While recent versions have minimised the network downtime that occurs
during a restart of shorewall (to a handful of seconds), there's still
a problem here: if I make a minor addition to the rules file, shorewall
clears out all the rules and reinserts them. Notably, it wipes and
reloads the nat table, which tends to dump all current natted
connections. My SIP users really hate this because it terminates their
calls every time somebody wants a new outbound hole poking in the
firewall.

The solution seems fairly simple: run 'iptables-save -t foo' first for
each table, cmp the output against what is due to be inserted, and skip
the whole table if it's unchanged. But I haven't thought about it very
carefully, so I may be missing something.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
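The skip-unchanged check proposed above, as an added example that is not code from the thread or from the shorewall project: it normalises an `iptables-save` dump of one table (comment lines and `[pkts:bytes]` counters removed) and compares it with the ruleset that is about to be loaded, which is assumed here to be available in iptables-restore format. The two nat-table dumps are constructed sample data; nothing in the script touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread or from the shorewall project.
# Normalise the iptables-save dump of one table and compare it with the
# ruleset about to be loaded (assumed to be in iptables-restore format),
# so a restart can leave an unchanged table alone. Sample dumps below are
# constructed; no iptables command is run.

# Drop iptables-save comment lines and the [pkts:bytes] counters (after
# chain policies, and before rules when -c was used) so only rules compare.
normalize_table() {
    sed -e '/^#/d' \
        -e 's/[[:space:]]*\[[0-9]*:[0-9]*\]$//' \
        -e 's/^\[[0-9]*:[0-9]*\][[:space:]]*//' "$1"
}

# table_changed CURRENT_DUMP DESIRED_RULES -> prints "changed" or "unchanged".
# On a real host CURRENT_DUMP would come from: iptables-save -t nat > file
table_changed() {
    cur=$(mktemp) ; want=$(mktemp)
    normalize_table "$1" > "$cur"
    normalize_table "$2" > "$want"
    if cmp -s "$cur" "$want"; then verdict=unchanged; else verdict=changed; fi
    rm -f "$cur" "$want"
    echo "$verdict"
}

# write_samples DIR: constructed nat-table dumps for the demonstration.
write_samples() {
    cat > "$1/current_nat" <<'EOF'
# Generated by iptables-save v1.3.8 on Thu Jan 31 10:00:00 2008
*nat
:PREROUTING ACCEPT [4821:301822]
:POSTROUTING ACCEPT [1390:92055]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp --dport 5060 -j DNAT --to-destination 10.0.0.5
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jan 31 10:00:00 2008
EOF
    # Same rules as currently loaded, fresh counters: this table can be skipped.
    cat > "$1/desired_same" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp --dport 5060 -j DNAT --to-destination 10.0.0.5
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
    # One rule added: this table really must be reloaded.
    cat > "$1/desired_new" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp --dport 5060 -j DNAT --to-destination 10.0.0.5
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.6
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Demonstration on the constructed data.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "same ruleset: $(table_changed "$demo_dir/current_nat" "$demo_dir/desired_same")"
echo "added rule:   $(table_changed "$demo_dir/current_nat" "$demo_dir/desired_new")"
rm -rf "$demo_dir"
```

The comparison is purely textual: rule order and option spelling have to match what iptables-save emits, so the "desired" side must be generated in the same canonical form, otherwise every table looks changed and the check buys nothing.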
Andrew Suffield wrote:
> While recent versions have minimised the network downtime that occurs
> during a restart of shorewall (to a handful of seconds), there's still
> a problem here: if I make a minor addition to the rules file,
> shorewall clears out all the rules and reinserts them. Notably, it
> wipes and reloads the nat table, which tends to dump all current
> natted connections.

Something else is going on in your case -- deleting and re-adding the
NAT rules has no effect on existing connections.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield
2008-Jan-31 18:55 UTC
Re: Minimising intrusiveness of restarting shorewall
On Thu, Jan 31, 2008 at 10:31:08AM -0800, Tom Eastep wrote:
> Andrew Suffield wrote:
>> While recent versions have minimised the network downtime that occurs
>> during a restart of shorewall (to a handful of seconds), there's still
>> a problem here: if I make a minor addition to the rules file,
>> shorewall clears out all the rules and reinserts them. Notably, it
>> wipes and reloads the nat table, which tends to dump all current
>> natted connections.
>
> Something else is going on in your case -- deleting and re-adding the
> NAT rules has no effect on existing connections.

I'm not completely sure, but I believe that a packet passing through
while the rules are removed is the trigger - it makes netfilter toss
the conntrack entry, which can't then be reestablished because it
doesn't know the port mapping any more.
Andrew Suffield wrote:
>
> I'm not completely sure, but I believe that a packet passing through
> while the rules are removed is the trigger - it makes netfilter toss
> the conntrack entry, which can't then be reestablished because it
> doesn't know the port mapping any more.

It may create new conntrack entries but it doesn't affect existing ones.

Only packets in the NEW state go through the nat table. Packets that are
part of an existing connection continue to flow.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield
2008-Jan-31 22:28 UTC
Re: Minimising intrusiveness of restarting shorewall
On Thu, Jan 31, 2008 at 01:33:17PM -0800, Tom Eastep wrote:
> Andrew Suffield wrote:
>>
>> I'm not completely sure, but I believe that a packet passing through
>> while the rules are removed is the trigger - it makes netfilter toss
>> the conntrack entry, which can't then be reestablished because it
>> doesn't know the port mapping any more.
>
> It may create new conntrack entries but it doesn't affect existing ones.
>
> Only packets in the NEW state go through the nat table. Packets that are
> part of an existing connection continue to flow.

Duh. I knew that, but had forgotten for some reason. I'll investigate
further, *something* is wiping out the conntrack table for me.
Andrew Suffield wrote:
>
> Duh. I knew that, but had forgotten for some reason. I'll investigate
> further, *something* is wiping out the conntrack table for me.
>

Is this a multi-ISP configuration?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield
2008-Feb-01 01:33 UTC
Re: Minimising intrusiveness of restarting shorewall
On Thu, Jan 31, 2008 at 05:30:43PM -0800, Tom Eastep wrote:
> Andrew Suffield wrote:
>>
>> Duh. I knew that, but had forgotten for some reason. I'll investigate
>> further, *something* is wiping out the conntrack table for me.
>>
>
> Is this a multi-ISP configuration?

No, just filtering and nat, nothing special. It is rather complex,
though, and it's always possible that I've done something stupid and
just never noticed before.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> No, just filtering and nat, nothing special. It is rather complex,
> though, and it's always possible that I've done something stupid and
> just never noticed before.

Is this snat or static nat? By default shorewall removes static nat
external ip's from the system and adds them again on restart. That
might cause conntrack entries to vanish.

- --
Tuomo Soini <tis@foobar.fi>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFHowoeTlrZKzwul1ERAkVfAKCzv+urRDWrzaVvxNHZRmLXlcV6DACeKVMN
i5HsvH5e/8o6dZKtXr0GgNc=
=SEvi
-----END PGP SIGNATURE-----
Tuomo Soini wrote:
>> No, just filtering and nat, nothing special. It is rather complex,
>> though, and it's always possible that I've done something stupid and
>> just never noticed before.
>
> Is this snat or static nat? By default shorewall removes static nat
> external ip's from the system and adds them again on restart. That
> might cause conntrack entries to vanish.

This is true if:

a) ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes
b) An address being used by the connection is added by one of these options.
c) RETAIN_ALIASES=No

If ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes, it is a good idea to set
RETAIN_ALIASES=Yes to avoid this problem.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
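A small configuration check for the conditions Tom lists, as an added example that is not code from the thread or from the shorewall project: it reads a shorewall.conf-style file and reports "at-risk" when ADD_IP_ALIASES or ADD_SNAT_ALIASES is Yes without RETAIN_ALIASES=Yes. It assumes an unset RETAIN_ALIASES behaves like No; condition (b), that a live connection actually uses one of the managed addresses, cannot be read from the config, so "at-risk" means the conntrack loss is possible, not certain. The three config excerpts are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the shorewall project.
# Flags shorewall.conf settings under which a restart removes and re-adds
# IP aliases (ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes, and RETAIN_ALIASES
# not Yes). Assumption: an unset RETAIN_ALIASES is treated as No.
# The config excerpts below are constructed.

# conf_value FILE KEY -> last value of KEY with quotes and trailing
# comments stripped, lower-cased so that Yes/yes/YES compare alike.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 \
        | sed -e 's/#.*//' -e 's/"//g' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]'
}

# alias_check FILE -> prints "at-risk" or "ok"
alias_check() {
    add_ip=$(conf_value "$1" ADD_IP_ALIASES)
    add_snat=$(conf_value "$1" ADD_SNAT_ALIASES)
    retain=$(conf_value "$1" RETAIN_ALIASES)
    if [ "$add_ip" = yes ] || [ "$add_snat" = yes ]; then
        # shorewall manages addresses; only RETAIN_ALIASES=Yes keeps them
        if [ "$retain" != yes ]; then
            echo at-risk
            return 0
        fi
    fi
    echo ok
}

# write_conf_samples DIR: three constructed shorewall.conf excerpts.
write_conf_samples() {
    cat > "$1/risky.conf" <<'EOF'
# constructed excerpt: aliases managed by shorewall and not retained
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
EOF
    cat > "$1/fixed.conf" <<'EOF'
# constructed excerpt: same setup with the setting Tom recommends
ADD_IP_ALIASES="Yes"   # quoted form is accepted too
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=Yes
EOF
    cat > "$1/noalias.conf" <<'EOF'
# constructed excerpt: shorewall does not manage addresses at all
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
EOF
}

# Demonstration on the constructed excerpts.
demo_dir=$(mktemp -d)
write_conf_samples "$demo_dir"
for f in risky fixed noalias; do
    echo "$f.conf: $(alias_check "$demo_dir/$f.conf")"
done
rm -rf "$demo_dir"
```

Run it against the real file with `alias_check /etc/shorewall/shorewall.conf`; an "at-risk" result is the cue to set RETAIN_ALIASES=Yes before the next restart.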