Rodolfo J. Paiz
2003-Jun-17 18:42 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
Hello, all...

Please help... bug found! (Either in Red Hat or in Shorewall, but certainly somewhere and I think it's in Shorewall.)

I've been using Shorewall for some time now (think I got it around 1.2.x) and I absolutely love it. Power, elegance, speed, and simplicity... without _any_ crashes or problems to date in my experience. So, I was quite surprised to try installing Shorewall 1.4.4b on a couple of new boxes and having it croak on startup.

Here's what I have found on three different new installs of Red Hat 7.3:

1. "shorewall start" works perfectly, and so do stop, restart, status, and hits.
2. the iproute package is installed and working fine.
3. "which ip" returns something (forgot what exactly), but something like /bin/ip.
4. the problem occurs ONLY with the "service shorewall start" command.
5. no trace possible with my current level of knowledge. <smile>

-----------------------------------------------
Here is a normal shorewall stop:
-----------------------------------------------

[root@apollo shorewall]# service shorewall stop
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Stopping Shorewall...Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
done.

-----------------------------------------------
Using "service shorewall start":
-----------------------------------------------

[root@apollo shorewall]# service shorewall start
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Error: Shorewall 1.4.4b requires the iproute package ('ip' utility)
/sbin/service: line 65: 2488 Terminated env -i LANG=$LANG "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

-----------------------------------------------
Using "shorewall start":
-----------------------------------------------

[root@apollo shorewall]# shorewall start
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Mangled/Invalid Packet filtering enabled on: eth0
Adding rules for DHCP
Setting up Blacklisting...
Blacklisting enabled on eth0
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
Tom Eastep
2003-Jun-17 18:53 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
On Wed, 18 Jun 2003 01:41:32 -0600, Rodolfo J. Paiz <rpaiz@simpaticus.com> wrote:

> Please help... bug found! (Either in Red Hat or in Shorewall, but
> certainly somewhere and I think it's in Shorewall.)
>

1) This "bug" has already been reported.
2) I can't reproduce it.
3) People who can reproduce it haven't provided me with a trace.

See http://www.shorewall.net/troubleshoot.htm under the title "If the firewall fails to start"

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
John S. Andersen
2003-Jun-17 18:54 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
On 18 Jun 2003 at 1:41, Rodolfo J. Paiz wrote:

> -----------------------------------------------
> Using "service shorewall start":
> -----------------------------------------------
>
> [root@apollo shorewall]# service shorewall start
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Starting Shorewall...
> Error: Shorewall 1.4.4b requires the iproute package ('ip'
> utility)
> /sbin/service: line 65: 2488 Terminated env -i
> LANG=$LANG "${SERVICEDIR}/${SERVICE}" ${OPTIONS}
>

If I knew the first thing about "service" or Redhat I would suspect service does not have the same path as issuing the start from the command line, or that something

But being a SuSE user, I'll be the first to admit I probably know nothing about either Service or Redhat.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
._______________________________________
John S. Andersen NORCOM
mailto:JAndersen@norcomsoftware.com
Juneau, Alaska http://www.screenio.com/
Tom Eastep
2003-Jun-17 19:03 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
On Tue, 17 Jun 2003 17:54:07 -0800, John S. Andersen <jsa@norcomix.dyndns.org> wrote:

>
> If I knew the first thing about "service" or Redhat I would suspect
> service does not have the same path as issuing the start
> from the command line, or that something

Yep....

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-17 19:07 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
On Tue, 17 Jun 2003, John S. Andersen wrote:

> On 18 Jun 2003 at 1:41, Rodolfo J. Paiz wrote:
>
> > -----------------------------------------------
> > Using "service shorewall start":
> > -----------------------------------------------
> >
> > [root@apollo shorewall]# service shorewall start
> > Processing /etc/shorewall/params ...
> > Processing /etc/shorewall/shorewall.conf...
> > Starting Shorewall...
> > Error: Shorewall 1.4.4b requires the iproute package ('ip'
> > utility)
> > /sbin/service: line 65: 2488 Terminated env -i
> > LANG=$LANG "${SERVICEDIR}/${SERVICE}" ${OPTIONS}
> >
>
> If I knew the first thing about "service" or Redhat I would suspect
> service does not have the same path as issuing the start
> from the command line, or that something
>

Yep -- but it's rather hard to understand given that the first thing that "service shorewall start" execs "shorewall start".

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-17 19:09 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
On Tue, 17 Jun 2003, Tom Eastep wrote:

> See http://www.shorewall.net/troubleshoot.htm under the title "If the
> firewall fails to start"

What is required is that /etc/init.d/shorewall be modified as follows:

Replace:

    exec /sbin/shorewall $@

with

    exec /sbin/shorewall debug $@ > /tmp/trace

Then after a failed "service shorewall start", /tmp/trace MIGHT show us something.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Rodolfo J. Paiz
2003-Jun-17 23:49 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
At 6/17/2003 19:09 -0700, you wrote:

>What is required is that /etc/init.d/shorewall be modified as follows:
>
>Replace:
>         exec /sbin/shorewall $@
>with
>         exec /sbin/shorewall debug $@ > /tmp/trace

I ended up having to change it to:

    exec /sbin/shorewall debug $@ > /tmp/trace.stdout 2> /tmp/trace.stderr

At the end, I got this to the screen:

[root@apollo tmp]# service shorewall start
/sbin/service: line 65: 3487 Terminated env -i LANG=$LANG "${SERVICEDIR}/${SERVICE}" ${OPTIONS}
[root@apollo tmp]#

The files trace.stdout and trace.stderr are included in the attached file.

As to the path suggestion, all I could do was type "set" at the bash prompt and grep PATH in shorewall.conf then compare them by hand. If they are not identical, they are sure as hell similar. But most interesting, both contain "/sbin/" so for the command "which ip" it should not have been difficult to find "/sbin/ip".

--
Rodolfo J. Paiz
rpaiz@simpaticus.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: trace.tgz
Type: application/x-compressed
Size: 4617 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030618/ccbd3446/trace.bin
Rodolfo J. Paiz
2003-Jun-18 00:24 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
At 6/18/2003 06:48 -0600, Rodolfo J. Paiz wrote:

>As to the path suggestion, all I could do was type "set" at the bash
>prompt and grep PATH in shorewall.conf then compare them by hand. If they
>are not identical, they are sure as hell similar. But most interesting,
>both contain "/sbin/" so for the command "which ip" it should not have
>been difficult to find "/sbin/ip".

Sorry to respond to my own post, but...

OK, I've rethought this. The fact that my login shell and shorewall.conf both have /sbin in the path means nothing since it doesn't tell me what the path is for /sbin/service when called. They _may_ be the same but I have no way to tell.

"service shorewall start" seems to be failing at the "which ip" command, but when I type that manually, either before or after trying to start shorewall, it works just fine.

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
John Andersen
2003-Jun-18 00:29 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
On Wednesday 18 June 2003 05:23 am, Rodolfo J. Paiz wrote:

> "service shorewall start" seems to be failing at the "which ip" command,
> but when I type that manually, either before or after trying to start
> shorewall, it works just fine.

What was that "qt" preceding the "which ip" command in the trace?

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
Tom Eastep
2003-Jun-18 05:42 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
On Tue, 2003-06-17 at 19:09, Tom Eastep wrote:

> On Tue, 17 Jun 2003, Tom Eastep wrote:
>
> > See http://www.shorewall.net/troubleshoot.htm under the title "If the
> > firewall fails to start"
>
> What is required is that /etc/init.d/shorewall be modified as follows:
>
> Replace:
>
>     exec /sbin/shorewall $@
>
> with
>
>     exec /sbin/shorewall debug $@ > /tmp/trace
>

$#@! -- that's incorrect; should be:

    exec /sbin/shorewall debug $@ 2> /tmp/trace

Sorry!

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-18 06:05 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
On Wed, 2003-06-18 at 00:29, John Andersen wrote:

> On Wednesday 18 June 2003 05:23 am, Rodolfo J. Paiz wrote:
>
> > "service shorewall start" seems to be failing at the "which ip" command,
> > but when I type that manually, either before or after trying to start
> > shorewall, it works just fine.
>
> what was that "qt" preceding the "which ip" command in the trace?

qt() is a Shorewall macro. It invokes the command passed to it and redirects both stdout and stderr to /dev/null.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-18 06:09 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
On Wed, 2003-06-18 at 06:23, Rodolfo J. Paiz wrote:

> At 6/18/2003 06:48 -0600, Rodolfo J. Paiz wrote:
> >As to the path suggestion, all I could do was type "set" at the bash
> >prompt and grep PATH in shorewall.conf then compare them by hand. If they
> >are not identical, they are sure as hell similar. But most interesting,
> >both contain "/sbin/" so for the command "which ip" it should not have
> >been difficult to find "/sbin/ip".
>
> Sorry to respond to my own post, but...
>
> OK, I've rethought this. The fact that my login shell and shorewall.conf
> both have /sbin in the path means nothing since it doesn't tell me what the
> path is for /sbin/service when called. They _may_ be the same but I have no
> way to tell.
>
> "service shorewall start" seems to be failing at the "which ip" command,
> but when I type that manually, either before or after trying to start
> shorewall, it works just fine.

By the time that shorewall executes 'which ip', it has instantiated the path from /etc/shorewall.conf.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-18 06:27 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
On Wed, 2003-06-18 at 06:23, Rodolfo J. Paiz wrote:

> At 6/18/2003 06:48 -0600, Rodolfo J. Paiz wrote:
> >As to the path suggestion, all I could do was type "set" at the bash
> >prompt and grep PATH in shorewall.conf then compare them by hand. If they
> >are not identical, they are sure as hell similar. But most interesting,
> >both contain "/sbin/" so for the command "which ip" it should not have
> >been difficult to find "/sbin/ip".
>
> Sorry to respond to my own post, but...
>
> OK, I've rethought this. The fact that my login shell and shorewall.conf
> both have /sbin in the path means nothing since it doesn't tell me what the
> path is for /sbin/service when called. They _may_ be the same but I have no
> way to tell.
>
> "service shorewall start" seems to be failing at the "which ip" command,
> but when I type that manually, either before or after trying to start
> shorewall, it works just fine.

Try modifying /etc/init.d/shorewall to have this before the 'case' statement:

    alias which='/usr/bin/which --tty-only --read-alias --show-dot --show-tilde'

(don't fold it like my mailer did)

Thanks,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-18 07:30 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
I think that the way that I'll work around whatever is causing this is to modify the verify_ip function to execute "ip link ls" rather than "which ip".

e.g.,

    verify_ip() {
        qt ip link ls ||\
        ...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
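Added example (not part of the original thread and not Shorewall's own code): the two ways of checking for 'ip' discussed above, run under a scrubbed environment like the "env -i LANG=$LANG ..." line that /sbin/service reports. The names run_scrubbed, verify_ip_which, verify_ip_exec and SANDBOX, and the stub 'ip', are assumptions made for the illustration; it does not establish what caused the failure reported in this thread.

```shell
#!/bin/sh
# Added example. Constructed sandbox: a directory that holds only a stub
# named "ip", standing in for the real iproute utility.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
printf '#!/bin/sh\nexit 0\n' > "$SANDBOX/ip"
chmod +x "$SANDBOX/ip"

# qt() behaves as described in the thread: run the command and discard
# stdout and stderr. The two verify_ip_* names are hypothetical.
PROBES='
qt() { "$@" >/dev/null 2>&1; }
verify_ip_which() { qt which ip; }    # asks a helper where ip is
verify_ip_exec()  { qt ip link ls; }  # runs ip itself
'

# run_scrubbed PATHVALUE PROBE
# Start a fresh shell with only LANG and PATH set, the way the
# "env -i LANG=$LANG ..." line in /sbin/service starts the init script.
run_scrubbed() {
    env -i LANG="${LANG:-C}" PATH="$1" /bin/sh -c "$PROBES
$2"
}

# Report what each probe concludes when PATH holds only the sandbox.
for probe in verify_ip_which verify_ip_exec; do
    if run_scrubbed "$SANDBOX" "$probe"; then
        echo "$probe: ip found"
    else
        echo "$probe: ip NOT found"
    fi
done
```

With only the sandbox directory on PATH, the "which ip" probe fails because "which" itself cannot be resolved, although 'ip' is present and runnable; the "ip link ls" probe depends on nothing but 'ip'.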
Tom Eastep
2003-Jun-18 08:14 UTC
[Shorewall-users] Bug Report: "shorewall requires the iproute package"
On Wed, 2003-06-18 at 07:53, Rodolfo J. Paiz wrote:

>
> Do you still need me to make those changes and get another trace?

No -- let's just "fix" it and move on.

> Also, how would I make those corrections so my systems can start shorewall
> on their own without my help?

What version of Shorewall are you running?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net