Shorewall users - Aug 2007 - Shorewall 3.4.x - Error when (re) starting - segmentation fault

Shorewall 3.4.6 running on SuSE Linux 10.2

Compiling Rule Activation...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Processing /etc/shorewall/params ...
Restarting Shorewall....
/sbin/shorewall: line 665:  6782 Segmentation fault      
$SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart

got this with V3.4.4, updated to 3.4.6 this morning, but that didn''t
help.
Does anybody have any hint for me ?

I am travelling onsite now to further debug the problem.

Regards from Germany.

-- 

Mit freundlichen Grüßen,
Philipp Rusch




-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

On Fri, 2007-08-24 at 11:22 +0200, Philipp Rusch wrote:
> Shorewall 3.4.6 running on SuSE Linux 10.2
> 
> Compiling Rule Activation...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Processing /etc/shorewall/params ...
> Restarting Shorewall....
> /sbin/shorewall: line 665:  6782 Segmentation
> fault     $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
> 
> 
> got this with V3.4.4, updated to 3.4.6 this morning, but that
didn''t
> help.
> Does anybody have any hint for me ?
Afraid not -- a trace would be useful when you get on-site.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Tom Eastep schrieb:
> On Fri, 2007-08-24 at 11:22 +0200, Philipp Rusch wrote:
>   
>> Shorewall 3.4.6 running on SuSE Linux 10.2
>>
>> Compiling Rule Activation...
>> Shorewall configuration compiled to /var/lib/shorewall/.restart
>> Processing /etc/shorewall/params ...
>> Restarting Shorewall....
>> /sbin/shorewall: line 665:  6782 Segmentation
>> fault     $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
>>
>>
>> got this with V3.4.4, updated to 3.4.6 this morning, but that
didn''t
>> help.
>> Does anybody have any hint for me ?
>>     
>
> Afraid not -- a trace would be useful when you get on-site.
>
> -Tom
>   
Tom,
the trace is 42 MB - too big to send in one piece, so what do you need 
as extract ?

-- 

Mit freundlichen Grüßen,
Philipp Rusch




-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

On Fri, 2007-08-24 at 18:21 +0200, Philipp Rusch wrote:
> Tom Eastep schrieb: 
> > On Fri, 2007-08-24 at 11:22 +0200, Philipp Rusch wrote:
> >   
> > > Shorewall 3.4.6 running on SuSE Linux 10.2
> > > 
> > > Compiling Rule Activation...
> > > Shorewall configuration compiled to /var/lib/shorewall/.restart
> > > Processing /etc/shorewall/params ...
> > > Restarting Shorewall....
> > > /sbin/shorewall: line 665:  6782 Segmentation
> > > fault     $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
> > > 
> > > 
> > > got this with V3.4.4, updated to 3.4.6 this morning, but that
didn''t
> > > help.
> > > Does anybody have any hint for me ?
> > >     
> > 
> > Afraid not -- a trace would be useful when you get on-site.
> > 
> > -Tom
> >   
> Tom,
> the trace is 42 MB - too big to send in one piece, so what do you need
> as extract ?
Let''s start with the last 1000 lines or so.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Tom Eastep schrieb:
> On Fri, 2007-08-24 at 11:22 +0200, Philipp Rusch wrote:
>   
>> Shorewall 3.4.6 running on SuSE Linux 10.2
>>
>> Compiling Rule Activation...
>> Shorewall configuration compiled to /var/lib/shorewall/.restart
>> Processing /etc/shorewall/params ...
>> Restarting Shorewall....
>> /sbin/shorewall: line 665:  6782 Segmentation
>> fault     $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
>>
>>
>> got this with V3.4.4, updated to 3.4.6 this morning, but that
didn''t
>> help.
>> Does anybody have any hint for me ?
>>     
>
> Afraid not -- a trace would be useful when you get on-site.
>
> -Tom
>   
Tom,

I think the problem arises from the number of zones I have.
We currently have 62 zones consisting of  fw,net,loc, 6 OpenVPN zones and
53 IPSec-zones.
If I reduce the number of those ipsec entries, the script compiles ok,
and shorewall is running fine.
Is there an elegant way to reduce my number of ipsec zones ?
All remote ipsec-vpn-sides should be treated equal, there are exactly 
the same
policies and rules for all of them.
Any hint would be great.

