I've decided to make a clean break as the AUTOMAKE thread was getting a
bit off-topic. These are my findings so far:

1. During boot, when the OS is bringing my loopback interface up I am
getting the following messages:

Bringing up loopback interface: SIOCADDRT: Network is unreachable
SIOCADDRT: Network is unreachable

This started happening since my shorewall-init installation. Looking at
the logs, there isn't anything there which points to something being
wrong. I do have 3 separate lo:{1,2,3} "devices" though - don't know if
that is causing the ifupdown to moan. The relevant messages I am getting
are:

2013-05-05 17:05:45+01:00 /usr/sbin/ifup-local: Executing /var/lib//shorewall/firewall -V0 up lo
Shorewall up triggered by lo
Shorewall attempting start
ERROR: Can't determine the IP address of eth0: Firewall state not changed
/var/lib//shorewall/firewall: line 1079: kill: (748) - No such process
ERROR: Required interface eth0 not available: Firewall state not changed
/var/lib//shorewall/firewall: line 1079: kill: (748) - No such process

2. During a system-triggered 'up' event, I get this:
cp: `/var/lib/shorewall/firewall' and `/var/lib/shorewall/firewall' are the same file

3. /etc/shorewall changes are not detected by shorewall when running
together with shorewall-init. This happens when the following sequence
is executed:
   1. changing shorewall.conf (or anything in /etc/shorewall)
   2. reboot
   3. OS eth0 brought up -> ifup-local triggers and it starts shorewall
      by executing the firewall file in /var/lib/shorewall
   4. the shorewall service isn't starting as it determines that
      shorewall is already running
Maybe a solution to this would be for shorewall-init to run something
like "shorewall check-updated" to see whether anything in /etc/shorewall
has been changed and, if so, to execute "shorewall compile".

4. shorewall-init sysv script errors and additions - see patch attached.
I've also added a few things which I found useful.
On 05/05/2013 10:17 AM, Dash Four wrote:
> I've decided to make a clean break as the AUTOMAKE thread was getting a
> bit off-topic. These are my findings so far:
>
> 1. During boot, when the OS is bringing my loopback interface up I am
> getting the following messages:
>
> Bringing up loopback interface: SIOCADDRT: Network is unreachable
> SIOCADDRT: Network is unreachable
>
> This started happening since my shorewall-init installation. Looking at
> the logs, there isn't anything there which points to something being
> wrong. I do have 3 separate lo:{1,2,3} "devices" though - don't know if
> that is causing the ifupdown to moan. The relevant messages I am getting
> are:
>
> 2013-05-05 17:05:45+01:00 /usr/sbin/ifup-local: Executing
> /var/lib//shorewall/firewall -V0 up lo
> Shorewall up triggered by lo
> Shorewall attempting start
> ERROR: Can't determine the IP address of eth0: Firewall state not changed
> /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process
> ERROR: Required interface eth0 not available: Firewall state not changed
> /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process

Why don't you simply specify 'ignore' on the lo devices? That is what
'ignore' was invented for.

> 2. during system-triggered 'up' event, I get this:
> cp: `/var/lib/shorewall/firewall' and `/var/lib/shorewall/firewall' are
> the same file

The attached pair of patches should correct that problem.

> 3. /etc/shorewall changes not detected by shorewall when running
> together with shorewall-init.

That's intentional. If you want Shorewall-init to use updated files, then
you must issue a 'shorewall compile' command. Imagine the chaos if you
were in the middle of updating your config and suddenly Shorewall-init
compiled whatever the current state of the config was and tried to run it.

> 4. shorewall-init sysv script errors and additions - see patch attached.
> I've also added a few things which I found useful.

I'll take a look - Thanks.
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> On 05/05/2013 10:17 AM, Dash Four wrote:
>> I've decided to make a clean break as the AUTOMAKE thread was getting a
>> bit off-topic. These are my findings so far:
>>
>> 1. During boot, when the OS is bringing my loopback interface up I am
>> getting the following messages:
>>
>> Bringing up loopback interface: SIOCADDRT: Network is unreachable
>> SIOCADDRT: Network is unreachable
>>
>> This started happening since my shorewall-init installation. Looking at
>> the logs, there isn't anything there which points to something being
>> wrong. I do have 3 separate lo:{1,2,3} "devices" though - don't know if
>> that is causing the ifupdown to moan. The relevant messages I am getting
>> are:
>>
>> 2013-05-05 17:05:45+01:00 /usr/sbin/ifup-local: Executing
>> /var/lib//shorewall/firewall -V0 up lo
>> Shorewall up triggered by lo
>> Shorewall attempting start
>> ERROR: Can't determine the IP address of eth0: Firewall state not changed
>> /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process
>> ERROR: Required interface eth0 not available: Firewall state not changed
>> /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process
>
> Why don't you simply specify 'ignore' on the lo devices? That is what
> 'ignore' was invented for.

No, I can't do that - lo is 'required' as I have stuff which depends on
it, so this device must be up when the system starts. What is rather
baffling is the message I am getting. Could this be fixed?

>> 2. during system-triggered 'up' event, I get this:
>> cp: `/var/lib/shorewall/firewall' and `/var/lib/shorewall/firewall' are
>> the same file
>
> The attached pair of patches should correct that problem.

I'll have a chance to test this in the coming days, thanks Tom.

>> 3. /etc/shorewall changes not detected by shorewall when running
>> together with shorewall-init.
>
> That's intentional. If you want Shorewall-init to use updated files,
> then you must issue a 'shorewall compile' command. Imagine the chaos if
> you were in the middle of updating your config and suddenly
> Shorewall-init compiled whatever the current state of the config was and
> tried to run it.

I see your point and it is a good one.

Perhaps another alternative could be implemented since the problem arises
only on reboot. Currently, I have shorewall-init as a service disabled,
simply because ifupdown-local usually takes care of everything. However,
if you implement "shorewall check-update" (or any other suitable
alternative) which produces a "yes/no" result when recompilation is
needed (even if it is through the exit code), then the shorewall-init
startup script/service could use that to see whether "shorewall compile"
needs to be executed (that would be in addition to the usual checks for
the "firewall" executable) and do so accordingly.

Since shorewall-init (as a service) usually starts before anything (even
before any of the network devices have been brought up), it can detect
whether changes were made and recompile the firewall file; ifupdown-local
then picks it up and - voila, job done. How's that?

>> 4. shorewall-init sysv script errors and additions - see patch attached.
>> I've also added a few things which I found useful.
>
> I'll take a look - Thanks.

Pleasure.
On 05/06/2013 10:15 AM, Dash Four wrote:
> Tom Eastep wrote:
>> On 05/05/2013 10:17 AM, Dash Four wrote:
>>> I've decided to make a clean break as the AUTOMAKE thread was getting a
>>> bit off-topic. These are my findings so far:
>>>
>>> 1. During boot, when the OS is bringing my loopback interface up I am
>>> getting the following messages:
>>>
>>> Bringing up loopback interface: SIOCADDRT: Network is unreachable
>>> SIOCADDRT: Network is unreachable
>>>
>>> This started happening since my shorewall-init installation. Looking at
>>> the logs, there isn't anything there which points to something being
>>> wrong. I do have 3 separate lo:{1,2,3} "devices" though - don't know if
>>> that is causing the ifupdown to moan. The relevant messages I am getting
>>> are:
>>>
>>> 2013-05-05 17:05:45+01:00 /usr/sbin/ifup-local: Executing
>>> /var/lib//shorewall/firewall -V0 up lo
>>> Shorewall up triggered by lo
>>> Shorewall attempting start
>>> ERROR: Can't determine the IP address of eth0: Firewall state not changed
>>> /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process
>>> ERROR: Required interface eth0 not available: Firewall state not changed
>>> /var/lib//shorewall/firewall: line 1079: kill: (748) - No such process
>>
>> Why don't you simply specify 'ignore' on the lo devices? That is what
>> 'ignore' was invented for.
>
> No, I can't do that - lo is 'required' as I have stuff which depends on
> it, so this device must be up when the system starts. What is rather
> baffling is the message I am getting. Could this be fixed?

I have no idea why it is happening.

>>> 3. /etc/shorewall changes not detected by shorewall when running
>>> together with shorewall-init.
>>
>> That's intentional. If you want Shorewall-init to use updated files,
>> then you must issue a 'shorewall compile' command. Imagine the chaos if
>> you were in the middle of updating your config and suddenly
>> Shorewall-init compiled whatever the current state of the config was and
>> tried to run it.
>
> I see your point and it is a good one.
>
> Perhaps another alternative could be implemented since the problem
> arises only on reboot. Currently, I have shorewall-init as a service
> disabled, simply because ifupdown-local usually takes care of
> everything. However, if you implement "shorewall check-update" (or any
> other suitable alternative) which produces a "yes/no" result when
> recompilation is needed (even if it is through the exit code), then the
> shorewall-init startup script/service could use that to see whether
> "shorewall compile" needs to be executed (that would be in addition to
> the usual checks for the "firewall" executable) and do so accordingly.
>
> Since shorewall-init (as a service) usually starts before anything (even
> before any of the network devices have been brought up), it can detect
> whether changes were made and recompile the firewall file; ifupdown-local
> then picks it up and - voila, job done. How's that?

That could be done. How about an option on the 'compile' command that
'compiles if needed'? That way, the SysV init scripts could
unconditionally compile with that option.

>>> 4. shorewall-init sysv script errors and additions - see patch attached.
>>> I've also added a few things which I found useful.
>>
>> I'll take a look - Thanks.
>
> Pleasure.

Applied.

-Tom
Tom Eastep wrote:
>> I see your point and it is a good one.
>>
>> Perhaps another alternative could be implemented since the problem
>> arises only on reboot. Currently, I have shorewall-init as a service
>> disabled, simply because ifupdown-local usually takes care of
>> everything. However, if you implement "shorewall check-update" (or any
>> other suitable alternative) which produces a "yes/no" result when
>> recompilation is needed (even if it is through the exit code), then the
>> shorewall-init startup script/service could use that to see whether
>> "shorewall compile" needs to be executed (that would be in addition to
>> the usual checks for the "firewall" executable) and do so accordingly.
>>
>> Since shorewall-init (as a service) usually starts before anything (even
>> before any of the network devices have been brought up), it can detect
>> whether changes were made and recompile the firewall file; ifupdown-local
>> then picks it up and - voila, job done. How's that?
>
> That could be done. How about an option on the 'compile' command that
> 'compiles if needed'? That way, the SysV init scripts could
> unconditionally compile with that option.

Nope, that won't do. The shorewall-init script checks for the existence
of "firewall" and, if present, it then starts an "unconditional" compile.
So, there must be, in my view, another command (I suggested "shorewall
check-update", but it could be anything suitable really) which precedes
that check, regardless of whether or not "firewall" exists and is
executable - another "if" statement branch. Something like this:

    retval=0
    product="${SBINDIR}/$PRODUCT $OPTIONS"
    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
        $product check-update   # or any other 'suitable' option
        retval=${PIPESTATUS[0]}
    fi
    if [ $retval -ne 0 ]; then
        # config directory has been updated, unconditional recompile
        $product compile
    elif [ ! -x "${STATEDIR}/firewall" ]; then
        if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
            $product compile
        fi
    fi

>>>> 4. shorewall-init sysv script errors and additions - see patch attached.
>>>> I've also added a few things which I found useful.
>>>
>>> I'll take a look - Thanks.
>>
>> Pleasure.
>
> Applied.

Thanks. I haven't looked at ifupdown-local, but I am sure that file could
be optimised as well...
On 05/06/2013 11:22 AM, Dash Four wrote:
> Tom Eastep wrote:
>>> I see your point and it is a good one.
>>>
>>> Perhaps another alternative could be implemented since the problem
>>> arises only on reboot. Currently, I have shorewall-init as a service
>>> disabled, simply because ifupdown-local usually takes care of
>>> everything. However, if you implement "shorewall check-update" (or any
>>> other suitable alternative) which produces a "yes/no" result when
>>> recompilation is needed (even if it is through the exit code), then the
>>> shorewall-init startup script/service could use that to see whether
>>> "shorewall compile" needs to be executed (that would be in addition to
>>> the usual checks for the "firewall" executable) and do so accordingly.
>>>
>>> Since shorewall-init (as a service) usually starts before anything (even
>>> before any of the network devices have been brought up), it can detect
>>> whether changes were made and recompile the firewall file; ifupdown-local
>>> then picks it up and - voila, job done. How's that?
>>
>> That could be done. How about an option on the 'compile' command that
>> 'compiles if needed'? That way, the SysV init scripts could
>> unconditionally compile with that option.
>
> Nope, that won't do. The shorewall-init script checks for the existence
> of "firewall" and, if present, it then starts an "unconditional" compile.
> So, there must be, in my view, another command (I suggested "shorewall
> check-update", but it could be anything suitable really) which precedes
> that check, regardless of whether or not "firewall" exists and is
> executable - another "if" statement branch. Something like this:
>
>     retval=0
>     product="${SBINDIR}/$PRODUCT $OPTIONS"
>     if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
>         $product check-update   # or any other 'suitable' option
>         retval=${PIPESTATUS[0]}
>     fi
>     if [ $retval -ne 0 ]; then
>         # config directory has been updated, unconditional recompile
>         $product compile
>     elif [ ! -x "${STATEDIR}/firewall" ]; then
>         if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then

What I'm suggesting is to replace all of that with:

    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
        ${SBINDIR}/$PRODUCT compile -c
    fi

'compile -c' will compile ${VARDIR}/${PRODUCT}/firewall if it doesn't
exist or if the config has changed since it was last compiled. If it
exists and the config hasn't changed, the command exists with status 0.

-Tom
On 5/6/13 2:18 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
> On 05/06/2013 11:22 AM, Dash Four wrote:
>> Tom Eastep wrote:
>>>> I see your point and it is a good one.
>>>>
>>>> Perhaps another alternative could be implemented since the problem
>>>> arises only on reboot. Currently, I have shorewall-init as a service
>>>> disabled, simply because ifupdown-local usually takes care of
>>>> everything. However, if you implement "shorewall check-update" (or any
>>>> other suitable alternative) which produces a "yes/no" result when
>>>> recompilation is needed (even if it is through the exit code), then the
>>>> shorewall-init startup script/service could use that to see whether
>>>> "shorewall compile" needs to be executed (that would be in addition to
>>>> the usual checks for the "firewall" executable) and do so accordingly.
>>>>
>>>> Since shorewall-init (as a service) usually starts before anything (even
>>>> before any of the network devices have been brought up), it can detect
>>>> whether changes were made and recompile the firewall file; ifupdown-local
>>>> then picks it up and - voila, job done. How's that?
>>>
>>> That could be done. How about an option on the 'compile' command that
>>> 'compiles if needed'? That way, the SysV init scripts could
>>> unconditionally compile with that option.
>>
>> Nope, that won't do. The shorewall-init script checks for the existence
>> of "firewall" and, if present, it then starts an "unconditional" compile.
>> So, there must be, in my view, another command (I suggested "shorewall
>> check-update", but it could be anything suitable really) which precedes
>> that check, regardless of whether or not "firewall" exists and is
>> executable - another "if" statement branch. Something like this:
>>
>>     retval=0
>>     product="${SBINDIR}/$PRODUCT $OPTIONS"
>>     if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
>>         $product check-update   # or any other 'suitable' option
>>         retval=${PIPESTATUS[0]}
>>     fi
>>     if [ $retval -ne 0 ]; then
>>         # config directory has been updated, unconditional recompile
>>         $product compile
>>     elif [ ! -x "${STATEDIR}/firewall" ]; then
>>         if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
>
> What I'm suggesting is to replace all of that with:
>
>     if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
>         ${SBINDIR}/$PRODUCT compile -c
>     fi
>
> 'compile -c' will compile ${VARDIR}/${PRODUCT}/firewall if it doesn't
> exist or if the config has changed since it was last compiled. If it
> exists and the config hasn't changed, the command exists with status 0.

'exits'.

-Tom

You do not need a parachute to skydive.
You only need a parachute to skydive twice.
Tom Eastep wrote:
> On 05/06/2013 11:22 AM, Dash Four wrote:
>> Tom Eastep wrote:
>>>> I see your point and it is a good one.
>>>>
>>>> Perhaps another alternative could be implemented since the problem
>>>> arises only on reboot. Currently, I have shorewall-init as a service
>>>> disabled, simply because ifupdown-local usually takes care of
>>>> everything. However, if you implement "shorewall check-update" (or any
>>>> other suitable alternative) which produces a "yes/no" result when
>>>> recompilation is needed (even if it is through the exit code), then the
>>>> shorewall-init startup script/service could use that to see whether
>>>> "shorewall compile" needs to be executed (that would be in addition to
>>>> the usual checks for the "firewall" executable) and do so accordingly.
>>>>
>>>> Since shorewall-init (as a service) usually starts before anything (even
>>>> before any of the network devices have been brought up), it can detect
>>>> whether changes were made and recompile the firewall file; ifupdown-local
>>>> then picks it up and - voila, job done. How's that?
>>>
>>> That could be done. How about an option on the 'compile' command that
>>> 'compiles if needed'? That way, the SysV init scripts could
>>> unconditionally compile with that option.
>>
>> Nope, that won't do. The shorewall-init script checks for the existence
>> of "firewall" and, if present, it then starts an "unconditional" compile.
>> So, there must be, in my view, another command (I suggested "shorewall
>> check-update", but it could be anything suitable really) which precedes
>> that check, regardless of whether or not "firewall" exists and is
>> executable - another "if" statement branch. Something like this:
>>
>>     retval=0
>>     product="${SBINDIR}/$PRODUCT $OPTIONS"
>>     if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
>>         $product check-update   # or any other 'suitable' option
>>         retval=${PIPESTATUS[0]}
>>     fi
>>     if [ $retval -ne 0 ]; then
>>         # config directory has been updated, unconditional recompile
>>         $product compile
>>     elif [ ! -x "${STATEDIR}/firewall" ]; then
>>         if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
>
> What I'm suggesting is to replace all of that with:
>
>     if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
>         ${SBINDIR}/$PRODUCT compile -c
>     fi
>
> 'compile -c' will compile ${VARDIR}/${PRODUCT}/firewall if it doesn't
> exist or if the config has changed since it was last compiled. If it
> exists and the config hasn't changed, the command exists with status 0.

Oh, in that case it makes perfect sense, though make sure that the
shorewall exit status is always returned so that it could be picked up by
the initd script ;-)
On 05/06/2013 03:57 PM, Dash Four wrote:
> Tom Eastep wrote:
>> What I'm suggesting is to replace all of that with:
>>
>>     if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
>>         ${SBINDIR}/$PRODUCT compile -c
>>     fi
>>
>> 'compile -c' will compile ${VARDIR}/${PRODUCT}/firewall if it doesn't
>> exist or if the config has changed since it was last compiled. If it
>> exists and the config hasn't changed, the command exists with status 0.
>
> Oh, in that case it makes perfect sense, though make sure that the
> shorewall exit status is always returned so that it could be picked up by
> the initd script ;-)

Patch attached.

-Tom
Tom Eastep wrote:
> Patch attached.

Applied and tested with changes (see patch attached), but still doesn't
work. When I make modifications to my /etc/shorewall and then execute
"shorewall compile -c" I am always getting "/var/lib/shorewall/firewall
is up to date -- no compilation required", which is clearly wrong. As far
as the patch goes - I only scanned the lib.* files in
/usr/share/shorewall, but I am sure there are quite a lot of other
references, especially in the perl .pm files.

As an aside, I have a few queries/suggestions:

1. Could you allow multiple owner entries in the OWNER accounting column
the way it is in all other areas?

2. When I get the following message from ifup-local: "WARNING: Optional
Interface tun0 is not usable -- tun0 not Started", should I manually
execute "firewall -V0 up tun0" when I connect to my VPN (this can't be
picked up by the OS as the tun device is a bit "special", so all up/down
events can be controlled with scripts via openvpn)? I have traffic
shaping (incl. ifbX) as well as accounting set up for this device, though
it has to be said that during boot up my tun device is present, but it
does not yet have an ip address.

3. What is the consequence of stopping a device with "firewall down tun0",
for example?
On 5/7/13 4:30 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
> Tom Eastep wrote:
>> Patch attached.
>
> Applied and tested with changes (see patch attached),

You are aware that '==' is only supported by bash and that much of the
world outside of Redhat doesn't use bash as /bin/sh? I'm guessing not. I
will never apply such a patch.

> but still doesn't work. When I make modifications to my /etc/shorewall
> and then execute "shorewall compile -c" I am always getting
> "/var/lib/shorewall/firewall is up to date -- no compilation required",
> which is clearly wrong. As far as the patch goes - I only scanned the
> lib.* files in /usr/share/shorewall, but I am sure there are quite a lot
> of other references, especially in the perl .pm files.

It works perfectly for me, so please produce a shell trace of a failure.

-Tom
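The two points this exchange turns on are the "compile only if needed" rule that Tom describes for 'compile -c' (compile when the firewall script is missing or the config has changed since the last compile, otherwise exit 0) and the init-script concerns raised alongside it: Dash Four's request that the exit status always reach the initd script, and Tom's objection that '==' is a bash-only test that breaks wherever /bin/sh is dash or ash. The sketch below is an added example, not Shorewall's own code and not part of any message in this thread. It implements that rule in POSIX sh with a per-file mtime comparison; 'fake_compiler' and 'failing_compiler' are constructed stand-ins for the real compiler, and the scratch tree with its dated files is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: a POSIX-sh sketch of the
# "compile only if needed" decision discussed in this thread. It uses
# '=' in tests (the bash-only '==' fails on dash/ash /bin/sh) and hands
# the compiler's exit status back to the caller so an init script can
# act on it. Variables are prefixed globals because 'local' is not POSIX.

# needs_compile CONFDIR FIREWALL
#   True (0) when FIREWALL is missing or not executable, or when any
#   regular file below CONFDIR is newer than it; false (1) otherwise.
needs_compile() {
    nc_confdir=$1
    nc_firewall=$2
    [ -x "$nc_firewall" ] || return 0
    # Compare each file rather than the directory: editing a file in
    # place changes the file's mtime, not the directory's.
    nc_newer=$(find "$nc_confdir" -type f -newer "$nc_firewall" 2>/dev/null | head -n 1)
    [ -n "$nc_newer" ]
}

# conditional_compile CONFDIR FIREWALL COMPILER [ARGS...]
#   Runs COMPILER (a hypothetical stand-in for "shorewall compile") with
#   FIREWALL appended, but only when needs_compile says so, and returns
#   the compiler's exit status; returns 0 when nothing had to be done.
conditional_compile() {
    cc_confdir=$1
    cc_firewall=$2
    shift 2
    if needs_compile "$cc_confdir" "$cc_firewall"; then
        "$@" "$cc_firewall"
        return $?
    fi
    echo "$cc_firewall is up to date -- no compilation required"
    return 0
}

# Constructed stand-ins for the compiler: one succeeds and writes an
# executable script, one fails with status 3 to show status propagation.
fake_compiler() {
    printf '#!/bin/sh\nexit 0\n' > "$1" && chmod +x "$1"
}
failing_compiler() {
    echo "compile of $1 failed (simulated)" >&2
    return 3
}

# demo: scratch tree with constructed mtimes; returns the status of the
# last, deliberately failing, compile (3).
demo() {
    d_tmp=$(mktemp -d)
    mkdir -p "$d_tmp/etc/shorewall" "$d_tmp/var/lib/shorewall"
    d_fw="$d_tmp/var/lib/shorewall/firewall"
    touch -t 201305010000 "$d_tmp/etc/shorewall/shorewall.conf"
    conditional_compile "$d_tmp/etc/shorewall" "$d_fw" fake_compiler    # missing: compiles
    touch -t 201305020000 "$d_fw"
    conditional_compile "$d_tmp/etc/shorewall" "$d_fw" fake_compiler    # up to date: skipped
    touch -t 201305030000 "$d_tmp/etc/shorewall/rules"                  # config now newer
    conditional_compile "$d_tmp/etc/shorewall" "$d_fw" failing_compiler # status 3 propagates
    d_rc=$?
    rm -rf "$d_tmp"
    return $d_rc
}

# Run with RUN_DEMO=1 sh this_file.sh to see the three cases in order.
[ "${RUN_DEMO:-0}" = 1 ] && demo
```

The design choice worth noting is the per-file 'find -newer' walk: a directory's mtime only changes when entries are added or removed, so a check that compares the config directory itself would report "up to date" after an in-place edit of shorewall.conf. Whatever 'compile -c' actually compares is not stated in this thread; the example only shows one comparison that does not have that blind spot.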
> Tom Eastep wrote:
>> Patch attached.
>
> Applied and tested with changes (see patch attached), but still doesn't
> work. When I make modifications to my /etc/shorewall and then execute
> "shorewall compile -c" I am always getting "/var/lib/shorewall/firewall
> is up to date -- no compilation required", which is clearly wrong. As
> far as the patch goes - I only scanned the lib.* files in
> /usr/share/shorewall, but I am sure there are quite a lot of other
> references, especially in the perl .pm files.
>
> As an aside, I have a few queries/suggestions:
>
> 1. Could you allow multiple owner entries in the OWNER accounting column
> the way it is in all other areas?
> 2. When I get the following message from ifup-local: "WARNING: Optional
> Interface tun0 is not usable -- tun0 not Started" should I manually
> execute "firewall -V0 up tun0" when I connect to my VPN (this can't be
> picked up by the OS as the tun device is a bit "special", so all up/down
> events can be controlled with scripts via openvpn)? I have traffic
> shaping (incl. ifbX) as well as accounting set up for this device,
> though it has to be said that during boot up my tun device is present,
> but it does not yet have an ip address.
> 3. What is the consequence of stopping a device with "firewall down
> tun0" for example?

Hi,

This is a bit OT because it touches openvpn more than shorewall, but...

I don't know your exact requirements, but in my situation I needed
openvpn to be able to run scripts before tun/tap is opened, not after.
That's not possible with current openvpn versions and one has to hack
around in the init script or other facilities like firewall.

I've posted a feature wish with patch to openvpn but it was turned down:
https://community.openvpn.net/openvpn/ticket/284

Regards,
Simon
On Wed, 2013-05-08 at 08:42 +0200, Simon Matter wrote:
> Hi,

Hey,

> This is a bit OT because it touches openvpn more than shorewall,
> but...

To jump on this bandwagon a bit...

> I don't know your exact requirements, but in my situation I needed
> openvpn to be able to run scripts before tun/tap is opened, not after.
> That's not possible with current openvpn versions and one has to hack
> around in the init script or other facilities like firewall.

One other solution is that you could use a service manager such as
rgmanager and create a service that openvpn has as a dependency...

HTH,
James

> I've posted a feature wish with patch to openvpn but it was turned
> down:
> https://community.openvpn.net/openvpn/ticket/284
>
> Regards,
> Simon
>> I don't know your exact requirements, but in my situation I needed openvpn to be able to run scripts before tun/tap is opened, not after. That's not possible with current openvpn versions and one has to hack around in the init script or other facilities like the firewall.
> One other solution is that you could use a service manager such as rgmanager and create a service that openvpn has as a dependency...

Thanks for your contribution, but for two reasons I prefer the openvpn patch:

1) What you suggest doesn't work if openvpn restarts a tunnel itself without the openvpn process being stopped and restarted by something outside of openvpn.

2) Putting another piece of software into the game where we already have so many players doesn't really make things easier (KISS).

I'm really wondering how others put this all together and get stable systems.

Regards,
Simon
On Wed, May 8, 2013 at 4:23 AM, Simon Matter <simon.matter@invoca.ch> wrote:
> Thanks for your contribution, but for two reasons I prefer the openvpn patch:
>
> 1) What you suggest doesn't work if openvpn restarts a tunnel itself without the openvpn process being stopped and restarted by something outside of openvpn.

Well, I don't really know your specific use case, but good luck anyway.

> 2) Putting another piece of software into the game where we already have so many players doesn't really make things easier (KISS).
>
> I'm really wondering how others put this all together and get stable systems.

To be perfectly honest, I think that people *don't* use openvpn. I have a dual node cluster that uses it to create a layer 2 bridge between br0 on node1 and node2, and setting it up and monitoring it is a giant hack. I could never figure out how to do this any better way. Maybe some sort of NIH solution is in order.
Tom Eastep wrote:
> On 5/7/13 4:30 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> Tom Eastep wrote:
>>
>>> Patch attached.
>>>
>> Applied and tested with changes (see patch attached),
>>
>
> You are aware that '==' is only supported by bash and that much of the world outside of Redhat doesn't use bash as /bin/sh? I'm guessing not.
>
I am guessing you haven't got a clue, have you?

>> but still doesn't work. When I make modifications to my /etc/shorewall and then execute "shorewall compile -c" I am always getting "/var/lib/shorewall/firewall is up to date -- no compilation required", which is clearly wrong. As far as the patch goes - I only scanned the lib.* files in /usr/share/shorewall, but I am sure there are quite a lot of other references, especially in the perl .pm files.
>>
>
> It works perfectly for me, so please produce a shell trace of a failure.
>
Well, it doesn't work here - shell trace sent privately.
On 5/8/13 5:33 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>> but still doesn't work. When I make modifications to my /etc/shorewall and then execute "shorewall compile -c" I am always getting "/var/lib/shorewall/firewall is up to date -- no compilation required", which is clearly wrong. As far as the patch goes - I only scanned the lib.* files in /usr/share/shorewall, but I am sure there are quite a lot of other references, especially in the perl .pm files.
>>>
>>
>> It works perfectly for me, so please produce a shell trace of a failure.
>>
> Well, it doesn't work here - shell trace sent privately.

Please give this a try (apply on top of the earlier patch).

Thanks,
-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
On 5/8/13 5:33 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
> Tom Eastep wrote:
>> On 5/7/13 4:30 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>
>>> Tom Eastep wrote:
>>>
>>>> Patch attached.
>>>>
>>> Applied and tested with changes (see patch attached),
>>>
>>
>> You are aware that '==' is only supported by bash and that much of the world outside of Redhat doesn't use bash as /bin/sh? I'm guessing not.
>>
> I am guessing you haven't got a clue, have you?

I have the following clue:

root@gateway:~# /bin/sh
# [ a == a ] && echo Yes
[: 1: a: unexpected operator
# exit

root@gateway:~# [ a == a ] && echo Yes
Yes
root@gateway:~#

On this system (Debian), /bin/sh is the Dash shell.

So '==' doesn't appear in any of my shell code that is destined to run on all distributions.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
Tom Eastep wrote:
> On 5/8/13 5:33 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> Tom Eastep wrote:
>>
>>> On 5/7/13 4:30 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>>
>>>> Tom Eastep wrote:
>>>>
>>>>> Patch attached.
>>>> Applied and tested with changes (see patch attached),
>>>>
>>> You are aware that '==' is only supported by bash and that much of the world outside of Redhat doesn't use bash as /bin/sh? I'm guessing not.
>>>
>> I am guessing you haven't got a clue, have you?
>>
>
> I have the following clue:
>
> root@gateway:~# /bin/sh
> # [ a == a ] && echo Yes
> [: 1: a: unexpected operator
> # exit
>
> root@gateway:~# [ a == a ] && echo Yes
> Yes
> root@gateway:~#
>
> On this system (Debian), /bin/sh is the Dash shell.
>
> So '==' doesn't appear in any of my shell code that is destined to run on all distributions.
>
Have a very good read of your own post from yesterday (if you can, that is). Please pay particular attention to the "'==' is only supported by bash" bit. Now, my turn to show off:

~# /system/xbin/ash
/opt # ash --help
BusyBox v1.19.3-cm7 bionic (2011-11-14 16:52 +0100) multi-call binary.

Usage: ash [-/+OPTIONS] [-/+o OPT]... [-c 'SCRIPT' [ARG0 [ARGS]] / FILE [ARGS]]

Unix shell interpreter

/opt # [ 0 == 1 ] || echo Yes
Yes
/opt #

That was BusyBox using ash. As you may or may not be aware, BusyBox is widely used in routers/embedded or resource-constrained devices and has nothing whatsoever to do with Redhat, and 'ash' ain't exactly 'bash'.

Then, there is the korn shell (ksh) and derivatives (zsh etc) - even though I can't demonstrate the above example (I use ksh on a few of my embedded devices where there are no terminal - tty - capabilities present), I can enclose the relevant parts from the ksh man page for your benefit:

string == pattern
    True, if string matches pattern. Any part of pattern can be quoted to cause it to be matched as a string. With a successful match to a pattern, the .sh.match array variable will contain the match and sub-pattern matches.

Next in line is the c shell (csh) and its big brother tcsh (which is what I used before bash) - again, extracted from the man page for your own benefit:

Logical, arithmetical and comparison operators :- These operators are similar to those of C and have the same precedence. They include || && | ^ & == != =~ !~ <= >= < > << >> + - * / % ! ~ ( )

Would you like me to go on? Thought not! As I already put it to you yesterday - you are a bit clueless, aren't you?
Tom Eastep wrote:
> Please give this a try (apply on top of the earlier patch).
>
Yep, all is in order now. Looking at the changes, I am a bit miffed as to how this was working for you before.
On 5/9/13 3:22 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
> Tom Eastep wrote:
>> On 5/8/13 5:33 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>
>>> Tom Eastep wrote:
>>>
>>>> On 5/7/13 4:30 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>>>
>>>>> Tom Eastep wrote:
>>>>>
>>>>>> Patch attached.
>>>>> Applied and tested with changes (see patch attached),
>>>>>
>>>> You are aware that '==' is only supported by bash and that much of the world outside of Redhat doesn't use bash as /bin/sh? I'm guessing not.
>>>>
>>> I am guessing you haven't got a clue, have you?
>>>
>>
>> I have the following clue:
>>
>> root@gateway:~# /bin/sh
>> # [ a == a ] && echo Yes
>> [: 1: a: unexpected operator
>> # exit
>>
>> root@gateway:~# [ a == a ] && echo Yes
>> Yes
>> root@gateway:~#
>>
>> On this system (Debian), /bin/sh is the Dash shell.
>>
>> So '==' doesn't appear in any of my shell code that is destined to run on all distributions.
>>
> Have a very good read of your own post from yesterday (if you can, that is). Please pay particular attention to the "'==' is only supported by bash" bit. Now, my turn to show off:
>
> ~# /system/xbin/ash
> /opt # ash --help
> BusyBox v1.19.3-cm7 bionic (2011-11-14 16:52 +0100) multi-call binary.
>
> Usage: ash [-/+OPTIONS] [-/+o OPT]... [-c 'SCRIPT' [ARG0 [ARGS]] / FILE [ARGS]]
>
> Unix shell interpreter
>
> /opt # [ 0 == 1 ] || echo Yes
> Yes
> /opt #
>
> That was BusyBox using ash. As you may or may not be aware, BusyBox is widely used in routers/embedded or resource-constrained devices and has nothing whatsoever to do with Redhat, and 'ash' ain't exactly 'bash'.
>
> Then, there is the korn shell (ksh) and derivatives (zsh etc) - even though I can't demonstrate the above example (I use ksh on a few of my embedded devices where there are no terminal - tty - capabilities present), I can enclose the relevant parts from the ksh man page for your benefit:
>
> string == pattern
>     True, if string matches pattern. Any part of pattern can be quoted to cause it to be matched as a string. With a successful match to a pattern, the .sh.match array variable will contain the match and sub-pattern matches.
>
> Next in line is the c shell (csh) and its big brother tcsh (which is what I used before bash) - again, extracted from the man page for your own benefit:
>
> Logical, arithmetical and comparison operators :- These operators are similar to those of C and have the same precedence. They include || && | ^ & == != =~ !~ <= >= < > << >> + - * / % ! ~ ( )
>
> Would you like me to go on? Thought not! As I already put it to you yesterday - you are a bit clueless, aren't you?

My point is simply that there is a major distribution where /bin/sh doesn't support '=='. Knowing that, I admit that I didn't waste my time testing all of the other shells in the universe.

Shorewall has always used, and will continue to use, only the set of constructs supported by all of the default shells on systems where it commonly runs. Dash doesn't support '==' and /bin/sh is dash on current Debian releases.

End of discussion.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
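The dash failure Tom shows above is the kind of thing a pre-release check catches before a script reaches a Debian /bin/sh. The following is an added example, not Shorewall's own code: a small POSIX sh linter that counts `==` used inside single-bracket tests in a script, rewrites them to the portable single `=`, and a helper demonstrating the portable comparison form. `SAMPLE_SCRIPT` is constructed input; the function names are my own, and the block itself uses only constructs dash, ash, ksh and bash all accept.

```shell
#!/bin/sh
# Added example (not Shorewall code): find and fix the bash-only '=='
# inside '[ ... ]' tests.  POSIX test(1) defines only a single '=' for
# string equality; dash rejects '==' outright, so a script that uses it
# fails at the exact line, usually mid-way through a firewall start.

# Constructed sample script text: two offending tests and one portable one.
SAMPLE_SCRIPT='#!/bin/sh
if [ "$STATE" == "up" ]; then echo up; fi
[ x$MODE == xfast ] && FAST=1
[ "$IFACE" = "eth0" ] || exit 1
'

# Count lines of script text $1 that use " == " inside a [ ... ] test.
# "|| true" keeps the function's status 0 when grep finds nothing, so a
# caller running under "set -e" still gets the printed count (0).
count_nonportable_eq() {
    printf '%s\n' "$1" | grep -c '\[[^]]* == ' || true
}

# Rewrite " == " to " = " inside [ ... ] tests; emits the corrected text.
fix_nonportable_eq() {
    printf '%s\n' "$1" | sed 's/\(\[[^]]*\) == /\1 = /'
}

# The portable comparison: single '=' and both operands quoted, so an
# empty or absent value still yields a well-formed test instead of a
# syntax error ('[ = up ]') that masks the real condition.
str_eq() {
    [ "$1" = "$2" ]
}

# Reports whether this host's /bin/sh accepts '==' in test ("yes"/"no").
# Its result depends on the host, so it is informational only.
sh_accepts_double_eq() {
    if /bin/sh -c '[ a == a ]' 2>/dev/null; then echo yes; else echo no; fi
}

# Stand-alone run: show the offending count, the fixed script and the
# behaviour of the local /bin/sh.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "dash" ]; then
    echo "non-portable '==' tests found: $(count_nonportable_eq "$SAMPLE_SCRIPT")"
    echo "--- fixed script ---"
    fix_nonportable_eq "$SAMPLE_SCRIPT"
    echo "local /bin/sh accepts '==': $(sh_accepts_double_eq)"
fi
```

Running the fixed text back through `count_nonportable_eq` returns 0, which is the check worth adding to a release script so that the constructs Tom describes never reach a dash-based system.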
Tom Eastep wrote:
> My point is simply that there is a major distribution where /bin/sh doesn't support '=='.

I've no problem with that whatsoever. In fact, I wasn't aware at the time I issued the patch that this construct won't work in Debian, as I already knew it worked on all the shells I have been using here. I took issue with this rather foolish and ill-thought-out sweeping statement of yours that "==" is only supported in bash and your little dig at me for not knowing anything "outside Redhat", and I responded accordingly.

> Knowing that, I admit that I didn't waste my time testing all of the other shells in the universe.
>
Then don't have little digs or challenge my intelligence, and count to ten before you hit that "send" button.

> Shorewall has always used, and will continue to use, only the set of constructs supported by all of the default shells on systems where it commonly runs. Dash doesn't support '==' and /bin/sh is dash on current Debian releases.
>
No argument there.

> End of discussion.
>
Fair enough.