Ljubomir Ljubojevic
2009-Apr-19 21:41 UTC
Bad mac address `-j' - Status: found workaround, potential problem

Hi,

EDIT: I found how to work around the issue, but thought it is best to report anyway.

I've stumbled upon a weird problem regarding shorewall startup when the machine is booting. This is related to bridging.

I've installed KVM on CentOS 5.3 with back-ported kernel 2.6.18-92.1.22.el5.centos.plus (last CentOS 5.2 kernel). This was done to avoid kernel crashing with 5.3 kernel on AMD integrated motherboard.

Following howto's, I installed bridge (brctrl-utils) br0 that has eth0 as a member. br0 has two public IP's set following "MultiISP" howto. So far I installed one KVM guest and I have set its Public IP on virtual eth0 (on the guest system). Public IP is on the same subnet as one of KVM host's IP. Later I am going to also add public IP from other subnet existing on the host.

I checked all and shorewall is nicely started using "service shorewall start/restart" commands.

Problem starts when I boot/reboot the host. Since shorewall's duty is to separate routing for both subnets, its failing to start means there is no network traffic whatsoever. When I login as local user, via the keyboard, shorewall starts nicely again.

Watching booting messages, I found out WHEN and generally WHY it's not starting on boot. Problem is connected to postponed start of br0 interface (I had to add "service network restart" to /etc.rd/rc.local to have active network after the boot). Adding "service shorewall restart" in /etc.rd/rc.local after "service network restart" does not help.

EDIT: I later followed http://wiki.libvirt.org/page/Networking#Bridged_networking_.28aka_.22shared_physical_device.22.29 and disabled NetworkManager service with chkconfig, enabled network service and commented out "service network restart" from /etc.rd/rc.local. network now starts the br0 interface, but shorewall still reports error and refuses to start. Leaving "service shorewall restart" in /etc.rd/rc.local solves the issue.

Since no log shows the message I see on boot, I added "service network restart" INSIDE the /etc.rd/init.d/network after the code in its "start" and "restart". Here is the error I get after the (changed) "service network restart" and also on the boot screen (note that in this case shorewall DOES start):

[root@vmaster init.d]# service network restart
Shutting down interface br0: [ OK ]
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Disabling IPv4 packet forwarding: net.ipv4.ip_forward = 0 [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface br0: [ OK ]
Restarting shorewall: iptables-restore v1.3.5: Bad mac address `-j'
Error occurred at line: 32
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
/sbin/shorewall: line 756: 12573 Terminated $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
[FAILED]
Restarting shorewall: Shorewall is not running [ OK ]

[root@vmaster init.d]# service shorewall status
Shorewall-4.2.7 Status at vmaster.plnet.rs - Sun Apr 19 21:51:22 CEST 2009
Shorewall is running
State:Started (Sun Apr 19 21:51:10 CEST 2009)

EDIT: After changes written in "EDIT" comments, and active "service shorewall restart" in /etc.rd/rc.local, everything works.

Ljubomir Ljubojevic
Tom Eastep
2009-Apr-19 22:34 UTC
Re: Bad mac address `-j' - Status: found workaround, potential problem

Ljubomir Ljubojevic wrote:
> EDIT: After changes written in "EDIT" comments, and active "service
> shorewall restart" in /etc.rd/rc.local, everything works.

I'm happy that you were able to work around the issue because there isn't much in your post to help us try to understand the failure.

You failed to mention which version of Shorewall you are running; the banner from the output of 'shorewall status' quoted in your post allows us to know that it is 4.2.7. The fact that 'iptables-restore' is failing allows us to deduce that you are running Shorewall-perl.

This next bit is significant:

Restarting shorewall: iptables-restore v1.3.5: Bad mac address `-j'
Error occurred at line: 32
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
/sbin/shorewall: line 756: 12573 Terminated $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart

If we had the file /var/lib/shorewall/.iptables-restore-input, then we could see what command is failing. From that, we might guess why an invalid command was being generated. That file accompanied by the output of "shorewall dump" captured when the firewall is finally up and running would give us a good chance of solving the problem.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \________________________________________________
Ljubomir Ljubojevic
2009-Apr-20 12:52 UTC
Re: Bad mac address `-j' - Status: found workaround, potential problem

I sent a mail with non-compressed attachments but it got held up so I canceled it, so I am repeating the mail:

Tom Eastep wrote:
> You failed to mention which version of Shorewall you are running; the
> banner from the output of 'shorewall status' quoted in your post allows
> us to know that it is 4.2.7. The fact that 'iptables-restore' is failing
> allows us to deduce that you are running Shorewall-perl.

Yes, I see I forgot that piece of information. Yes, version is 4.2.7(-3) and I use perl variant. I rebuilt rpm from Fedora source repository. Patches in spec file show following patches applied:

Patch301: ftp://ftp.shorewall.net/pub/shorewall/4.2/shorewall-4.2.7/patch-perl-4.2.7.1
Patch302: ftp://ftp.shorewall.net/pub/shorewall/4.2/shorewall-4.2.7/patch-perl-4.2.7.2

> This next bit is significant:
>
> Restarting shorewall: iptables-restore v1.3.5: Bad mac address `-j'
> Error occurred at line: 32
> Try `iptables-restore -h' or 'iptables-restore --help' for more
> information.
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
> /sbin/shorewall: line 756: 12573 Terminated
> $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
>
> If we had the file /var/lib/shorewall/.iptables-restore-input, then we
> could see what command is failing. From that, we might guess why an
> invalid command was being generated. That file accompanied by the output
> of "shorewall dump" captured when the firewall is finally up and running
> would give us a good chance of solving the problem.
>
> -Tom

I do not know the internals of shorewall, and this is my first (possible) bug report so I relied on the fact you will ask for relevant information. I added both requests as file attachments.

Ljubomir
Tom Eastep
2009-Apr-20 15:02 UTC
Re: Bad mac address `-j' - Status: found workaround, potential problem

Ljubomir Ljubojevic wrote:
> I do not know the internals of shorewall, and this is my first
> (possible) bug report so I relied on the fact you will ask for relevant
> information.
> I added both requests as file attachments.

Thank you for the additional information.

There is a defect in Shorewall that causes the startup failure when an optional interface has multiple providers through it and Shorewall is unable to determine the MAC address of one or more of the GATEWAYs. That bug will be somewhat difficult to fix and, when fixed, your firewall still won't restart properly under the same circumstances.

While the bridge is being started prior to the 'shorewall restart', it appears that the bridge is not yet fully functional. Adding a few second 'sleep' in /etc/shorewall/init may help.

I notice in the .iptables-restore-input that when Shorewall does come up, the following rules are generated:

-A routemark -i br0 -m mac --mac-source 00:0c:76:42:a9:8c -j MARK --set-mark 1
-A routemark -i br0 -m mac --mac-source 00:0c:76:42:a9:8c -j MARK --set-mark 2

Note the identical MAC addresses in the two rules -- without seeing /var/lib/shorewall/.restart, I cannot tell if that is a Shorewall bug or a configuration error.

-Tom
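A way to locate the rule that iptables-restore rejects in a saved restore input, as an added example that is not part of the original post or of Shorewall. The function name and the sample input are constructed; the sample follows the routemark rule format quoted above and assumes the undetected gateway MAC is simply left empty, which is what makes iptables-restore read `-j` as the address.

```shell
#!/bin/sh
# Added example: list rules whose --mac-source argument is not a MAC address.

# find_bad_mac_rules [FILE]
# Reads an iptables-restore input file (or stdin) and prints "LINE: RULE" for
# every rule where --mac-source is not followed by six hex octets. LINE uses
# the same numbering as the "Error occurred at line: N" message.
find_bad_mac_rules() {
    awk '
    BEGIN {
        h = "[0-9A-Fa-f][0-9A-Fa-f]"
        mac_re = "^" h ":" h ":" h ":" h ":" h ":" h "$"
    }
    {
        for (i = 1; i <= NF; i++) {
            if ($i != "--mac-source") continue
            j = i + 1
            if ($j == "!") j++    # negated form: --mac-source ! address
            if (j > NF || $j !~ mac_re)
                printf "%d: %s\n", NR, $0
        }
    }' "$@"
}

# Constructed sample input; line 6 carries the empty MAC.
sample_restore_input() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:routemark - [0:0]
-A PREROUTING -j routemark
-A routemark -i br0 -m mac --mac-source 00:0c:76:42:a9:8c -j MARK --set-mark 1
-A routemark -i br0 -m mac --mac-source -j MARK --set-mark 2
COMMIT
EOF
}

sample_restore_input | find_bad_mac_rules
```

On the affected host the same function can be pointed at /var/lib/shorewall/.iptables-restore-input after a failed start.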
Ljubomir Ljubojevic
2009-Apr-20 15:49 UTC
Re: Bad mac address `-j' - Status: found workaround, potential problem

Tom Eastep wrote:
> Ljubomir Ljubojevic wrote:
>
>> I do not know the internals of shorewall, and this is my first
>> (possible) bug report so I relied on the fact you will ask for relevant
>> information.
>> I added both requests as file attachments.
>
> Thank you for the additional information.
>
> There is a defect in Shorewall that causes the startup failure when an
> optional interface has multiple providers through it and Shorewall is
> unable to determine the MAC address of one or more of the GATEWAYs. That
> bug will be somewhat difficult to fix and, when fixed, your firewall
> still won't restart properly under the same circumstances.
>
> While the bridge is being started prior to the 'shorewall restart', it
> appears that the bridge is not yet fully functional. Adding a few second
> 'sleep' in /etc/shorewall/init may help.

I have noticed that br0 even when up does not function for 5-10 seconds more. That also happens on my desktop with br0 interface connected to eth0 and Virtualbox virtual machines but without any firewall whatsoever. Network Monitor tray icon starts flashing active but ping does not work for several seconds more.

> I notice in the .iptables-restore-input that when Shorewall does come
> up, the following rules are generated:
>
> -A routemark -i br0 -m mac --mac-source 00:0c:76:42:a9:8c -j MARK
> --set-mark 1
> -A routemark -i br0 -m mac --mac-source 00:0c:76:42:a9:8c -j MARK
> --set-mark 2
>
> Note the identical MAC addresses in the two rules -- without seeing
> /var/lib/shorewall/.restart, I cannot tell if that is a Shorewall bug or
> a configuration error.

That is not a bug. I have only one gateway machine, using one NIC (one MAC) for both public subnets. Diagram is:

Server (unit in question) with 1 NIC and 2 public IP's on 2 public subnets
------> 1 Cat5 cable ------>
------> 1 NIC with 2 public IP's on 2 public subnets both acting as gateways on StarV3 wireless Router that uses RIP + policy routing to separate traffic.

I know I have VERY interesting (and difficult) setup, and I want you to know that I am very happy with shorewall. I am starting to print all documentation I can get about new shorewall (I already have 3.x manuals) and I am going to even write a few howto's. One using several virtual machines (for several tasks) on the 1 physical server with 1 (or more) NIC and several public IP's from several ISP's. This setup should be quite common for providing redundancy for small ISP's that have several uplinks, but avoiding BGP routing.

I believe that CentOS/KVM/Shorewall/Webmin/Virtualmin combination is the way to go, I've already collected quite a few RPM's backported from latest Fedora RPM's (shorewall, everything for kvm deployment, freeradius...), and I am planning to document the complete process.

The thing that would be nice to see is updated Webmin module for shorewall, at least possibility to select currently inaccessible files (like tc_rules) for manual editing. That would make sure my shorewall howto's are much easier to follow.

I will also try the init workaround and report the results, and you could maybe think about adding it as a configuration value to avoid tainting the internals.

Ljubomir
Tom Eastep
2009-Apr-20 16:33 UTC
Re: Bad mac address `-j' - Status: found workaround, potential problem

Ljubomir Ljubojevic wrote:
>> There is a defect in Shorewall that causes the startup failure when
>> an optional interface has multiple providers through it and
>> Shorewall is unable to determine the MAC address of one or more of
>> the GATEWAYs. That bug will be somewhat difficult to fix and, when
>> fixed, your firewall still won't restart properly under the same
>> circumstances.

The attached patch to /usr/share/shorewall/Shorewall/Providers.pm should prevent the startup failure. If the MAC of the remote gateway is not detectable, the provider does not come up.

> I have noticed that br0 even when up does not function for 5-10
> seconds more. That also happens on my desktop with br0 interface
> connected to eth0 and Virtualbox virtual machines but without any
> firewall whatsoever. Network Monitor tray icon starts flashing
> active but ping does not work for several seconds more.

That explains the failure then.

>> Note the identical MAC addresses in the two rules -- without seeing
>> /var/lib/shorewall/.restart, I cannot tell if that is a Shorewall
>> bug or a configuration error.
>
> That is not a bug. I have only one gateway machine, using one NIC
> (one MAC) for both public subnets.

Thanks for the explanation.

> I believe that CentOS/KVM/Shorewall/Webmin/Virtualmin combination is
> the way to go,

> The thing that would be nice to see is updated Webmin module for
> shorewall, at least possibility to select currently inaccessible
> files (like tc_rules) for manual editing. That would make sure my
> shorewall howto's are much easier to follow.

Maintenance of the Webmin module is outside of the Shorewall project.

> I will also try the init workaround and report the results, and you
> could maybe think about adding it as a configuration value to avoid
> tainting the internals.

/etc/shorewall/init is intended for just this sort of thing. Adding commands to that file is not 'tainting the internals'.

-Tom
Ljubomir Ljubojevic
2009-Apr-20 17:21 UTC
Re: Bad mac address `-j' - Status: found workaround, potential problem

Tom Eastep wrote:
> Ljubomir Ljubojevic wrote:
>
>>> There is a defect in Shorewall that causes the startup failure when
>>> an optional interface has multiple providers through it and
>>> Shorewall is unable to determine the MAC address of one or more of
>>> the GATEWAYs. That bug will be somewhat difficult to fix and, when
>>> fixed, your firewall still won't restart properly under the same
>>> circumstances.
>
> The attached patch to /usr/share/shorewall/Shorewall/Providers.pm should
> prevent the startup failure. If the MAC of the remote gateway is not
> detectable, the provider does not come up.

Does that mean that it will never start or it will start after some period? In my case not starting at all would cause that machine to be without any routed network connection. I will test init delay in some 2 hours and if it works, then I will just use that option. I never patched anything yet, so I will try to patch it but I am not sure I will test this on this unit before the thorough backup of current working system.

>> I have noticed that br0 even when up does not function for 5-10
>> seconds more. That also happens on my desktop with br0 interface
>> connected to eth0 and Virtualbox virtual machines but without any
>> firewall whatsoever. Network Monitor tray icon starts flashing
>> active but ping does not work for several seconds more.
>
> That explains the failure then.
>
>>> Note the identical MAC addresses in the two rules -- without seeing
>>> /var/lib/shorewall/.restart, I cannot tell if that is a Shorewall
>>> bug or a configuration error.
>>
>> That is not a bug. I have only one gateway machine, using one NIC
>> (one MAC) for both public subnets.
>
> Thanks for the explanation.
>
>> I believe that CentOS/KVM/Shorewall/Webmin/Virtualmin combination is
>> the way to go,
>
>> The thing that would be nice to see is updated Webmin module for
>> shorewall, at least possibility to select currently inaccessible
>> files (like tc_rules) for manual editing. That would make sure my
>> shorewall howto's are much easier to follow.
>
> Maintenance of the Webmin module is outside of the Shorewall project.

It would be a good way of promoting your excellent software. I was not asking you to work on it yourself. My thought was you might know someone of your co-developers or helpers that is able to work on it a little, or just contact Webmin developers and assist them (give them pointers and tell them what to enhance) so that Shorewall module is easier to work with.

With KVM/Xen... maturity Webmin starts to be more and more best way to maintain virtual servers. Assuring there are fresh binaries for most popular distro's and enhanced webmin module would do wonders for shorewall's popularization.

As I progress in learning how to master rpm building I intend to be active in several communities including shorewall's to see how much I can help. I can not promise anything I have the will to find the time.

>> I will also try the init workaround and report the results, and you
>> could maybe think about adding it as a configuration value to avoid
>> tainting the internals.
>
> /etc/shorewall/init is intended for just this sort of thing. Adding
> commands to that file is not 'tainting the internals'.

You are right, I was not looking at the location of the file, sorry. I assumed without reading that it's rc.d init script. I guess holiday atmosphere (Orthodox Easter) got me too relaxed.

Ljubomir
Tom Eastep
2009-Apr-20 17:50 UTC
Re: Bad mac address `-j' - Status: found workaround, potential problem

Ljubomir Ljubojevic wrote:
> Tom Eastep wrote:

>> The attached patch to /usr/share/shorewall/Shorewall/Providers.pm should
>> prevent the startup failure. If the MAC of the remote gateway is not
>> detectable, the provider does not come up.
>
> Does that mean that it will never start or it will start after some
> period?

It means that Shorewall itself will start but it will not add either of the providers.

> In my case not starting at all would cause that machine to be
> without any routed network connection. I will test init delay in some 2
> hours and if it works, then I will just use that option.
> I never patched anything yet, so I will try to patch it but I am not
> sure I will test this on this unit before the thorough backup of current
> working system.

You must use the init delay, regardless of whether you apply the patch or not.

>> Maintenance of the Webmin module is outside of the Shorewall project.

> It would be a good way of promoting your excellent software. I was not
> asking you to work on it yourself. My thought was you might know
> someone of your co-developers or helpers that is able to work on it a
> little, or just contact Webmin developers and assist them (give them
> pointers and tell them what to enhance) so that Shorewall module is
> easier to work with.

We've had various people take over maintenance of the module only to lose interest quickly. We don't have anyone with the talent to maintain the module and the interest in doing so :-(

Requests from end-users to the Webmin maintainer are always more effective than those from other project maintainers; everyone would like to have up-to-date Webmin modules for their product.

>> /etc/shorewall/init is intended for just this sort of thing. Adding
>> commands to that file is not 'tainting the internals'.
>
> You are right, I was not looking at the location of the file, sorry. I
> assumed without reading that it's rc.d init script. I guess holiday
> atmosphere (Orthodox Easter) got me too relaxed.

:-)

-Tom
Tom Eastep
2009-Apr-20 18:04 UTC
Re: Bad mac address `-j' - Status: found workaround, potential problem

Tom Eastep wrote:
> Ljubomir Ljubojevic wrote:
>> Tom Eastep wrote:
>
>>> The attached patch to /usr/share/shorewall/Shorewall/Providers.pm should
>>> prevent the startup failure. If the MAC of the remote gateway is not
>>> detectable, the provider does not come up.
>> Does that mean that it will never start or it will start after some
>> period?
>
> It means that Shorewall itself will start but it will not add either of
> the providers.

Note that you can do more sophisticated things than simply sleep; you can attempt to ping the remote gateway and if that fails, you can sleep and try again. These steps can be repeated if needed.

-Tom
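The ping, sleep and retry approach described above, written out as shell functions for /etc/shorewall/init. This is an added example, not part of the original post and not Shorewall's own code. The interface name br0 is from the thread; the function names are made up for the example and the gateway addresses in the usage comment are placeholder documentation addresses.

```shell
#!/bin/sh
# Added example: wait for each provider gateway to become reachable on the
# bridge before Shorewall builds its MAC-based routemark rules.

# probe_gateway DEV GATEWAY
# Succeeds once one ping is answered and the gateway has a MAC (lladdr)
# entry in the neighbour table, which is what the rules depend on.
probe_gateway() {
    ping -n -c 1 -w 1 -I "$1" "$2" >/dev/null 2>&1 || return 1
    ip neigh show to "$2" dev "$1" 2>/dev/null | grep -q lladdr
}

# wait_for_gateway DEV GATEWAY MAX_TRIES DELAY
# Probes up to MAX_TRIES times, sleeping DELAY seconds after each failure.
# Returns 0 on the first success, 1 if every probe failed.
# WAIT_TRIES holds the number of probes that were made.
wait_for_gateway() {
    wfg_dev=$1; wfg_gw=$2; wfg_max=$3; wfg_delay=$4
    WAIT_TRIES=0
    while [ "$WAIT_TRIES" -lt "$wfg_max" ]; do
        WAIT_TRIES=$((WAIT_TRIES + 1))
        if probe_gateway "$wfg_dev" "$wfg_gw"; then
            return 0
        fi
        if [ "$WAIT_TRIES" -lt "$wfg_max" ]; then
            sleep "$wfg_delay"
        fi
    done
    return 1
}

# wait_for_providers MAX_TRIES DELAY DEV:GATEWAY...
# Waits for every listed gateway in turn and returns the number that never
# answered, so the caller can log it instead of aborting the firewall start.
wait_for_providers() {
    wfp_max=$1; wfp_delay=$2; shift 2
    wfp_missing=0
    for wfp_pair in "$@"; do
        wfp_dev=${wfp_pair%%:*}
        wfp_gw=${wfp_pair#*:}
        if ! wait_for_gateway "$wfp_dev" "$wfp_gw" "$wfp_max" "$wfp_delay"; then
            echo "gateway $wfp_gw on $wfp_dev not reachable after $WAIT_TRIES tries" >&2
            wfp_missing=$((wfp_missing + 1))
        fi
    done
    return "$wfp_missing"
}

# Usage in /etc/shorewall/init (placeholder gateways, 15 tries 2 s apart):
#   wait_for_providers 15 2 br0:192.0.2.1 br0:198.51.100.1 || true
```

Unlike a fixed sleep, the loop returns as soon as the bridge starts forwarding and still gives up after a bounded time if a gateway stays down.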
Ljubomir Ljubojevic
2009-Apr-20 18:14 UTC
Re: Bad mac address `-j' - Status: found workaround, potential problem

Tom Eastep wrote:
> Ljubomir Ljubojevic wrote:
>> Tom Eastep wrote:
>
>>> The attached patch to /usr/share/shorewall/Shorewall/Providers.pm should
>>> prevent the startup failure. If the MAC of the remote gateway is not
>>> detectable, the provider does not come up.
>> Does that mean that it will never start or it will start after some
>> period?
>
> It means that Shorewall itself will start but it will not add either of
> the providers.

In this case it would be good to have shorewall set some kind of timer and then try to restore all the providers 1-2-5 minutes after the partial start. Or the config option to control that behavior.

>> In my case not starting at all would cause that machine to be
>> without any routed network connection. I will test init delay in some 2
>> hours and if it works, then I will just use that option.
>> I never patched anything yet, so I will try to patch it but I am not
>> sure I will test this on this unit before the thorough backup of current
>> working system.
>
> You must use the init delay, regardless of whether you apply the patch
> or not.
>
>>> Maintenance of the Webmin module is outside of the Shorewall project.
>
>> It would be a good way of promoting your excellent software. I was not
>> asking you to work on it yourself. My thought was you might know
>> someone of your co-developers or helpers that is able to work on it a
>> little, or just contact Webmin developers and assist them (give them
>> pointers and tell them what to enhance) so that Shorewall module is
>> easier to work with.
>
> We've had various people take over maintenance of the module only to
> lose interest quickly. We don't have anyone with the talent to maintain
> the module and the interest in doing so :-(
>
> Requests from end-users to the Webmin maintainer are always more
> effective than those from other project maintainers; everyone would like
> to have up-to-date Webmin modules for their product.

I started compiling rpm's some 1-2 months ago, and I have some 2-3 posts a day on average on StarV3 forums helping other members. Some 15 days ago I started joining a few mailing lists like libvirt's and yours and I am going to file my first kernel bug with the Red Hat. Since I like to learn and enhance my knowledge, and would like to promote Linux in general, and of course leave my mark in the linux community, IF I find the time, I will see what I can do with Webmin's module too. But no promises.

>>> /etc/shorewall/init is intended for just this sort of thing. Adding
>>> commands to that file is not 'tainting the internals'.
>> You are right, I was not looking at the location of the file, sorry. I
>> assumed without reading that it's rc.d init script. I guess holiday
>> atmosphere (Orthodox Easter) got me too relaxed.
>
> :-)
>
> -Tom
Ljubomir Ljubojevic
2009-Apr-20 21:59 UTC
Re: Bad mac address `-j' - Status: found workaround, potential problem

I tested /etc/shorewall/init script and "sleep 15" does the job quite nicely for using bridge interfaces. I will avoid the patch for now and wait for source rpm or maybe even cook my own.

Thanks for all your help.

Ljubomir

Tom Eastep wrote:
> Tom Eastep wrote:
>> Ljubomir Ljubojevic wrote:
>>> Tom Eastep wrote:
>>>> The attached patch to /usr/share/shorewall/Shorewall/Providers.pm should
>>>> prevent the startup failure. If the MAC of the remote gateway is not
>>>> detectable, the provider does not come up.
>>> Does that mean that it will never start or it will start after some
>>> period?
>> It means that Shorewall itself will start but it will not add either of
>> the providers.
>
> Note that you can do more sophisticated things than simply sleep; you
> can attempt to ping the remote gateway and if that fails, you can sleep
> and try again. These steps can be repeated if needed.
>
> -Tom