Regards from Germany,
-- 

Mit freundlichen Grüßen,
Philipp Rusch



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

On Fri, 2007-08-24 at 18:35 +0200, Philipp Rusch wrote:
> 53 IPSec-zones. 
> If I reduce the number of those ipsec entries, the script compiles ok,
> and shorewall is running fine. 
> Is there an elegant way to reduce my number of ipsec zones ?
> All remote ipsec-vpn-sides should be treated equal, there are exactly
> the same 
> policies and rules for all of them.
> Any hint would be great.
How are you defining your IPSEC zones in the current configuration?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Tom Eastep schrieb:
> On Fri, 2007-08-24 at 18:35 +0200, Philipp Rusch wrote:
>
>   
>> 53 IPSec-zones. 
>> If I reduce the number of those ipsec entries, the script compiles ok,
>> and shorewall is running fine. 
>> Is there an elegant way to reduce my number of ipsec zones ?
>> All remote ipsec-vpn-sides should be treated equal, there are exactly
>> the same 
>> policies and rules for all of them.
>> Any hint would be great.
>>     
>
> How are you defining your IPSEC zones in the current configuration?
>
> -Tom
>   
> ------------------------------------------------------------------------
I will give you my config files with the reduced number of ipsec 
tunnels. This runs at this moment.
As already said there should be 40+ more tunnels ....

Thanks in advance for your time.  :-)

-- 

Mit freundlichen Grüßen,
Philipp Rusch






-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Tom Eastep schrieb:
> On Fri, 2007-08-24 at 18:21 +0200, Philipp Rusch wrote:
>   
>> Tom Eastep schrieb: 
>>     
>>> On Fri, 2007-08-24 at 11:22 +0200, Philipp Rusch wrote:
>>>   
>>>       
>>>> Shorewall 3.4.6 running on SuSE Linux 10.2
>>>>
>>>> Compiling Rule Activation...
>>>> Shorewall configuration compiled to /var/lib/shorewall/.restart
>>>> Processing /etc/shorewall/params ...
>>>> Restarting Shorewall....
>>>> /sbin/shorewall: line 665:  6782 Segmentation
>>>> fault     $SHOREWALL_SHELL ${VARDIR}/.restart $debugging
restart
>>>>
>>>>
>>>> got this with V3.4.4, updated to 3.4.6 this morning, but that
didn''t
>>>> help.
>>>> Does anybody have any hint for me ?
>>>>     
>>>>         
>>> Afraid not -- a trace would be useful when you get on-site.
>>>
>>> -Tom
>>>   
>>>       
>> Tom,
>> the trace is 42 MB - too big to send in one piece, so what do you need
>> as extract ?
>>     
>
> Let''s start with the last 1000 lines or so.
>
> -Tom
>   
Oh, I did not get/read this one, so I''m sending this now, the last 1000
lines ...
-- 

Mit freundlichen Grüßen,
Philipp Rusch

------------------------------------------------------------------------

New Vision GmbH                                               
Neue Mitte 3
D-35415 Pohlheim, Germany                    
Fon:      +49 (0)6403 969 08 56
Fax:      +49 (0)6403 969 08 57
Mobile : +49 (0)172 89 86 230 

	

New Vision Logo <http://www.newvision-it.de>

HRB 6415 Gießen
Ust.-ID: DE 814 629 367

	

Web   : www.newvision-it.de
Mailto : Philipp.Rusch@newvision-it.de


------------------------------------------------------------------------

Diese E-Mail enthält vertrauliche und/oder rechtlich geschützteInformationen.
Wenn Sie nicht der richtige
Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte
den Absender und vernichten
Sie diese E-Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser
E-Mail ist nicht gestattet.

This e-mail may contain confidential and/or privileged information. If you are
not the intended recipient
(or have received this e-mail in error) please notify the sender and destroy
this e-mail. Any unauthorised
copying, disclosure or distribution of the material in this e-mail is strictly
forbidden.




-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

On Fri, 2007-08-24 at 18:57 +0200, Philipp Rusch wrote:
> Tom Eastep schrieb: 
> > On Fri, 2007-08-24 at 18:35 +0200, Philipp Rusch wrote:
> > 
> >   
> > > 53 IPSec-zones. 
> > > If I reduce the number of those ipsec entries, the script
compiles ok,
> > > and shorewall is running fine. 
> > > Is there an elegant way to reduce my number of ipsec zones ?
> > > All remote ipsec-vpn-sides should be treated equal, there are
exactly
> > > the same 
> > > policies and rules for all of them.
> > > Any hint would be great.
> > >     
> > 
> > How are you defining your IPSEC zones in the current configuration?
> > 
> > -Tom
> >   
> > 
> > ____________________________________________________________________
> I will give you my config files with the reduced number of ipsec
> tunnels. This runs at this moment.
> As already said there should be 40+ more tunnels ....
Why don''t you just make one zone:

