On Sun, Aug 25, 2019 at 10:04:34AM -0700, Tom Eastep wrote:
> On 8/25/19 9:11 AM, Dominic Hargreaves wrote:
> > Hi there,
> >
> > I'm porting an existing configuration (managed by ansible, not that I
> > believe that to be relevant) to Debian buster. I'm seeing a strange
> > behaviour where most of the time, rules are simply not updated after
> > a reload or restart. I noticed that when this happens, the file
> > /var/lib/shorewall/firewall is not updated - it maintains the mtime of
> > the last run that did manage to change things. It's also noticeable
> > that the compile stage is not running, particularly the absence of
> > messages when running with -vv.
> >
> > Meanwhile, the mtime of /var/lib/shorewall/.iptables-restore-input
> > does change, but it's referring to out of date data - that from
> > /var/lib/shorewall/firewall, presumably.
> >
> > Removing /var/lib/shorewall/firewall forces recompilation to happen
> > and the correct rules to be deployed.
> >
> > /etc/shorewall/shorewall.conf is the packaged default and hasn't been
> > changed. I'm starting shorewall with systemd, but the same thing happens
> > when running manually or via ansible.
> >
> > What could cause the compilation phase to be skipped and outdated data
> > be used to configure the system?
> >
>
> Sounds like your shorewall.conf has AUTOMAKE=Yes. If so, the most likely
> cause of this problem is that you are using ?INCLUDE to include files
> that are not on the CONFIG_PATH. With AUTOMAKE=Yes, the CLI searches
> $CONFIG_PATH for files newer than /var/lib/shorewall/firewall; if none
> is found, the compilation step is skipped.
>
> Note that you can always force re-compilation by using the '-c' option
> to the start, restart and reload commands.

Aha, thanks! Yes, I'm using shell includes, so I've switched to
AUTOMAKE=recursive. That has fixed the problem.

Given that AUTOMAKE is documented as defaulting to No, it looks like it
might be a bug in the Debian package that it's been set to Yes. I'll
follow up with a bug report to track that.

Best,
Dominic.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
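
The freshness test discussed in this thread, as an added example that is not part of the original messages and is not Shorewall's own code. It assumes AUTOMAKE=Yes looks only at files directly inside each CONFIG_PATH directory while AUTOMAKE=recursive descends into subdirectories; the function name and the directory tree are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example: approximates the AUTOMAKE freshness test from the thread.
# Assumption: "yes" is modelled as a depth-1 search of each CONFIG_PATH
# directory, "recursive" as a search of unlimited depth.

# newer_than_script MODE CONFIG_PATH SCRIPT   (hypothetical helper)
# Prints files newer than SCRIPT. Returns 0 if compilation would run,
# 1 if it would be skipped.
newer_than_script() {
    am_mode=$1 cfg_path=$2 fw_script=$3
    [ -f "$fw_script" ] || return 0     # no compiled script yet: compile
    case $am_mode in
        recursive) depth= ;;
        *)         depth="-maxdepth 1" ;;
    esac
    rc=1
    old_ifs=$IFS; IFS=:
    for dir in $cfg_path; do
        IFS=$old_ifs
        [ -d "$dir" ] || continue
        # $depth is left unquoted on purpose so it splits into two words
        hits=$(find "$dir" $depth -type f -newer "$fw_script" 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            rc=0
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Constructed tree (not a real Shorewall install): a fragment in a
# subdirectory, pulled in by a shell include, is edited after compilation.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/etc/rules.d" "$root/var"
    touch -t 201908250900 "$root/etc/rules" "$root/etc/shorewall.conf"
    touch -t 201908251000 "$root/var/firewall"            # compiled script
    touch -t 201908251100 "$root/etc/rules.d/web.rules"   # edited later
    for mode in yes recursive; do
        if newer_than_script "$mode" "$root/etc" "$root/var/firewall" >/dev/null
        then echo "AUTOMAKE=$mode: recompile"
        else echo "AUTOMAKE=$mode: compile skipped, stale rules reused"
        fi
    done
    rm -rf "$root"
}
demo
```

A file that an include pulls in but that this search never reaches cannot trigger recompilation; the '-c' option mentioned above forces it regardless.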