On 08/10/2017 01:07 AM, Vieri Di Paola via Shorewall-users wrote:
> I'm asking because I'm seeing two issues with the restart command when trying 
> to move from shorewall to a more recent version (eg.
> According to 
> http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.14/releasenotes.txt, 
> the "restart" option should behave the same way. So, if RESTART=restart then 
> a "true" restart is done (stop&start). It won't be a "reload".

No. If you take an existing 5.0 configuration and do a 'shorewall
update' on 5.1, THEN 'restart' will work the same as it did before the
upgrade. If you build a new configuration of 5.1 and leave
RESTART=restart, then 'restart' will behave differently than on 5.0.

So if you want 'restart' to behave as it did in 5.0, then you must have
RESTART=reload in shorewall.conf.

> On both of my old and new shorewall systems, RESTART=restart. 
> ADMINISABSENTMINDED is also set to Yes.
> First issue:
> Here's what I see when I ping to a host in CAIB zone at from a 
> host in LAN zone while running "shorewall restart".
> [...]
> 64 bytes from icmp_seq=4 ttl=59 time=4.06 ms
> 64 bytes from icmp_seq=5 ttl=59 time=2.77 ms
> 64 bytes from icmp_seq=6 ttl=59 time=2.30 ms
> From icmp_seq=7 Time to live exceeded
> 64 bytes from icmp_seq=8 ttl=59 time=2.97 ms
> 64 bytes from icmp_seq=9 ttl=59 time=4.23 ms
> 64 bytes from icmp_seq=10 ttl=59 time=2.98 ms
> This is the content of stoppedrules:
> ACCEPT          $IF_LAN                 $IF_IBS
> ACCEPT          $IF_LAN                 $IF_CAIB
> The IP addr. is on a gateway out the WAN interface.
> The providers file contains:
> WAN     1       1       -       $IF_WAN         $ADDR_GW_WAN    track,primary
> CAIB    2       2       -       $IF_CAIB        $ADDR_GW_CAIB   
> track,fallback=1
> IBS     3       3       -       $IF_IBS         $ADDR_GW_IBS    
> track,fallback=1
> The rtrules file contains:
> -                        CAIB            11692
> So I guess that if I wanted to allow all traffic from lan to caib and to ibs 
> then I would also have to modify the routing table.
> I think I should do this in the "stopped" file with something like this:
> route add gw $ADDR_GW_CAIB
> I haven't tried it though. Does it make sense?


> Also, would I need to remove the route entries listed in "stopped" when 
> shorewall starts again? Would I need to add something like this in the 
> "started" or "start" files? Which file BTW? (I would need to do that before 
> Shorewall starts handling routes)
> route del
> Alternatively, if I could do without running the code in "stopped" and 
> "started" then I could issue a "shorewall reload".
> However, I've seen the "From icmp_seq=38 Time to live exceeded" 
> message even when issuing a "reload".
> So it seems that in this particular case (maybe due to the providers&rtrules 
> settings) a reload and a restart behave alike (only tested with as 
> is not in production yet).

In both 'restart' and 'reload', the provider routing tables and rules
are purged then reloaded. But they were purged and reloaded on 5.0 as well.

> The second issue regards performance on a restart or a reload.
> Both of my systems (5.0 / 5.1) have the same ruleset of about 7000 lines.
> Shorewall 5.0 is running on a "weak" server whereas 5.1 is on much more 
> powerful hardware.
> With 5.0:
> # time /etc/init.d/shorewall restart
> [...]
> real    0m14.793s
> user    0m8.780s
> sys     0m1.480s
> With 5.1:
> # time /etc/init.d/shorewall restart
> [...]
> real 0m45.981s
> user 0m42.410s
> sys  0m2.310s
> The difference between the two is staggering.
> It's probably due to the OPTIMIZE option in shorewall.conf, right?


> In shorewall the default value for OPTIMIZE is 0.
> In the default value is All despite the man page saying that "The 
> default value is zero which disables all optimizations" (that was true for 
> older versions).
> So I guess I have to set OPTIMIZE=0 or None in 5.1 in order to get similar or 
> better timings.


> BTW, I'm wondering if the OPTIMIZE option could somehow explain the other 
> issue I'm having in the ML thread "traffic issues through firewall router".
> I'll do a test asap.

I doubt it.

Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand

Attachment: signature.asc
Description: OpenPGP digital signature

Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Shorewall-users mailing list

Reply via email to