I'm trying to get shorewall-lite 3.2.6 working on my openwrt (building
an ipk for it) and the package is built and now I am just trying to work
my way through http://www.shorewall.net/CompiledPrograms.html#Lite. I'm
at the "getting capabilities stage", and I understand that since I am
running > 3.2.5 I don't actually need to run shorecap myself, but just
to sanity test my openwrt port I thought I would try it. My results
were disappointing:
# Shorewall 3.2.6 detected the following iptables/netfilter capabilities - Sat Apr 7 10:30:35 EDT 2007
#
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
MULTIPORT=Yes
XMULTIPORT=Yes
CONNTRACK_MATCHUSEPKTTYPEPOLICY_MATCHPHYSDEV_MATCHLENGTH_MATCHIPRANGE_MATCHRECENT_MATCHOWNER_MATCHIPSET_MATCHCONNMARKXCONNMARKCONNMARK_MATCHXCONNMARK_MATCHRAW_TABLEIPP2P_MATCHCLASSIFY_TARGETENHANCED_REJECT=Yes
KLUDGEFREEMARK=Yes
XMARKMANGLE_FORWARD=Yes
But since I know I have better than that installed I started to dig in
to shorecap and saw that it's doing:
load_kernel_modules() ->
. /usr/share/shorewall-lite/modules ->
loadmodule [ for a huge list of modules ]
and loadmodule is:
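loadmodule() # $1 = module name, $2 - * arguments
{
    local modulename=$1
    local modulefile
    local suffix

    # Only act if the module is not already in the loaded-module list
    if ! list_search $modulename $MODULES ; then
        shift

        # Search every suffix/directory pair for a matching module file;
        # an empty $MODULE_SUFFIX means this loop body never runs
        for suffix in $MODULE_SUFFIX ; do
            for directory in $moduledirectories; do
                modulefile=$directory/${modulename}.${suffix}

                if [ -f $modulefile ]; then
                    case $moduleloader in
                        insmod)
                            insmod $modulefile $*
                            ;;
                        *)
                            modprobe $modulename $*
                            ;;
                    esac
                    # Stop searching after the first match
                    break 2
                fi
            done
        done
    fi
}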
So if the module is not already loaded (in $MODULES), then for any of
the module extensions in $MODULE_SUFFIX, try to find and load a module.
However I cannot see how $MODULE_SUFFIX gets initialized in shorecap's
call stack. It appears that do_initialize() is supposed to do that, but
do_initialize() does not appear to get called in the codepath that
shorecap runs. In fact I can't find anywhere in the entire
shorewall-lite package that calls it.
Since $MODULE_SUFFIX doesn't get initialized to anything, loadmodule()
is for all intents and purposes a NOOP.
What am I missing?
b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell

Brian J. Murrell wrote:
>
> So if the module is not already loaded (in $MODULES), then for any of
> the module extensions in $MODULE_SUFFIX, try to find and load a module.
>
> However I cannot see how $MODULE_SUFFIX gets initialized in shorecap's
> call stack. It appears that do_initialize() is supposed to do that, but
> do_initialize() does not appear to get called in the codepath that
> shorecap runs. In fact I can't find anywhere in the entire
> shorewall-lite package that calls it.
>
> Since $MODULE_SUFFIX doesn't get initialized to anything, loadmodule()
> is for all intents and purposes a NOOP.
>
> What am I missing?

Nothing -- it's clearly a bug.

Attached please find:

patch-3.2.9-9.diff -- patch to Shorewall
patch-3.2.9-10.diff -- patch to Shorewall-lite

Note that these are against 3.2.9 -- the Shorewall patch doesn't apply
cleanly to 3.2.6 but the Shorewall-lite patch does.

Please give it a try.

Thanks,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
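
Added example, not part of the original thread and not Shorewall's code or the attached patches: the search loop from loadmodule() with the insmod/modprobe call replaced by a counter, showing that an empty suffix list produces zero load attempts without any error. The module name, the temporary directory and the default suffix list in the guarded variant are assumptions made for this example.

```shell
# Constructed demo: loadmodule()'s search loop, with the real
# insmod/modprobe call replaced by a counter so it runs unprivileged.

# Create a throwaway module directory holding one fake module file.
make_fake_moduledir() {
    fm_dir=$(mktemp -d) || return 1
    : > "$fm_dir/ip_conntrack.ko"      # constructed sample file
    printf '%s\n' "$fm_dir"
}

# Same control flow as loadmodule(): for each suffix, for each directory,
# "load" the first file that exists. Prints the number of load attempts.
# $1 = module name, $2 = suffix list, $3 = directory list
count_load_attempts() {
    cl_attempts=0
    for cl_suffix in $2; do            # empty list: body never executes
        for cl_dir in $3; do
            if [ -f "$cl_dir/$1.$cl_suffix" ]; then
                cl_attempts=$((cl_attempts + 1))
                break 2
            fi
        done
    done
    printf '%s\n' "$cl_attempts"
}

# Guarded variant: fall back to a default suffix list when none was set.
# The default list is an assumption for this example.
count_load_attempts_guarded() {
    count_load_attempts "$1" "${2:-o gz ko o.gz ko.gz}" "$3"
}

# Stand-alone run: compare the unset case with the guarded one.
demo_dir=$(make_fake_moduledir)
echo "unset suffix list:   $(count_load_attempts ip_conntrack "" "$demo_dir") load attempts"
echo "guarded suffix list: $(count_load_attempts_guarded ip_conntrack "" "$demo_dir") load attempts"
rm -rf "$demo_dir"
```

Because the unset case fails silently, a capabilities file generated this way under-reports what the kernel supports; checking that the suffix list is non-empty before probing catches it.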

>I'm trying to get shorewall-lite 3.2.6 working on my openwrt (building
>an ipk for it) and the package is built and now I am just trying to
>work
>my way through http://www.shorewall.net/CompiledPrograms.html#Lite.

Brian,
I just killed my OpenWRT router this morning and am looking at
re-building everything from scratch. Is there any chance you could post
your .ipkg of shorewall when you're done? I have really been wanting to
upgrade to Shorewall lite for some time (for space constraints) but have
been reluctant because everything was working fine under 3.05. However,
now that I've broken everything, it is a good time to restart.

Thanks,
Russel

On Wed, 2007-11-04 at 12:00 -0600, Russel wrote:
>
> Brian,
> I just killed my OpenWRT router this morning and am looking at
> re-building everything from scratch. Is there any chance you could post
> your .ipkg of shorewall

It's shorewall-lite, not shorewall.

> when you're done? I have really been wanting to
> upgrade to Shorewall lite for some time (for space constraints) but have
> been reluctant because everything was working fine under 3.05. However,
> now that I've broken everything, it is a good time to restart.

IIRC, there is a bit of hackery in my shorewall (proper) to support this
too. I just don't recall what it is. :-/

Maybe it's just the lack of per-target MODULESDIR support in 3.2.6.

In any case, the URL for the ipkg is
http://brian.interlinx.bc.ca/shorewall-lite_3.2.6-5_mipsel.ipk

Cheers,
b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell

>> Brian,
>> I just killed my OpenWRT router this morning and am looking at
>> re-building everything from scratch. Is there any chance you could post
>> your .ipkg of shorewall
>
>It's shorewall-lite, not shorewall.

I actually wanted shorewall-lite, but just went for a bit of a shortcut
with my typing ;)

>IIRC, there is a bit of hackery in my shorewall (proper) to support this
>too. I just don't recall what it is. :-/
>
>Maybe it's just the lack of per-target MODULESDIR support in 3.2.6.

I'll see what I can do to get it to work. I have already re-built with
3.0.5, but I would love to transition to shorewall-lite. I may just see
if I can build an ipkg of the latest stable release. It would be a good
experience.

>In any case, the URL for the ipkg is
>http://brian.interlinx.bc.ca/shorewall-lite_3.2.6-5_mipsel.ipk

>Cheers,
>b.

Thanks!