On 8/25/19 9:11 AM, Dominic Hargreaves wrote:
> Hi there,
>
> I'm porting an existing configuration (managed by ansible, not that I
> believe that to be relevant) to Debian buster. I'm seeing a strange
> behaviour where most of the time, rules are simply not updated after
> a reload or restart. I noticed that when this happens, the file
> /var/lib/shorewall/firewall is not updated - it maintains the mtime of
> the last run that did manage to change things. It's also noticeable
> that the compile stage is not running, particularly the absence of
> messages when running with -vv.
>
> Meanwhile, the mtime of /var/lib/shorewall/.iptables-restore-input
> does change, but it's referring to out of date data - that from
> /var/lib/shorewall/firewall, presumably.
>
> Removing /var/lib/shorewall/firewall forces recompilation to happen
> and the correct rules to be deployed.
>
> /etc/shorewall/shorewall.conf is the packaged default and hasn't been
> changed. I'm starting shorewall with systemd, but the same thing happens
> when running manually or via ansible.
>
> What could cause the compilation phase to be skipped and outdated data
> be used to configure the system?
>

Sounds like your shorewall.conf has AUTOMAKE=Yes. If so, the most likely
cause of this problem is that you are using ?INCLUDE to include files
that are not on the CONFIG_PATH. With AUTOMAKE=Yes, the CLI searches
$CONFIG_PATH for files newer than /var/lib/shorewall/firewall; if none
is found, the compilation step is skipped.

Note that you can always force re-compilation by using the '-c' option
to the start, restart and reload commands.

-Tom
--
Tom Eastep
Shoreline, Washington, USA
http://shorewall.org

Q: What do you get when you cross a mobster with an international standard?
A: Someone who makes you an offer you can't understand
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
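
Added example (not part of the thread and not Shorewall's own code): a shell sketch that approximates the AUTOMAKE freshness check described in the reply and lists the ?INCLUDE targets that check cannot see, which is how stale rules stay deployed. The function names are hypothetical; it assumes only the top level of each CONFIG_PATH directory is scanned and only absolute ?INCLUDE paths are followed.

```shell
#!/bin/sh
# Added example; approximates the check, it is not Shorewall's code.
# Assumptions: top-level scan of each CONFIG_PATH directory only,
# absolute ?INCLUDE targets only, no trailing slashes in CONFIG_PATH.

# changes_seen COMPILED CONFIG_PATH
# Files on CONFIG_PATH newer than the compiled script. If this prints
# nothing, AUTOMAKE=Yes skips compilation.
changes_seen() {
    compiled=$1; cfg=$2
    old_ifs=$IFS; IFS=:; set -- $cfg; IFS=$old_ifs
    for dir in "$@"; do
        if [ -d "$dir" ]; then
            find "$dir" -maxdepth 1 -type f -newer "$compiled"
        fi
    done
    return 0
}

# changes_missed COMPILED CONFIG_PATH
# ?INCLUDE targets that live outside CONFIG_PATH and are newer than the
# compiled script: edits that the freshness check never notices.
changes_missed() {
    compiled=$1; cfg=$2
    old_ifs=$IFS; IFS=:; set -- $cfg; IFS=$old_ifs
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            # Accept both "?INCLUDE /path" and "INCLUDE /path".
            sed -n 's|^[[:space:]]*?*INCLUDE[[:space:]][[:space:]]*\(/[^[:space:]]*\).*|\1|p' "$f"
        done
    done | sort -u | while read -r inc; do
        # Skip targets whose directory is itself on CONFIG_PATH.
        case ":$cfg:" in *":$(dirname "$inc"):"*) continue ;; esac
        if [ -f "$inc" ] && [ -n "$(find "$inc" -newer "$compiled")" ]; then
            echo "$inc"
        fi
    done
}

# Stand-alone use: pass the compiled script and the CONFIG_PATH value.
if [ $# -eq 2 ]; then
    echo "Seen by the freshness check:";  changes_seen "$1" "$2"
    echo "Missed (outside CONFIG_PATH):"; changes_missed "$1" "$2"
fi
```

Anything listed as missed is only picked up after a forced compile with '-c' or after the included file is placed in a directory on CONFIG_PATH.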