hello all,

Let me start off by thanking Tom for a great product. I have been using Shorewall for a long time now.

I have a small issue that is complicating my IPv6 setup: when Linux is configured as a router it does not by default accept router advertisements when forwarding is enabled. That can be enabled on more recent kernels by setting /proc/sys/net/ipv6/conf/$INTERFACE/accept_ra to 2.

Tom, would it be possible to add an option in the interfaces file that sets this on the interface? Adding an option accept_ra=x would allow setting it. This would be quite similar to setting the forwarding there.

From the kernel documentation:

    accept_ra - INTEGER
        Accept Router Advertisements; autoconfigure using them.

        It also determines whether or not to transmit Router
        Solicitations. If and only if the functional setting is to
        accept Router Advertisements, Router Solicitations will be
        transmitted.

        Possible values are:
            0 Do not accept Router Advertisements.
            1 Accept Router Advertisements if forwarding is disabled.
            2 Overrule forwarding behaviour. Accept Router Advertisements
              even if forwarding is enabled.

        Functional default: enabled if local forwarding is disabled
                            disabled if local forwarding is enabled.

Judging by the purpose of the variable it might be appropriate to add it as an option. It is somewhat similar to the forwarding option....

Thanks in advance for your feedback

Kind regards,
Louis
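As an added example (not code from this thread, from Shorewall or from the kernel), the POSIX shell script below evaluates the accept_ra rule quoted above per interface and raises accept_ra from the default 1 to 2 only on interfaces that forward, which is the router case Louis describes. SYSCTL_ROOT, the function names and the constructed fake /proc tree are this example's own assumptions so it can be exercised offline; on a real host leave SYSCTL_ROOT empty and run as root.

```shell
#!/bin/sh
# Effective Router Advertisement handling per interface, computed from the
# kernel rule: accept_ra=0 never accepts, 1 accepts only while forwarding=0,
# 2 accepts regardless of forwarding. SYSCTL_ROOT (assumed, this example's
# own) is prepended to /proc so a constructed tree can stand in for the kernel.
SYSCTL_ROOT="${SYSCTL_ROOT:-}"

# read_ipv6_conf IFACE KEY -> prints net.ipv6.conf.IFACE.KEY, fails if absent
read_ipv6_conf() {
    cat "$SYSCTL_ROOT/proc/sys/net/ipv6/conf/$1/$2"
}

# ra_effective IFACE -> prints "accept" or "ignore"; exit 0 for accept,
# 1 for ignore, 2 if the interface or value cannot be read
ra_effective() {
    iface=$1
    fwd=$(read_ipv6_conf "$iface" forwarding) || return 2
    ra=$(read_ipv6_conf "$iface" accept_ra) || return 2
    case "$ra" in
        0) echo ignore; return 1 ;;
        1) if [ "$fwd" -eq 0 ]; then echo accept; return 0; fi
           echo ignore; return 1 ;;
        2) echo accept; return 0 ;;
        *) echo "$iface: unknown accept_ra value '$ra'" >&2; return 2 ;;
    esac
}

# router_ra_fix IFACE -> set accept_ra=2 only where forwarding is on and RAs
# are being ignored because accept_ra is still at its default of 1; an
# explicit 0 is an administrator's choice and is left alone
router_ra_fix() {
    iface=$1
    fwd=$(read_ipv6_conf "$iface" forwarding) || return 2
    ra=$(read_ipv6_conf "$iface" accept_ra) || return 2
    if [ "$fwd" -ne 0 ] && [ "$ra" -eq 1 ]; then
        printf '2\n' > "$SYSCTL_ROOT/proc/sys/net/ipv6/conf/$iface/accept_ra"
        echo "$iface: accept_ra 1 -> 2 (forwarding router, RAs now accepted)"
    else
        echo "$iface: unchanged (forwarding=$fwd accept_ra=$ra)"
    fi
}

# make_fake_tree ROOT IFACE FORWARDING ACCEPT_RA -> constructed stand-in for
# /proc/sys/net/ipv6/conf (demonstration data, not a real system)
make_fake_tree() {
    root=$1; iface=$2; fwd=$3; ra=$4
    mkdir -p "$root/proc/sys/net/ipv6/conf/$iface"
    printf '%s\n' "$fwd" > "$root/proc/sys/net/ipv6/conf/$iface/forwarding"
    printf '%s\n' "$ra" > "$root/proc/sys/net/ipv6/conf/$iface/accept_ra"
}

# demo: a forwarding router at the kernel default next to a plain host
demo() {
    tmp=$(mktemp -d)
    SYSCTL_ROOT="$tmp"
    make_fake_tree "$tmp" eth0 1 1   # router, default accept_ra: RAs ignored
    make_fake_tree "$tmp" eth1 0 1   # host, default accept_ra: RAs accepted
    for i in eth0 eth1; do
        printf '%s before: %s\n' "$i" "$(ra_effective "$i")"
    done
    router_ra_fix eth0
    router_ra_fix eth1
    printf 'eth0 after: %s\n' "$(ra_effective eth0)"
    rm -rf "$tmp"
}

if [ "${1:-}" = --demo ]; then demo; fi
```

Run with `--demo` to see the constructed router flip from ignore to accept while the host is left untouched.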
On 03/30/2013 02:55 PM, Louis Lagendijk wrote:
> hello all,
> Let me start off by thanking Tom for a great product. I have been using
> Shorewall for a long time now.
>
> I have a small issue that is complicating my IPv6 setup: when Linux is
> configured as a router it does not by default accept router advertisements
> when forwarding is enabled. That can be enabled on more recent kernels by
> setting /proc/sys/net/ipv6/conf/$INTERFACE/accept_ra to 2.
>
> Tom, would it be possible to add an option in the interfaces file that sets
> this on the interface? Adding an option accept_ra=x would allow setting it.
> This would be quite similar to setting the forwarding there.
>
> From the kernel documentation:
> accept_ra - INTEGER
>     Accept Router Advertisements; autoconfigure using them.
>
>     It also determines whether or not to transmit Router
>     Solicitations. If and only if the functional setting is to
>     accept Router Advertisements, Router Solicitations will be
>     transmitted.
>
>     Possible values are:
>         0 Do not accept Router Advertisements.
>         1 Accept Router Advertisements if forwarding is disabled.
>         2 Overrule forwarding behaviour. Accept Router Advertisements
>           even if forwarding is enabled.
>
>     Functional default: enabled if local forwarding is disabled
>                         disabled if local forwarding is enabled.
>
> Judging by the purpose of the variable it might be appropriate to add it
> as an option. It is somewhat similar to the forwarding option....
> Thanks in advance for your feedback

Hi Louis,

I will be happy to add it in 4.5.16.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sat, 2013-03-30 at 15:00 -0700, Tom Eastep wrote:
>>     It also determines whether or not to transmit Router
>>     Solicitations. If and only if the functional setting is to
>>     accept Router Advertisements, Router Solicitations will be
>>     transmitted.
>>
>>     Possible values are:
>>         0 Do not accept Router Advertisements.
>>         1 Accept Router Advertisements if forwarding is disabled.
>>         2 Overrule forwarding behaviour. Accept Router Advertisements
>>           even if forwarding is enabled.
>>
>>     Functional default: enabled if local forwarding is disabled
>>                         disabled if local forwarding is enabled.
>>
>> Judging by the purpose of the variable it might be appropriate to add it
>> as an option. It is somewhat similar to the forwarding option....
>> Thanks in advance for your feedback
>

hello Tom,

The accept_ra option works as expected.

I do have a problem with shorewall-init. With

    PRODUCTS="shorewall"
    #
    # Set this to 1 if you want Shorewall-init to react to
    # ifup/ifdown and NetworkManager events
    #
    IFUPDOWN=1
    #

in the config file, I get the following (after a long timeout):

    [root@nest sbin]# ifdown eth0.160
    lockfile: Sorry, giving up on "/var/lib/shorewall/lock"
    Shorewall down triggered by eth0.160
    Attempting disable on interface eth0.160
    ERROR: Interface eth0.160 is already disabled: Firewall state not changed
    /sbin/ifdown-local: line 189: 11977 Terminated              ${VARDIR}/firewall -V0 $COMMAND $INTERFACE
    /sbin/ifdown-local: line 198: echo_notdone: command not found
    [root@nest sbin]#

(eth0.160 is one of my vlan interfaces). How can I debug the firewall script to see where it hangs?

The tricky part is that if I issue the firewall command manually, it kind of works right away:

    Shorewall down triggered by eth0.160
    Attempting disable on interface eth0.160
    ERROR: Interface eth0.160 is already disabled: Firewall state not changed
    Terminated
    [root@nest sbin]# /var/lib/shorewall/firewall up eth0.160
    WARNING: Stale lockfile /var/lib/shorewall/lock from pid 13011 removed
    Shorewall up triggered by eth0.160
    Attempting enable on interface eth0.160
    [root@nest sbin]# /var/lib/shorewall/firewall down eth0.160
    Shorewall down triggered by eth0.160
    Attempting disable on interface eth0.160
    ERROR: Interface eth0.160 is already disabled: Firewall state not changed
    Terminated

And the second question: where is the echo_notdone that is used in the ifup/down local scripts supposed to be defined? (I am using CentOS6)

Thanks for your kind help

Kind regards,
Louis
On 04/11/2013 02:25 PM, Louis Lagendijk wrote:
> On Sat, 2013-03-30 at 15:00 -0700, Tom Eastep wrote:
> hello Tom,
> The accept_ra option works as expected.
> I do have a problem with shorewall-init. With
> PRODUCTS="shorewall"
>
> And the second question:
> where is the echo_notdone that is used in the ifup/down local scripts
> supposed to be defined? (I am using CentOS6)
>

How did you install Shorewall-init?

-Tom
On Thu, 2013-04-11 at 14:33 -0700, Tom Eastep wrote:
> On 04/11/2013 02:25 PM, Louis Lagendijk wrote:
> > On Sat, 2013-03-30 at 15:00 -0700, Tom Eastep wrote:
> > hello Tom,
> > The accept_ra option works as expected.
> > I do have a problem with shorewall-init. With
> > PRODUCTS="shorewall"
> >
> > And the second question:
> > where is the echo_notdone that is used in the ifup/down local scripts
> > supposed to be defined? (I am using CentOS6)
> >
>
> How did you install Shorewall-init?

I used Simon Matter's rpm, but rebuilt it with the 4.5.16 Beta 2 sources. I actually noticed the problem before, with the EPEL (4.5.4?) version I used previously.

Louis
On 04/11/2013 02:45 PM, Louis Lagendijk wrote:
> On Thu, 2013-04-11 at 14:33 -0700, Tom Eastep wrote:
>> On 04/11/2013 02:25 PM, Louis Lagendijk wrote:
>>> On Sat, 2013-03-30 at 15:00 -0700, Tom Eastep wrote:
>>
>>> hello Tom,
>>> The accept_ra option works as expected.
>>> I do have a problem with shorewall-init. With
>>> PRODUCTS="shorewall"
>>
>>>
>>> And the second question:
>>> where is the echo_notdone that is used in the ifup/down local scripts
>>> supposed to be defined? (I am using CentOS6)
>>>
>>
>> How did you install Shorewall-init?
> I used Simon Matter's rpm, but rebuilt it with the 4.5.16 Beta 2
> sources. I actually noticed the problem before, with the EPEL
> (4.5.4?) version I used previously.
>

Which CentOS version?

-Tom
On 04/11/2013 02:45 PM, Louis Lagendijk wrote:
> On Thu, 2013-04-11 at 14:33 -0700, Tom Eastep wrote:
>> On 04/11/2013 02:25 PM, Louis Lagendijk wrote:
>>> On Sat, 2013-03-30 at 15:00 -0700, Tom Eastep wrote:
>>
>>> hello Tom,
>>> The accept_ra option works as expected.
>>> I do have a problem with shorewall-init. With
>>> PRODUCTS="shorewall"
>>
>>>
>>> And the second question:
>>> where is the echo_notdone that is used in the ifup/down local scripts
>>> supposed to be defined? (I am using CentOS6)
>>>
>>
>> How did you install Shorewall-init?
> I used Simon Matter's rpm, but rebuilt it with the 4.5.16 Beta 2
> sources. I actually noticed the problem before, with the EPEL
> (4.5.4?) version I used previously.

There is no call to echo_notdone in the ifup/down scripts. In fact, on my Fedora installation, there is no call to if_updown in any of the installed shorewall-init components.

-Tom
On 04/11/2013 02:57 PM, Tom Eastep wrote:
> On 04/11/2013 02:45 PM, Louis Lagendijk wrote:
>> On Thu, 2013-04-11 at 14:33 -0700, Tom Eastep wrote:
>>> On 04/11/2013 02:25 PM, Louis Lagendijk wrote:
>>>> On Sat, 2013-03-30 at 15:00 -0700, Tom Eastep wrote:
>>>
>>>> hello Tom,
>>>> The accept_ra option works as expected.
>>>> I do have a problem with shorewall-init. With
>>>> PRODUCTS="shorewall"
>>>
>>>>
>>>> And the second question:
>>>> where is the echo_notdone that is used in the ifup/down local scripts
>>>> supposed to be defined? (I am using CentOS6)
>>>>
>>>
>>> How did you install Shorewall-init?
>> I used Simon Matter's rpm, but rebuilt it with the 4.5.16 Beta 2
>> sources. I actually noticed the problem before, with the EPEL
>> (4.5.4?) version I used previously.
>
> There is no call to echo_notdone in the ifup/down scripts. In fact, on
> my Fedora installation, there is no call to if_updown in any of the
> installed shorewall-init components.

Make that ...call to echo_notdone....

-Tom
On Thu, 2013-04-11 at 15:02 -0700, Tom Eastep wrote:
> On 04/11/2013 02:57 PM, Tom Eastep wrote:
> > On 04/11/2013 02:45 PM, Louis Lagendijk wrote:
> >> On Thu, 2013-04-11 at 14:33 -0700, Tom Eastep wrote:
> >>> On 04/11/2013 02:25 PM, Louis Lagendijk wrote:
> >>>> On Sat, 2013-03-30 at 15:00 -0700, Tom Eastep wrote:
> >>>
> >>>> hello Tom,
> >>>> The accept_ra option works as expected.
> >>>> I do have a problem with shorewall-init. With
> >>>> PRODUCTS="shorewall"
> >>>
> >>>>
> >>>> And the second question:
> >>>> where is the echo_notdone that is used in the ifup/down local scripts
> >>>> supposed to be defined? (I am using CentOS6)
> >>>>
> >>>
> >>> How did you install Shorewall-init?
> >> I used Simon Matter's rpm, but rebuilt it with the 4.5.16 Beta 2
> >> sources. I actually noticed the problem before, with the EPEL
> >> (4.5.4?) version I used previously.
> >
> > There is no call to echo_notdone in the ifup/down scripts. In fact, on
> > my Fedora installation, there is no call to if_updown in any of the
> > installed shorewall-init components.
>
> Make that ...call to echo_notdone....

My bad: even that rpm did not install the ifup-local / ifdown-local scripts. I must have messed that up already with the epel (=fedora) packages on the original install. I now copied the new versions and the network restart works (but apparently still does not reset the firewall, as a shorewall restart fixes it again; but that is for tomorrow).

Thanks for the hints Tom! Your very quick responses are much appreciated.

Kind regards,
Louis
hello Tom,

After playing with shorewall-init a bit more, I have some more issues:

1) shorewall6: accept_ra does not get restored when the network is restarted. A shorewall restart fixes that. I would have expected ifup-local to perform the same settings as a shorewall restart does. Am I missing something?
I have traced the problem to interface_is_usable() in the firewall script: it uses find_first_interface_address_if_any(), which returns no address, as none is assigned yet: the interface needs a router advertisement to get one. All interfaces on my machine have that problem as I am using the wide dhcpv6 client to retrieve a prefix delegation from the modem on the interface that has accept_ra set. Would it be possible to remove the test for the interface address?
Again, a shorewall restart works ok.

2) shorewall: I have net.ipv4.ip_forward = 0 in sysctl.conf. Shorewall-init does not set the forwarding per interface as shorewall restart does. Do you have any idea what might cause this?

Is this another mistake in my configuration like the goofup I had yesterday?

Kind regards,
Louis
On 4/12/13 2:22 PM, "Louis Lagendijk" <louis@fazant.net> wrote:

>
> hello Tom,
> After playing with shorewall-init a bit more, I have some more issues:
>
> 1) shorewall6: accept_ra does not get restored when the network is
> restarted. A shorewall restart fixes that. I would have expected
> ifup-local to perform the same settings as a shorewall restart does. Am
> I missing something?
> I have traced the problem to interface_is_usable() in the firewall script:
> it uses find_first_interface_address_if_any(), which returns no address,
> as none is assigned yet: the interface needs a router advertisement to get
> one. All interfaces on my machine have that problem as I am using the wide
> dhcpv6 client to retrieve a prefix delegation from the modem on the
> interface that has accept_ra set. Would it be possible to remove
> the test for the interface address?

That same code gets executed during start/restart. Look at the function detect_configuration() in the generated firewall script; that gets called for start/restart and for enable. So I don't believe that is the root cause of your problem.

>
> Again, a shorewall restart works ok.
>
> 2) shorewall: I have net.ipv4.ip_forward = 0
> in sysctl.conf. Shorewall-init does not set the forwarding per interface
> as shorewall restart does. Do you have any idea what might cause this?
>
> Is this another mistake in my configuration like the goofup I had
> yesterday?

Shorewall (ipv4) does not set the per-interface forwarding flag in any command.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
On Sat, 2013-04-13 at 07:05 -0700, Tom Eastep wrote:
> On 4/12/13 2:22 PM, "Louis Lagendijk" <louis@fazant.net> wrote:
>
> >
> > hello Tom,
> > After playing with shorewall-init a bit more, I have some more issues:
> >
> > 1) shorewall6: accept_ra does not get restored when the network is
> > restarted. A shorewall restart fixes that. I would have expected
> > ifup-local to perform the same settings as a shorewall restart does. Am
> > I missing something?
> > I have traced the problem to interface_is_usable() in the firewall script:
> > it uses find_first_interface_address_if_any(), which returns no address,
> > as none is assigned yet: the interface needs a router advertisement to get
> > one. All interfaces on my machine have that problem as I am using the wide
> > dhcpv6 client to retrieve a prefix delegation from the modem on the
> > interface that has accept_ra set. Would it be possible to remove
> > the test for the interface address?
>
> That same code gets executed during start/restart. Look at the function
> detect_configuration() in the generated firewall script; that gets called
> for start/restart and for enable. So I don't believe that is the root
> cause of your problem.

Thanks for the pointer Tom. What happens at a shorewall start (for firewall start) is that define_firewall gets called, which sets the forwarding and accept_ra unconditionally. Function define_firewall() gets called at an "up" event ONLY when the firewall was not started before (from updown()). In case of an "up" event when the firewall is started, we then check for a non-link-local address being defined (which is not the case) and we skip the setting of the forward and accept_ra proc/sys variables....

I am not sure what to suggest, but there is some inconsistency here that does cause forwarding and accept_ra not to be set in case of an "up" event (if the firewall is not started before) and just (re)starting the firewall.

Another question that is just about consistency but does not affect operation: what is the reason that accept_ra is set from setup_common_rules() while forwarding is set from the body of define_firewall()? Just curious....

Thanks for your kind help

Louis
On 04/15/2013 10:47 AM, Louis Lagendijk wrote:
> On Sat, 2013-04-13 at 07:05 -0700, Tom Eastep wrote:
>> On 4/12/13 2:22 PM, "Louis Lagendijk" <louis@fazant.net> wrote:
>>
>>>
>>> hello Tom,
>>> After playing with shorewall-init a bit more, I have some more issues:
>>>
>>> 1) shorewall6: accept_ra does not get restored when the network is
>>> restarted. A shorewall restart fixes that. I would have expected
>>> ifup-local to perform the same settings as a shorewall restart does. Am
>>> I missing something?
>>> I have traced the problem to interface_is_usable() in the firewall script:
>>> it uses find_first_interface_address_if_any(), which returns no address,
>>> as none is assigned yet: the interface needs a router advertisement to get
>>> one. All interfaces on my machine have that problem as I am using the wide
>>> dhcpv6 client to retrieve a prefix delegation from the modem on the
>>> interface that has accept_ra set. Would it be possible to remove
>>> the test for the interface address?
>>
>> That same code gets executed during start/restart. Look at the function
>> detect_configuration() in the generated firewall script; that gets called
>> for start/restart and for enable. So I don't believe that is the root
>> cause of your problem.
>
> Thanks for the pointer Tom. What happens at a shorewall start (for
> firewall start) is that define_firewall gets called, which sets the
> forwarding and accept_ra unconditionally. Function define_firewall() gets
> called at an "up" event ONLY when the firewall was not started before
> (from updown()). In case of an "up" event when the firewall is
> started, we then check for a non-link-local address being defined (which
> is not the case) and we skip the setting of the forward and accept_ra
> proc/sys variables....
>
> I am not sure what to suggest, but there is some
> inconsistency here that does cause forwarding and accept_ra not to be
> set in case of an "up" event (if the firewall is not started before) and
> just (re)starting the firewall.

Are you using entries in /etc/shorewall6/providers or are you just defining these interfaces to be 'optional' in /etc/shorewall6/interfaces?

>
> Another question that is just about consistency but does not affect
> operation: what is the reason that accept_ra is set from
> setup_common_rules() while forwarding is set from the body of
> define_firewall()? Just curious....

They are handled in different functions for historical reasons and the two functions are called at different points in the start flow.

Regards,
-Tom
On Mon, 2013-04-15 at 11:04 -0700, Tom Eastep wrote:
> On 04/15/2013 10:47 AM, Louis Lagendijk wrote:
> > On Sat, 2013-04-13 at 07:05 -0700, Tom Eastep wrote:
> >> On 4/12/13 2:22 PM, "Louis Lagendijk" <louis@fazant.net> wrote:
> >>
> >>>
> >>> hello Tom,
> >>> After playing with shorewall-init a bit more, I have some more issues:
> >>>
> >>> 1) shorewall6: accept_ra does not get restored when the network is
> >>> restarted. A shorewall restart fixes that. I would have expected
> >>> ifup-local to perform the same settings as a shorewall restart does. Am
> >>> I missing something?
> >>> I have traced the problem to interface_is_usable() in the firewall script:
> >>> it uses find_first_interface_address_if_any(), which returns no address,
> >>> as none is assigned yet: the interface needs a router advertisement to get
> >>> one. All interfaces on my machine have that problem as I am using the wide
> >>> dhcpv6 client to retrieve a prefix delegation from the modem on the
> >>> interface that has accept_ra set. Would it be possible to remove
> >>> the test for the interface address?
> >>
> >> That same code gets executed during start/restart. Look at the function
> >> detect_configuration() in the generated firewall script; that gets called
> >> for start/restart and for enable. So I don't believe that is the root
> >> cause of your problem.
> >
> > Thanks for the pointer Tom. What happens at a shorewall start (for
> > firewall start) is that define_firewall gets called, which sets the
> > forwarding and accept_ra unconditionally. Function define_firewall() gets
> > called at an "up" event ONLY when the firewall was not started before
> > (from updown()). In case of an "up" event when the firewall is
> > started, we then check for a non-link-local address being defined (which
> > is not the case) and we skip the setting of the forward and accept_ra
> > proc/sys variables....
> >
> > I am not sure what to suggest, but there is some
> > inconsistency here that does cause forwarding and accept_ra not to be
> > set in case of an "up" event (if the firewall is not started before) and
> > just (re)starting the firewall.
>
> Are you using entries in /etc/shorewall6/providers or are you just
> defining these interfaces to be 'optional' in /etc/shorewall6/interfaces?
>

I am using /etc/shorewall/interfaces, as I have only one provider: my ISP via my VDSL modem that does prefix delegation and route advertisements.
What I have is a fairly simple setup.

Thanks for your (as usual) amazingly fast response.

Kind regards,
Louis
On 04/15/2013 11:11 AM, Louis Lagendijk wrote:
> On Mon, 2013-04-15 at 11:04 -0700, Tom Eastep wrote:
>> On 04/15/2013 10:47 AM, Louis Lagendijk wrote:
>>> On Sat, 2013-04-13 at 07:05 -0700, Tom Eastep wrote:
>>>> On 4/12/13 2:22 PM, "Louis Lagendijk" <louis@fazant.net> wrote:
>>>>
>>>>>
>>>>> hello Tom,
>>>>> After playing with shorewall-init a bit more, I have some more issues:
>>>>>
>>>>> 1) shorewall6: accept_ra does not get restored when the network is
>>>>> restarted. A shorewall restart fixes that. I would have expected
>>>>> ifup-local to perform the same settings as a shorewall restart does. Am
>>>>> I missing something?
>>>>> I have traced the problem to interface_is_usable() in the firewall script:
>>>>> it uses find_first_interface_address_if_any(), which returns no address,
>>>>> as none is assigned yet: the interface needs a router advertisement to get
>>>>> one. All interfaces on my machine have that problem as I am using the wide
>>>>> dhcpv6 client to retrieve a prefix delegation from the modem on the
>>>>> interface that has accept_ra set. Would it be possible to remove
>>>>> the test for the interface address?
>>>>
>>>> That same code gets executed during start/restart. Look at the function
>>>> detect_configuration() in the generated firewall script; that gets called
>>>> for start/restart and for enable. So I don't believe that is the root
>>>> cause of your problem.
>>>
>>> Thanks for the pointer Tom. What happens at a shorewall start (for
>>> firewall start) is that define_firewall gets called, which sets the
>>> forwarding and accept_ra unconditionally. Function define_firewall() gets
>>> called at an "up" event ONLY when the firewall was not started before
>>> (from updown()). In case of an "up" event when the firewall is
>>> started, we then check for a non-link-local address being defined (which
>>> is not the case) and we skip the setting of the forward and accept_ra
>>> proc/sys variables....
>>>
>>> I am not sure what to suggest, but there is some
>>> inconsistency here that does cause forwarding and accept_ra not to be
>>> set in case of an "up" event (if the firewall is not started before) and
>>> just (re)starting the firewall.
>>
>> Are you using entries in /etc/shorewall6/providers or are you just
>> defining these interfaces to be 'optional' in /etc/shorewall6/interfaces?
>>
> I am using /etc/shorewall/interfaces, as I have only one provider: my
> ISP via my VDSL modem that does prefix delegation and route
> advertisements.
> What I have is a fairly simple setup.
>

But you need to define the interfaces as 'optional'?

-Tom
On Mon, 2013-04-15 at 11:39 -0700, Tom Eastep wrote:
> On 04/15/2013 11:11 AM, Louis Lagendijk wrote:
> > On Mon, 2013-04-15 at 11:04 -0700, Tom Eastep wrote:
> >> On 04/15/2013 10:47 AM, Louis Lagendijk wrote:
> >>> On Sat, 2013-04-13 at 07:05 -0700, Tom Eastep wrote:
> >>>> On 4/12/13 2:22 PM, "Louis Lagendijk" <louis@fazant.net> wrote:
> >>>>
> >>>>>
> >>>>> hello Tom,
> >>>>> After playing with shorewall-init a bit more, I have some more issues:
> >>>>>
> >>>>> 1) shorewall6: accept_ra does not get restored when the network is
> >>>>> restarted. A shorewall restart fixes that. I would have expected
> >>>>> ifup-local to perform the same settings as a shorewall restart does. Am
> >>>>> I missing something?
> >>>>> I have traced the problem to interface_is_usable() in the firewall script:
> >>>>> it uses find_first_interface_address_if_any(), which returns no address,
> >>>>> as none is assigned yet: the interface needs a router advertisement to get
> >>>>> one. All interfaces on my machine have that problem as I am using the wide
> >>>>> dhcpv6 client to retrieve a prefix delegation from the modem on the
> >>>>> interface that has accept_ra set. Would it be possible to remove
> >>>>> the test for the interface address?
> >>>>
> >>>> That same code gets executed during start/restart. Look at the function
> >>>> detect_configuration() in the generated firewall script; that gets called
> >>>> for start/restart and for enable. So I don't believe that is the root
> >>>> cause of your problem.
> >>>
> >>> Thanks for the pointer Tom. What happens at a shorewall start (for
> >>> firewall start) is that define_firewall gets called, which sets the
> >>> forwarding and accept_ra unconditionally. Function define_firewall() gets
> >>> called at an "up" event ONLY when the firewall was not started before
> >>> (from updown()). In case of an "up" event when the firewall is
> >>> started, we then check for a non-link-local address being defined (which
> >>> is not the case) and we skip the setting of the forward and accept_ra
> >>> proc/sys variables.... I am not sure what to suggest, but there is some
> >>> inconsistency here that does cause forwarding and accept_ra not to be
> >>> set in case of an "up" event (if the firewall is not started before) and
> >>> just (re)starting the firewall.
> >>
> >> Are you using entries in /etc/shorewall6/providers or are you just
> >> defining these interfaces to be 'optional' in /etc/shorewall6/interfaces?
> >>
> > I am using /etc/shorewall/interfaces, as I have only one provider: my
> > ISP via my VDSL modem that does prefix delegation and route
> > advertisements.
> > What I have is a fairly simple setup.
> >
>
> But you need to define the interfaces as 'optional'?

Ah, removing the optional does the trick: interfaces that have accept_ra set shall not be marked optional nor required (the latter causes problems starting the firewall at all).

Thanks for the help Tom!

Kind regards,
Louis