On 8/25/19 10:56 AM, Dominic Hargreaves wrote:
> On Sun, Aug 25, 2019 at 10:04:34AM -0700, Tom Eastep wrote:
>> On 8/25/19 9:11 AM, Dominic Hargreaves wrote:
>>> Hi there,
>>>
>>> I'm porting an existing configuration (managed by ansible, not that I
>>> believe that to be relevant) to Debian buster. I'm seeing a strange
>>> behaviour where most of the time, rules are simply not updated after
>>> a reload or restart. I noticed that when this happens, the file
>>> /var/lib/shorewall/firewall is not updated - it maintains the mtime of
>>> the last run that did manage to change things. It's also noticeable
>>> that the compile stage is not running, particularly the absence of
>>> messages when running with -vv.
>>>
>>> Meanwhile, the mtime of /var/lib/shorewall/.iptables-restore-input
>>> does change, but it's referring to out of date data - that from
>>> /var/lib/shorewall/firewall, presumably.
>>>
>>> Removing /var/lib/shorewall/firewall forces recompilation to happen
>>> and the correct rules to be deployed.
>>>
>>> /etc/shorewall/shorewall.conf is the packaged default and hasn't been
>>> changed. I'm starting shorewall with systemd, but the same thing happens
>>> when running manually or via ansible.
>>>
>>> What could cause the compilation phase to be skipped and outdated data
>>> be used to configure the system?
>>>
>>
>> Sounds like your shorewall.conf has AUTOMAKE=Yes. If so, the most likely
>> cause of this problem is that you are using ?INCLUDE to include files
>> that are not on the CONFIG_PATH. With AUTOMAKE=Yes, the CLI searches
>> $CONFIG_PATH for files newer than /var/lib/shorewall/firewall; if none
>> is found, the compilation step is skipped.
>>
>> Note that you can always force re-compilation by using the '-c' option
>> to the start, restart and reload commands.
>
> Aha, thanks! Yes, I'm using shell includes, so I've switched to
> AUTOMAKE=recursive. That has fixed the problem.
>
> Given that AUTOMAKE is documented as defaulting to No, it looks like
> it might be a bug in the Debian package that it's been set to Yes.
> I'll follow up with a bug report to track that.
>

It is documented as defaulting to No if it is not specified or if the right side of the assignment is empty. The sample files released in Shorewall 5.2.* all include AUTOMAKE=Yes. If there is a defect here, it is that if AUTOMAKE is empty or not set and an 'update' command is issued, the new shorewall[6].conf file will have AUTOMAKE=Yes; it is arguable that it should contain AUTOMAKE=No so as to retain the pre-update behavior.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org   \    understand
\_______________________________________________
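The staleness check Tom describes above, as an added illustration that is not Shorewall's own code: a simplified model in which AUTOMAKE=Yes only compares files directly on CONFIG_PATH against the compiled script, while AUTOMAKE=recursive also descends into subdirectories. The directory layout, the `includes/hosts.inc` file and the `needs_recompile`/`demo` function names are constructed for the demo; whether real Shorewall checks subdirectories under AUTOMAKE=Yes is assumed from the thread, not verified against its source.

```shell
#!/bin/sh
# Constructed model of the AUTOMAKE staleness check (not Shorewall's code).
# needs_recompile MODE COMPILED CONFIG_PATH
#   MODE is "flat" (models AUTOMAKE=Yes) or "recursive" (models AUTOMAKE=recursive).
#   CONFIG_PATH is a colon-separated list of directories.
#   Prints "recompile" if any config file is newer than COMPILED, else "skip".
needs_recompile() {
    mode=$1; compiled=$2; cpath=$3
    # No compiled script at all: always compile (mirrors deleting /var/lib/shorewall/firewall).
    [ -f "$compiled" ] || { echo recompile; return 0; }
    depth=""
    [ "$mode" = flat ] && depth="-maxdepth 1"
    old_ifs=$IFS; IFS=:; set -- $cpath; IFS=$old_ifs
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # shellcheck disable=SC2086  # $depth is intentionally unquoted
        if [ -n "$(find "$dir" $depth -type f -newer "$compiled" -print | head -n 1)" ]; then
            echo recompile; return 0
        fi
    done
    echo skip
}

# demo: constructed layout where an ?INCLUDEd file in a subdirectory is edited
# after the last compile, exactly the situation described in the thread.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/shorewall/includes" "$tmp/var/lib/shorewall"
    echo "?INCLUDE includes/hosts.inc" > "$tmp/etc/shorewall/rules"
    touch "$tmp/var/lib/shorewall/firewall"      # compiled script, newer than rules
    sleep 1                                        # ensure a distinct mtime second
    echo "# edited after last compile" >> "$tmp/etc/shorewall/includes/hosts.inc"
    flat=$(needs_recompile flat "$tmp/var/lib/shorewall/firewall" "$tmp/etc/shorewall")
    rec=$(needs_recompile recursive "$tmp/var/lib/shorewall/firewall" "$tmp/etc/shorewall")
    rm -rf "$tmp"
    echo "$flat $rec"   # prints "skip recompile"
}
```

The flat mode never sees the changed include and reports "skip", which is the silent stale-ruleset condition from the original post; the recursive mode reports "recompile".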
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users