Hi, all! I have a very odd conundrum. I've recently updated a test server to Ubuntu Eoan (19.10). That server runs both docker containers and libvirt VMs. Everything was running smoothly in 19.04 (which is now unsupported). However, upon upgrade and full update to 19.10 shorewall now refuses to start cleanly on bootup. The error is:
Running /sbin/iptables-restore --wait 60...
iptables-restore v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
Error occurred at line: 19
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: /sbin/iptables-restore --wait 60 Failed.

Turns out that doing a "shorewall restart" fails as well with the same error. Seems like a pretty obvious error, doesn't it? Well...not so fast! ☺

If I do two "shorewall debug restart" (note the use of *debug*) in quick succession, the first invocation will fail with the error, but the second one will succeed fully, and Shorewall will (apparently) operate properly from there on in. Perhaps the use of "debug" causes stored bad state somewhere to be wiped clean or ignored?

On next bootup everything is broken again and I have to log in to manually fix things by running "shorewall debug start" TWICE. Naturally, this isn't a tenable situation.

Here's the output (for restart) so you can see for yourselves:

<BEGIN OUTPUT>
root@testserver:~# uname -a
Linux tvserver.rivera.prv 5.3.0-29-generic #31-Ubuntu SMP Fri Jan 17 17:27:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@testserver:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 19.10
Release: 19.10
Codename: eoan
root@testserver:~# shorewall version
5.2.3.2
root@testserver:~# shorewall restart
Stopping Shorewall....
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/tcclear ...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
iptables-restore v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
Error occurred at line: 19
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: /sbin/iptables-restore --wait 60 Failed.
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
done.
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
iptables-restore v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
Error occurred at line: 42
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Terminated
root@testserver:~# shorewall debug restart
Stopping Shorewall....
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/tcclear ...
Preparing iptables-restore input...
Running debug_restore_input...
iptables v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables --wait -t nat -A POSTROUTING -j LIBVIRT_PRT" Failed
Terminated
root@testserver:~# shorewall debug restart
Stopping Shorewall....
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/tcclear ...
Preparing iptables-restore input...
Running debug_restore_input...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
done.
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running debug_restore_input...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.
root@testserver:~#
<END OUTPUT>

I read somewhere that at some point shorewall needed to be re-started after libvirtd had started up, but in my setup shorewall always starts AFTER libvirtd (configured as such via systemd After= directive).

Is there anything else I'm missing? I tried "shorewall restart -c" to try to force a from-scratch recompilation of all rules, but that didn't work either.

Thanks!

--
Diego Rivera
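A check for the error reported above, as an added example that is not part of the original post or of Shorewall: it scans iptables-restore input and lists each rule whose jump target is neither a chain declared in the same table section nor a standard target. The function names, the sample input and the KNOWN_TARGETS list are constructed for illustration; the list is not exhaustive, and the check looks only at the file, not at chains already present in the kernel.

```shell
#!/bin/sh
# List rules in iptables-restore input whose -j/-g target is neither a chain
# declared (":NAME ...") in the same table section nor a standard target.
# KNOWN_TARGETS is a constructed, non-exhaustive list (assumption): extend it
# with the extension targets your ruleset uses.
KNOWN_TARGETS="ACCEPT DROP RETURN QUEUE REJECT LOG NFLOG NFQUEUE MASQUERADE SNAT DNAT REDIRECT MARK CONNMARK TCPMSS CT"

# Output: one "<line> <table> <target>" per suspicious rule.
# Limitation: a "-j" inside a quoted --comment string is also matched.
find_undeclared_targets() {
    awk -v known="$KNOWN_TARGETS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) std[k[i]] = 1 }
        /^\*/ { table = substr($1, 2); split("", chains); next }  # new table: reset
        /^:/  { chains[substr($1, 2)] = 1; next }                 # chain declaration
        /^-[AI] / {
            for (i = 3; i < NF; i++)
                if ($i == "-j" || $i == "-g" || $i == "--jump" || $i == "--goto") {
                    t = $(i + 1)
                    if (!(t in chains) && !(t in std))
                        printf "%d %s %s\n", NR, table, t
                }
        }
    ' "$@"
}

# Constructed sample input (not taken from the poster's system). DOCKER is
# declared in nat only, so its use in filter is reported as well.
sample_restore_input() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -j DOCKER
COMMIT
EOF
}

# Prints "6 nat LIBVIRT_PRT" and "11 filter DOCKER" for the sample.
sample_restore_input | find_undeclared_targets
```

The function also accepts a file argument, so it can be pointed at the input file named in the error message, /var/lib/shorewall/.iptables-restore-input.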