# shorewall version
4.4.27

We used to put 'echo' statements in the params file, which worked fine, but
now including this in params:

echo "Build ipset of blacklisted addresses"

...gives this on a 'shorewall restart':

[trimmed]
Compiling /etc/shorewall/routestopped...
Shorewall configuration compiled to /var/lib/shorewall/.restart
printf: 214: Build: expected numeric value
printf: 214: ipset: expected numeric value
printf: 214: of: expected numeric value
Processing /etc/shorewall/params ...
Build ipset of blacklisted addresses
Usage: /var/lib/shorewall/.restart [ options ] <command>

<command> is one of:
   start
   stop
   clear
   disable <interface>
   down <interface>
   enable <interface>
   reset
   refresh
   restart
   status
   up <interface>
   version

Options are:

   -v and -q        Standard Shorewall verbosity controls
   -n               Don't unpdate routing configuration
   -p               Purge Conntrack Table
   -t               Timestamp progress Messages
   -V <verbosity>   Set verbosity explicitly
   -R <file>        Override RESTOREFILE setting
#

This worked with version 4.4.9 but fails with 4.4.11.6 and the latest Debian version, 4.4.27.
--
"You can have everything in life you want if you help enough other people get what they want" - Zig Ziglar.

Who did you help today?

On Fri, 2012-01-06 at 17:42 +0000, Keith Edmunds wrote:

> # shorewall version
> 4.4.27
>
> We used to put 'echo' statements in the params file, which worked fine, but
> now including this in params:
>
> echo "Build ipset of blacklisted addresses"

root@gateway:~# cat /etc/shorewall/params
echo "Building ipset of blacklisted addresses"

MIRRORS=62.216.169.37,\
62.216.184.18,\
...

root@gateway:~# shorewall restart
Building ipset of blacklisted addresses <======================
Compiling...
Processing /etc/shorewall/params ...
Building ipset of blacklisted addresses <========================
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Thanks Tom, but I'm not sure what point you are making. Certainly the
params file gets processed twice, but that isn't the problem.

On Jan 6, 2012, at 11:45 AM, Keith Edmunds <kae@midnighthax.com> wrote:

> Thanks Tom, but I'm not sure what point you are making. Certainly the
> params file gets processed twice, but that isn't the problem.

My point is that it works for me so I can't give any more help based on what little you have told us.

Tom

On Fri, 2012-01-06 at 13:19 -0800, Tom Eastep wrote:

> On Jan 6, 2012, at 11:45 AM, Keith Edmunds <kae@midnighthax.com> wrote:
>
> > Thanks Tom, but I'm not sure what point you are making. Certainly the
> > params file gets processed twice, but that isn't the problem.
>
> My point is that it works for me so I can't give any more help based on what little you have told us.

Have you tried setting the deprecated EXPORT_PARAMS variable to No in shorewall.conf?

-Tom

On Fri, 2012-01-06 at 15:38 -0800, Tom Eastep wrote:

> On Fri, 2012-01-06 at 13:19 -0800, Tom Eastep wrote:
> > On Jan 6, 2012, at 11:45 AM, Keith Edmunds <kae@midnighthax.com> wrote:
> >
> > > Thanks Tom, but I'm not sure what point you are making. Certainly the
> > > params file gets processed twice, but that isn't the problem.
> >
> > My point is that it works for me so I can't give any more help based on what little you have told us.
>
> Have you tried setting the deprecated EXPORT_PARAMS variable to No in
> shorewall.conf?

Make that EXPORTPARAMS.

-Tom

> My point is that it works for me so I can't give any more help based on
> what little you have told us.

Below is from Shorewall 4.4.11.6

An almost empty params file:

# cat params
##############################################################################
echo "This is params"
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#

shorewall.conf:

# grep -i params shorewall.conf
EXPORTPARAMS=Yes
#

A 'shorewall restart':

# shorewall restart
This is params
Compiling...
This is params
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
Compiling ...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/tunnels...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling iptables-restore input for chain mangle:...
Compiling /etc/shorewall/routestopped...
Shorewall configuration compiled to /var/lib/shorewall/.restart
printf: 4: This: expected numeric value
printf: 4: is: expected numeric value
printf: 4: params: expected numeric value
Processing /etc/shorewall/params ...
This is params
Usage: /var/lib/shorewall/.restart [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]

Options are:

   -v and -q        Standard Shorewall verbosity controls
   -n               Don't unpdate routing configuration
   -p               Purge Conntrack Table
   -t               Timestamp progress Messages
   -V <verbosity>   Set verbosity explicitly
   -R <file>        Override RESTOREFILE setting
#

I'll happily give you more information: what do you need?

