Hi Folks,

anyone has a bell ringing with this error message?

When doing a: shorewall refresh

# /sbin/shorewall refresh
Compiling...
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
/usr/share/shorewall/functions: line 145: 27260 Segmentation fault "$@" >/dev/null 2>&1
Initializing...
[... snip ...]

it's in this function:

#
# Suppress all output for a command
#
qt()
{
    "$@" >/dev/null 2>&1
}

A debug output shows me this:

+ qt /sbin/iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
+ /sbin/iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
+ CONNTRACK_MATCH=Yes
+ qt /sbin/iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT
+ /sbin/iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT
+ MULTIPORT=Yes
+ qt /sbin/iptables -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT
+ /sbin/iptables -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT
+ XMULTIPORT=Yes
+ qt /sbin/iptables -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT
+ /sbin/iptables -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT
/usr/share/shorewall/functions: line 145: 32759 Segmentation fault "$@" >/dev/null 2>&1
+ qt /sbin/iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT
+ /sbin/iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT
+ PHYSDEV_MATCH=Yes

Just FYI - I am not using any IPSec stuff - as only OpenVPN comes to
service in my networks.

Here the Shorewall version number:

/sbin/shorewall version
3.2.4

It doesn't seem to make any issue though - as everything works as required.

This is on a cross-upgraded Debian to Ubuntu 6.06.1 LTS,
but this error showed up only after the last libc6 upgrade.

-- 
------------------------------------------------------------------------
| Joerg Mertin             : smurphy@solsys.org (Home)
| in Forchheim/Germany     : smurphy@linux.de (Alt1)
| Stardust's LiNUX System  :
| Web: http://www.solsys.org
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

On Mon, 29 Oct 2007 10:56:31 +0100, smurphy@solsys.org said:

> This is on a cross-upgraded Debian to Ubuntu 6.06.1 LTS,
> but this error showed up only after the last libc6 upgrade.

That may well be your problem as that is an unsupported (by Debian or
Ubuntu) path. I'd suggest you try your configuration on a vanilla Ubuntu
6.06 system.

Keith

-- 
Keith Edmunds

--------------------------------------------------------------
Tiger Computing is looking for a Linux Support Consultant - see
http://www.tiger-computing.co.uk/page?27
--------------------------------------------------------------

Keith Edmunds wrote:

> On Mon, 29 Oct 2007 10:56:31 +0100, smurphy@solsys.org said:
>
>> This is on a cross-upgraded Debian to Ubuntu 6.06.1 LTS,
>> but this error showed up only after the last libc6 upgrade.
>
> That may well be your problem as that is an unsupported (by Debian or
> Ubuntu) path. I'd suggest you try your configuration on a vanilla Ubuntu
> 6.06 system.

Well - that's strange. As before the upgrade of the libc6 which happened
last week - I didn't have that issue ...
I ran the cross-upgraded system for about a year or so without an issue.

On a plain Ubuntu 6.06.1 it works - and there is no package left on my
gateway from the old Debian installation...

IMHO - there is something else going on. As it does not impact my
Networking/Firewall - I will ignore it (have unfortunately more urgent
stuff to fix) - but I will keep an eye on it.

Cheers

Joerg

Joerg Mertin wrote:

> + qt /sbin/iptables -A fooX1234 -m policy --pol ipsec --mode tunnel
> --dir in -j ACCEPT
> + /sbin/iptables -A fooX1234 -m policy --pol ipsec --mode tunnel --dir
> in -j ACCEPT
> /usr/share/shorewall/functions: line 145: 32759 Segmentation fault
> "$@" >/dev/null 2>&1
> + qt /sbin/iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT
> + /sbin/iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT
> + PHYSDEV_MATCH=Yes
>
> Just FYI - I am not using any IPSec stuff - as only OpenVPN comes to
> service in my networks.

FYI -- the code being executed at this point is trying to determine what
capabilities your iptables and kernel have. That code is totally independent
of your Shorewall configuration.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
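
Added example, not part of the thread and not Shorewall's code: a quiet capability probe in the style of the qt() wrapper quoted above leaves only the exit status to go on, so this sketch uses that status to tell "match not supported" apart from "the test command died on a signal", which is what the segfault in the trace is. The names probe, report, POLICY_MATCH and the fake_* stand-ins are hypothetical; the stand-ins replace the real iptables test commands so the script runs without root or netfilter.

```shell
#!/bin/sh
# Run a command with all output suppressed and print one of:
#   yes | no | crashed:<signal-number>
probe() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo yes
    elif [ "$rc" -gt 128 ]; then
        # A shell reports death-by-signal as 128 + signal number
        # (139 for SIGSEGV, signal 11, on Linux).
        echo "crashed:$((rc - 128))"
    else
        echo no
    fi
}

# Constructed stand-ins for the iptables test commands (assumptions).
fake_supported()   { return 0; }
fake_unsupported() { return 2; }
fake_segfault()    { sh -c 'kill -s SEGV $$'; }

# $1 = capability variable name, remaining arguments = test command.
# A crash is reported separately so it is not silently read as
# "this kernel/iptables lacks the match".
report() {
    name=$1; shift
    result=$(probe "$@")
    case $result in
        yes)       echo "$name=Yes" ;;
        crashed:*) echo "$name=unknown (test command killed by signal ${result#crashed:})" ;;
        *)         echo "$name=No" ;;
    esac
}

report CONNTRACK_MATCH fake_supported
report POLICY_MATCH    fake_segfault
report PHYSDEV_MATCH   fake_unsupported
```
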

Hi Tom,

this is what I suspected - reason I didn't care.
The segmentation fault was what I saw - and which struggled me.
Anyway - I'll see if I can circle it.

Thx

Joerg

Tom Eastep wrote:
[snip]
> FYI -- the code being executed at this point is trying to determine what
> capabilities your iptables and kernel have. That code is totally independent
> of your Shorewall configuration.
[snip]