right method to ensure that SW_ETH#_GATEWAY /
SW_ETH#_ADDRESS get correctly populated when 'detect' in providers is set for a
given interface, when using custom findgw code?
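As an added illustration (not code from the post above and not Shorewall's own findgw), one way a custom findgw can avoid the stale-lease-file failure mode described in this thread is to not read any lease file at all, and instead derive the gateway from the kernel's live routing table, preferring the default route that the DHCP client itself installed (tagged "proto dhcp" by wicked in the output shown earlier) and only falling back to any other default route on that interface. The function names, the 192.0.2.x / 198.51.100.x sample addresses and the embedded sample route tables are all constructed for this example; the real call would feed it the output of "ip -4 route show".

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post or of Shorewall.
# A findgw-style helper that takes the interface name ($1) and the text of
# 'ip -4 route show' ($2) and prints the gateway of the default route on that
# interface.  A default route carrying 'proto dhcp' wins; otherwise the first
# default route on the interface is used as a fallback; exit status 1 if none.
gateway_from_route_table() {
    iface="$1"
    table="$2"
    printf '%s\n' "$table" | awk -v iface="$iface" '
        $1 == "default" {
            gw = ""; dev = ""; dhcp = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "via")   gw  = $(i + 1)
                if ($i == "dev")   dev = $(i + 1)
                if ($i == "proto" && $(i + 1) == "dhcp") dhcp = 1
            }
            if (dev == iface && gw != "") {
                if (dhcp) { print gw; found = 1; exit }   # DHCP-installed route wins
                if (fallback == "") fallback = gw         # remember first other default
            }
        }
        END {
            if (found) exit 0
            if (fallback != "") { print fallback; exit 0 }
            exit 1
        }'
}

# Live wrapper (hypothetical name): what a findgw script would actually call.
findgw_live() {
    gateway_from_route_table "$1" "$(ip -4 route show 2>/dev/null)"
}

# Constructed sample: the healthy state from the post (wicked-installed route).
SAMPLE_ROUTES_DHCP='default via 192.0.2.1 dev eth0 proto dhcp
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.215
10.1.1.0/24 dev eth1 proto kernel scope link src 10.1.1.100'

# Constructed sample: the state after a firewall restart has replaced the
# default route (no 'proto dhcp' tag any more), as seen in the post.
SAMPLE_ROUTES_REPLACED='default via 198.51.100.1 dev eth0
198.51.100.1 dev eth0 scope link src 192.0.2.215
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.215
10.1.1.0/24 dev eth1 proto kernel scope link src 10.1.1.100'

if [ "${1:-}" = "--demo" ]; then
    echo "dhcp table, eth0:     $(gateway_from_route_table eth0 "$SAMPLE_ROUTES_DHCP")"
    echo "replaced table, eth0: $(gateway_from_route_table eth0 "$SAMPLE_ROUTES_REPLACED")"
    gateway_from_route_table eth1 "$SAMPLE_ROUTES_DHCP" || echo "eth1: no default route (status $?)"
fi
```

Because the helper never opens /var/lib/dhcpcd, /var/lib/dhcp or /var/lib/wicked, a forgotten lease file from a previous networking stack cannot feed it a gateway; it only ever reports what the kernel is currently routing through. The fallback branch is deliberate: once Shorewall has re-installed the default route, the 'proto dhcp' tag is gone, so a dhcp-only version would fail on every subsequent restart.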
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users