Thanks,
Keith

On Sat, 2012-01-07 at 09:34 +0000, Keith Edmunds wrote:

> > My point is that it works for me so I can't give any more help based on
> > what little you have told us.
>
> Below is from Shorewall 4.4.11.6

I thought that your initial post indicated that you were running 4.4.27-1.

>
> An almost empty params file:
>
> # cat params
> ##############################################################################
> echo "This is params"
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
> #
>
> shorewall.conf:
>
> # grep -i params shorewall.conf
> EXPORTPARAMS=Yes
> #
>
> A 'shorewall restart':
>
> # shorewall restart
> This is params
> Compiling...
> This is params
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Preprocessing Action Files...
> Compiling ...
> Pre-processing /usr/share/shorewall/action.Drop...
> Pre-processing /usr/share/shorewall/action.Reject...
> Compiling /etc/shorewall/policy...
> Adding Anti-smurf Rules
> Adding rules for DHCP
> Compiling TCP Flags filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling /etc/shorewall/masq...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/tunnels...
> Generating Transitive Closure of Used-action List...
> Processing /usr/share/shorewall/action.Reject for chain Reject...
> Processing /usr/share/shorewall/action.Drop for chain Drop...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Generating Rule Matrix...
> Creating iptables-restore input...
> Compiling iptables-restore input for chain mangle:...
> Compiling /etc/shorewall/routestopped...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> printf: 4: This: expected numeric value
> printf: 4: is: expected numeric value
> printf: 4: params: expected numeric value
> Processing /etc/shorewall/params ...
> This is params
> Usage: /var/lib/shorewall/.restart [ options ]

After this happens, please:

sh -x /var/lib/shorewall/.restart restart 2> trace

And look at the trace to see what is going wrong. If you can't see the
problem, then please send me a copy of /var/lib/shorewall/.restart and
the trace file and I will take a look.

Again, do you *really* need EXPORTPARAMS=Yes? If not, turning it off
will eliminate this issue.

-Tom

On Sat, 2012-01-07 at 07:33 -0800, Tom Eastep wrote:

>
> After this happens, please:
>
> sh -x /var/lib/shorewall/.restart restart 2> trace
>
> And look at the trace to see what is going wrong. If you can't see the
> problem, then please send me a copy of /var/lib/shorewall/.restart and
> the trace file and I will take a look.

Never mind -- I have reproduced the problem. While harmless, it is
annoying and I'll have to try to decide how to fix it.

-Tom

On Sat, 2012-01-07 at 07:44 -0800, Tom Eastep wrote:

> On Sat, 2012-01-07 at 07:33 -0800, Tom Eastep wrote:
>
> > >
> > After this happens, please:
> >
> > sh -x /var/lib/shorewall/.restart restart 2> trace
> >
> > And look at the trace to see what is going wrong. If you can't see the
> > problem, then please send me a copy of /var/lib/shorewall/.restart and
> > the trace file and I will take a look.
>
> Never mind -- I have reproduced the problem. While harmless, it is
> annoying and I'll have to try to decide how to fix it.

Here is a patch for lib.common.

patch /usr/share/shorewall/lib.common < ~/ECHO.patch

-Tom

> Here is a patch for lib.common.

Thanks Tom.

You sounded pretty pissed off over this issue: I'm sorry if I caused you
to feel that way. I have great respect for Shorewall and your support of
it: thank you for all your efforts in producing, maintaining and
supporting it.

Keith Edmunds

On Jan 7, 2012, at 12:05 PM, Keith Edmunds wrote:

>> Here is a patch for lib.common.
>
> Thanks Tom.
>
> You sounded pretty pissed off over this issue: I'm sorry if I caused you
> to feel that way. I have great respect for Shorewall and your support of
> it: thank you for all your efforts in producing, maintaining and
> supporting it.
>

Thanks, Keith. Please accept my apology for being short with you.

-Tom