On 08/11/2017 01:13 AM, Vieri Di Paola via Shorewall-users wrote:
> ________________________________
> From: Tom Eastep <teas...@shorewall.net>
>>
>> The stopped state is NO longer in 5.1. The compilation step is longer,
>> but the time to run the script once it is compiled should be very close
>> to the same.
>
> OK, I don't know why I was previously getting such a long connection outage
> while shorewall 5.1 was restarting, and I can't seem to reproduce this today.
>
> I also realize now (or correct me if I'm wrong) that the access rules and
> routing tables are "still there" when shorewall is compiling and optimizing
> rules. They are flushed afterwards, and there should be no big difference
> between 5.0 and 5.1.
>
That is correct.

> However, I must say that I've reproduced the following behavior several times
> now.
>
> If I *only* have stoppedrules defined as:
>
> ACCEPT $IF_LAN $IF_CAIB
>
> (and no custom routing during the stopped state)
>
> then I'm still seeing messages like this one (during the time frame when
> shorewall has flushed the routing tables):
>
> From 172.16.0.2 icmp_seq=7 Time to live exceeded
>
> This happens whether I "restart" or "reload" (tested on 5.1, and yes, also
> 5.0, as you said should behave similarly).
>
> Of course, the ping statistics show that there were lost packets:
>
> 721 packets transmitted, 680 received, +2 errors, 5% packet loss
>
> Some corporate applications are either very sensitive or poorly programmed,
> and do not tolerate packet loss.
>
> Now, if I also add the following routes as in this example:
>
> [ "stopped" file contains ]
> route add -net 10.215.0.0/17 gw $ADDR_GW_CAIB
>
> [ "start" file contains ]
> route del -net 10.215.0.0/17
> return 0

So why don't you simply leave that route in place all of the time? Just
define it in your distribution's networking config.

> I can then test continuous pings to the CAIB zone from the LAN zone while I
> restart/reload shorewall several times, and I am unable to reproduce the
> "Time to live exceeded" issue.
> In other words, I am not losing a single ping (5.1 and 5.0).
> I don't know if this is mere randomness, but I've tried it once and again.
>
> BTW, I noticed that the shorewall start command has the -n option
> which avoids updating the routing tables. Would it make sense for future
> shorewall releases to include a similar -n option for the stop command
> so Shorewall does not flush the routing tables during the stopped phase
> or when reloading?

The 'reload' command already supports the -n option.
> Maybe additional -n0 and -0n options could be passed to the restart commands
> so that:
> 1) -n is equivalent to shorewall stop && shorewall start -n

which is the way that it works today

> 2) -0n is the same (equivalent to shorewall stop && shorewall start -n)
> 3) -n0 is equivalent to shorewall stop -n && shorewall start
> 4) -nn is equivalent to shorewall stop -n && shorewall start -n
> The command "stop -n" should not flush "ip route" or "ip rule".
>
> The reload command could also use the -n0, -0n, -nn options for the same
> purpose.

Unnecessary -- 'reload' and 'start' are basically the same command. The main
difference being that UPnP rules and non-IPSET dynamic blacklisting are
preserved during 'reload'.

> I would also like to know if the INCLUDE directive is available in the
> following files, and if the variables defined in the params file are also
> available:
> 1) start
> 2) started
> 3) stopped

Yes.

-Tom
--
Tom Eastep          \ Q: What do you get when you cross a mobster with
Shoreline,           \    an international standard?
Washington, USA       \ A: Someone who makes you an offer you can't
http://shorewall.org   \    understand
                        \_______________________________________________
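The check Vieri describes (a continuous ping across a Shorewall restart/reload, watching for lost packets and "Time to live exceeded" replies), written up as an added example. This script is not from the thread or from the Shorewall project. It assumes, as placeholders, a host in the CAIB zone as TARGET, that the route to it is defined permanently in the distribution's networking config as Tom suggests, and that 'shorewall reload -n' is used so the routing tables are left alone during the reload. The parsing functions are exercised on a constructed ping log so the script runs without root or Shorewall; the live run is behind a "run" argument.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project: run a
# continuous ping across a Shorewall reload and report lost packets and
# "Time to live exceeded" replies, the two symptoms described in the thread.
# Assumptions (placeholders, not from the thread): TARGET is a host in the
# CAIB zone, the route to it is defined permanently in the distribution's
# networking config, and 'shorewall reload -n' is used so Shorewall does
# not touch 'ip route' / 'ip rule' while reloading.

TARGET=${TARGET:-10.215.1.1}   # assumed CAIB host (placeholder)
DURATION=${DURATION:-30}       # seconds the ping runs

# Number of "Time to live exceeded" lines in ping output read from stdin.
count_ttl_exceeded() {
    grep -c 'Time to live exceeded' || true
}

# Parse the ping summary line on stdin; prints "transmitted received lost".
ping_loss() {
    awk '/packets transmitted/ { tx = $1; rx = $4; print tx, rx, tx - rx }'
}

# Summarise a saved ping log: "transmitted received lost ttl_exceeded".
ping_report() {
    f=$1
    echo "$(ping_loss < "$f") $(count_ttl_exceeded < "$f")"
}

# Ping TARGET in the background, reload Shorewall with -n while the ping
# runs, then summarise. Needs root and a working Shorewall; not run below.
reload_under_ping() {
    log=$(mktemp)
    ping -i 0.2 -w "$DURATION" "$TARGET" > "$log" 2>&1 &
    pid=$!
    sleep 2
    shorewall reload -n          # -n: leave routing tables alone
    wait "$pid" || true          # ping exits 1 if no reply at all came back
    ping_report "$log"
    rm -f "$log"
}

# Constructed sample ping output (figures modelled on the thread) so the
# parsing functions can be exercised without root or Shorewall.
SAMPLE_PING='PING 10.215.1.1 (10.215.1.1) 56(84) bytes of data.
64 bytes from 10.215.1.1: icmp_seq=1 ttl=62 time=1.20 ms
From 172.16.0.2 icmp_seq=7 Time to live exceeded
From 172.16.0.2 icmp_seq=8 Time to live exceeded
64 bytes from 10.215.1.1: icmp_seq=9 ttl=62 time=1.31 ms

--- 10.215.1.1 ping statistics ---
721 packets transmitted, 680 received, +2 errors, 5% packet loss, time 144200ms'

if [ "${1:-}" = "run" ]; then
    reload_under_ping            # live run: sh ping-reload.sh run
else
    printf '%s\n' "$SAMPLE_PING" | ping_loss           # 721 680 41
    printf '%s\n' "$SAMPLE_PING" | count_ttl_exceeded  # 2
fi
```

To compare the two behaviours, run it once with 'shorewall reload -n' as written and once with 'shorewall restart' substituted in reload_under_ping: a restart goes through stop, which flushes the routing tables, so the TTL-exceeded count and loss figure show whether the permanent route (or the -n option) removes the gap.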
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users