/etc/shorewall/zones:

tuns	ipsec		mode=tunnel     mss=1350,proto=esp      mss=1350,proto=esp

/etc/shorewall/hosts:

tuns	eth1:0.0.0.0/0

-Tom


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

On Fri, 2007-08-24 at 19:21 +0200, Philipp Rusch wrote:
> Oh, I did not get/read this one, so I''m sending this now, the last
> 1000 lines ...
> 
> + echo ''Starting Shorewall....''
> + define_firewall
> /sbin/shorewall: line 375:  8151 Segmentation fault      ${VARDIR}/.start
$debugging start
The shell is trapping probably due to the size of the generated script.

I would be interested in seeing the compiled script that traps
(/var/lib/shorewall/.start).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

On Fri, 2007-08-24 at 10:37 -0700, Tom Eastep wrote:
> On Fri, 2007-08-24 at 19:21 +0200, Philipp Rusch wrote:
> 
> > Oh, I did not get/read this one, so I''m sending this now, the
last
> > 1000 lines ...
> 
> > 
> > + echo ''Starting Shorewall....''
> > + define_firewall
> > /sbin/shorewall: line 375:  8151 Segmentation fault     
${VARDIR}/.start $debugging start
> 
> The shell is trapping probably due to the size of the generated script.
> 
> I would be interested in seeing the compiled script that traps
> (/var/lib/shorewall/.start).
> 
It would also be interesting to know if you are using a light-weight
shell such as ash. If so, does the failure occur with bash?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Tom Eastep schrieb:
> On Fri, 2007-08-24 at 10:37 -0700, Tom Eastep wrote:
>   
>> On Fri, 2007-08-24 at 19:21 +0200, Philipp Rusch wrote:
>>
>>     
>>> Oh, I did not get/read this one, so I''m sending this now,
the last
>>> 1000 lines ...
>>>       
>>> + echo ''Starting Shorewall....''
>>> + define_firewall
>>> /sbin/shorewall: line 375:  8151 Segmentation fault     
${VARDIR}/.start $debugging start
>>>       
>> The shell is trapping probably due to the size of the generated script.
>>
>> I would be interested in seeing the compiled script that traps
>> (/var/lib/shorewall/.start).
>>
>>     
>
> It would also be interesting to know if you are using a light-weight
> shell such as ash. If so, does the failure occur with bash?
>
> -Tom
>   
Maybe a dumb question: how do I find out ?

Philipp

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Tom Eastep schrieb:
> On Fri, 2007-08-24 at 19:21 +0200, Philipp Rusch wrote:
>
>   
>> Oh, I did not get/read this one, so I''m sending this now, the
last
>> 1000 lines ...
>>     
>
>   
>> + echo ''Starting Shorewall....''
>> + define_firewall
>> /sbin/shorewall: line 375:  8151 Segmentation fault     
${VARDIR}/.start $debugging start
>>     
>
> The shell is trapping probably due to the size of the generated script.
>
> I would be interested in seeing the compiled script that traps
> (/var/lib/shorewall/.start).
>
> -Tom
>   
>
If I am doing a "shorewall restart", then this generates only the 
.restart script, right?
So I will send the .restart-script in a zip-file by private mail to you.

Regards,
Philipp


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

On Sat, 2007-08-25 at 17:30 +0200, Philipp Rusch wrote:
> Tom Eastep schrieb:
> 
> > It would also be interesting to know if you are using a light-weight
> > shell such as ash. If so, does the failure occur with bash?
> 
> Maybe a dumb question: how do I find out ?
Asking this questions actually answers it already. You are using the
default bash. ;-)  For completeness, here''s how you find out anyway.

[root@monkey shorewall]# grep ^SHOREWALL_SHELL shorewall.conf
SHOREWALL_SHELL=/bin/dash


This also matches with Toms findings regarding bash / ash in another
thread. Switching to a lightweight shell like ash should work around
this issue -- and gain some considerable [re]start speed improvement.

Of course, using a single zone instead of 50+ (see Toms suggestion and
the Performance docs [1]) will make starting Shorewall a whole new
experience, too...

  karsten


[1] http://shorewall.net/ScalabilityAndPerformance.html

-- 
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/