Vincent Danjean
2009-Oct-23 17:50 UTC
shorewall6: multiple providers generate errors at compile-time
[resent with the attachment gzipped, as the first, ungzipped one was too big for the list]

Hi,

As asked by the Debian maintainer of shorewall6, I'm submitting my problem on this mailing list.

My problem comes from wanting to use two 6to4 tunnels at the same time (i.e. multi-ISP with shorewall6). I include the initial bug report to Debian below (it can also be seen at http://bugs.debian.org/551950 ). It explains that I think that detect_configuration() is never called.

Here is also the full log of a start (/tmp/trace attached in gzip form):

kooot:/etc/shorewall6# shorewall6 trace start 2> /tmp/trace
Compiling...
Compiling /etc/shorewall6/zones...
Compiling /etc/shorewall6/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
doing ...
Pre-processing /usr/share/shorewall6/action.AllowICMPs...
Pre-processing /usr/share/shorewall6/action.Drop...
Pre-processing /usr/share/shorewall6/action.Reject...
Compiling /etc/shorewall6/policy...
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling /etc/shorewall6/providers...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall6/rules...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall6/action.AllowICMPs for chain AllowICMPs...
Compiling ...
Processing /usr/share/shorewall6/action.Reject for chain Reject...
Processing /usr/share/shorewall6/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating ip6tables-restore input...
Compiling iptables-restore input for chain mangle:...
Compiling /etc/shorewall6/routestopped...
Shorewall configuration compiled to /var/lib/shorewall6/.start
Starting Shorewall6....
Initializing...
Adding Providers...
Restoring Shorewall6...
Initializing...
IPv6 Forwarding Enabled
Shorewall6 restored from /var/lib/shorewall6/restore
kooot:/etc/shorewall6#

Regards,
Vincent

PS: if I manually execute the commands in detect_configuration, I get the correct IP.
If I call this function at the beginning of the script (and run it manually), then this error disappears (but I'm not sure this function should always be invoked).

PPS: you might want to know that the iproute bug #551937 (http://bugs.debian.org/551937) also prevents Multi IPv6 ISP from working. And http://lists.debian.org/debian-devel/2009/10/msg00472.html shows yet another problem (but I do not know yet if the latter is a shorewall6 bug or another package bug).

Roberto C. Sánchez wrote:
> Vincent,
>
> I do not have any experience with a configuration like you are
> attempting. Please take your question to the mailing list
> (shorewall-users@lists.sourceforge.net). Someone there will
> almost certainly be able to help.
>
> My apologies for not being able to offer more assistance.
>
> Regards,
>
> -Roberto
>
> On Thu, Oct 22, 2009 at 01:51:46AM +0200, Vincent Danjean wrote:
>> Package: shorewall6
>> Version: 4.4.2-1
>> Severity: normal
>>
>> Hi,
>>
>> I'm trying to set up a router with IPv6.
>>
>> I've two IPv6 tunnels (one 6to4 tunnel and one from SixXS). So I tried
>> to set up shorewall6 with two providers ( http://shorewall.net/MultiISP.html ).
>>
>> I ran into a problem at compile-time:
>>
>> /etc/shorewall6# make
>> Shorewall6 isn't started
>> Compiling...
>> Shorewall configuration compiled to /var/lib/shorewall6/.restart
>> Restarting Shorewall6....
>> Error: an inet address is expected rather than "dev".
>> ERROR: Command "ip -6 route replace ::c058:6301 src dev tun6to4 table 1" Failed
>> Restoring Shorewall6...
>> Shorewall6 restored from /var/lib/shorewall6/restore
>> /sbin/shorewall6: line 604: 15240 Complété $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
>> /etc/shorewall6#
>>
>> Looking into /var/lib/shorewall6/.restart, I found:
>> # cat /var/lib/shorewall6/.restart | grep -- "route replace"
>> qt $IP -6 route replace $default_route && \
>> run_ip route replace ::c058:6301 src $TUN6TO4_ADDRESS dev tun6to4 table 1
>> run_ip route replace 2a01:XXXX:XXXX:XXXX::1 src $SIXXS_ADDRESS dev sixxs table 2
>> So it seems that $TUN6TO4_ADDRESS is empty.
>> TUN6TO4_ADDRESS is defined in the detect_configuration function that seems never to be called:
>> # cat /var/lib/shorewall6/.restart | grep -- "detect_configuration"
>> detect_configuration()
>> #
>>
>> Regards,
>> Vincent
>>
>> PS: if I manually execute the commands in detect_configuration, I get the correct IP.
>> If I call this function at the beginning of the script (and run it manually), then
>> this error disappears (but I'm not sure this function should always be invoked)
>>
>> PPS: you might want to know that the iproute bug #551937 also prevents Multi IPv6 ISP
>> from working. And http://lists.debian.org/debian-devel/2009/10/msg00472.html
>> shows yet another problem (but I do not know yet if the latter is a shorewall6
>> bug or not)
>>
>>
>> -- System Information:
>> Debian Release: squeeze/sid
>> APT prefers oldstable
>> APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 2.6.31-trunk-amd64 (SMP w/2 CPU cores)
>> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/bash
>>
>> Versions of packages shorewall6 depends on:
>> ii debconf [debconf-2.0] 1.5.27 Debian configuration management sy
>> ii iproute 20090324-1 networking and traffic control too
>> ii iptables 1.4.4-2 administration tools for packet fi
>> ii shorewall 4.4.2-1 Shoreline Firewall, netfilter conf
>>
>> shorewall6 recommends no packages.
>>
>> Versions of packages shorewall6 suggests:
>> ii 2.6.26-19 Linux 2.6.26 image on AMD64
>> ii 2.6.30-8 Linux 2.6.30 image on AMD64
>> ii 2.6.31~rc6-1~experimental.1~snapshot Linux 2.6.31-rc6 image on AMD64
>> ii 2.6.31-1~experimental.2 Linux 2.6.31 for 64-bit PCs
>> ii 3.81-6 An utility for Directing compilati
>> ii 4.4.2-1 documentation for Shoreline Firewa
>>
>> -- debconf information:
>> shorewall6/major_release:
>> shorewall6/dont_restart:
>> shorewall6/invalid_config:
>>
>

-- 
Vincent Danjean
Address: Laboratoire d'Informatique de Grenoble
         ENSIMAG - antenne de Montbonnot
         ZIRST 51, avenue Jean Kuntzmann
         38330 Montbonnot Saint Martin
Phone: +33 4 76 61 20 11
Fax: +33 4 76 61 20 99
Email: Vincent.Danjean@imag.fr

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
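The failure in the report above is a generated script running "route replace ... src $TUN6TO4_ADDRESS" with the variable empty, which ip rejects with "an inet address is expected rather than "dev"". The script below is an added example, not Shorewall's own generated code or its detect_configuration() body: it shows the two things that script needs, an address-detection step and a refusal to emit the route command when detection produced nothing. It assumes the tunnel address can be read from `ip -6 addr show` output; that output is a constructed sample here so the script runs offline.

```shell
#!/bin/sh
# Added example (not Shorewall's code): detect a tunnel's global IPv6 address
# and only then build the "ip -6 route replace ... src ADDR" command line.

# Constructed sample of `ip -6 addr show dev tun6to4 scope global` output
# (assumption: this is where a detect step would read the address from).
SAMPLE_ADDR_OUTPUT='3: tun6to4: <NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN
    inet6 2002:101:101::1/64 scope global
       valid_lft forever preferred_lft forever'

# first_global_addr6 TEXT: print the first global IPv6 address found in
# ip-addr output, without its prefix length; print nothing if there is none.
first_global_addr6() {
    printf '%s\n' "$1" |
        awk '$1 == "inet6" && $4 == "global" { sub(/\/.*/, "", $2); print $2; exit }'
}

# route_replace_cmd GATEWAY SRC DEV TABLE: print the `ip -6 route replace`
# command, or fail without printing when SRC is empty. Emitting the command
# with an empty src is exactly what produced the error in the bug report.
route_replace_cmd() {
    gw=$1; src=$2; dev=$3; table=$4
    if [ -z "$src" ]; then
        echo "ERROR: no source address detected for $dev; not emitting route command" >&2
        return 1
    fi
    printf 'ip -6 route replace %s src %s dev %s table %s\n' "$gw" "$src" "$dev" "$table"
}

# Detection step first, then the route line that depends on it.
TUN6TO4_ADDRESS=$(first_global_addr6 "$SAMPLE_ADDR_OUTPUT")
route_replace_cmd ::c058:6301 "$TUN6TO4_ADDRESS" tun6to4 1
```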
Tom Eastep
2009-Oct-23 18:32 UTC
Re: shorewall6: multiple providers generate errors at compile-time
Vincent Danjean wrote:
> I include the initial bug report to Debian below (it can also be seen at
> http://bugs.debian.org/551950 ). It explains that I think that
> detect_configuration() is never called.

Attached is an updated copy of /usr/share/shorewall/Perl/prog.footer6 that should correct that problem.

> PPS: you might want to know that the iproute bug #551937 (http://bugs.debian.org/551937)
> also prevents Multi IPv6 ISP from working.
> And http://lists.debian.org/debian-devel/2009/10/msg00472.html shows yet another problem
> (but I do not know yet if the latter is a shorewall6 bug or another package bug)

Thanks,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Vincent Danjean
2009-Oct-23 19:59 UTC
Bug#551950: [Shorewall-users] shorewall6: multiple providers generate errors at compile-time
tag 551950 +patch,upstream,fixed-upstream
thanks

Tom Eastep wrote:
> Vincent Danjean wrote:
>
>> I include the initial bug report to Debian below (it can also be seen at
>> http://bugs.debian.org/551950 ). It explains that I think that
>> detect_configuration() is never called.
>
> Attached is an updated copy of /usr/share/shorewall/Perl/prog.footer6
> that should correct that problem.

Thanks. After diffing the file against the one on my system, I only took the lines with detect_configuration (your file also deletes all the function definitions that you moved to prog.header6, according to your git history). I attach the patch I applied for the Debian bug. This solves this bug (but I'm stopped by the next one, see below).

>> PPS: you might want to know that the iproute bug #551937 (http://bugs.debian.org/551937)
>> also prevents Multi IPv6 ISP from working.
>> And http://lists.debian.org/debian-devel/2009/10/msg00472.html shows yet another problem
>> (but I do not know yet if the latter is a shorewall6 bug or another package bug)

For the last bug, looking at the ifupdown sources, it seems that the bug (adding "via ::") comes from either the 'ip' command or the kernel. Or this is not a bug and shorewall6 should take care of this syntax. You can try on any host:

eyak:~# ip -6 route ls dev tun6to4
Cannot find device "tun6to4"
eyak:~# ip tunnel add tun6to4 mode sit remote 192.88.99.1 local 192.168.0.1
eyak:~# ip -6 route ls dev tun6to4
eyak:~# ip link set tun6to4 up
eyak:~# ip -6 route ls dev tun6to4
fe80::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~# ip addr add 2002:0101:0101::1/64 dev tun6to4
eyak:~# ip -6 route ls dev tun6to4
2002:101:101::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~#

You can see that all routes added by ip due to other commands (i.e. not "ip route") lead to a route with "via ::". I'm under the impression that these routes are added automatically by the kernel, not by the ip utility itself. So, I do not know how you want to deal with this (and I do not know IPv6 in Linux well enough to know the right answer here). A workaround is to add something like "|sed 's/ via :: / /'" when you get the routes. But I do not know if all "via ::" can really be suppressed in routes.

Regards,
Vincent

> Thanks,
> -Tom

Some more tests to see the difference between routes automatically added and routes manually added (I'm not able to interpret the results I get, I just see the differences):

eyak:~# cat /proc/net/ipv6_route | grep tun6to4
20020101010100000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00200001 tun6to4
fe800000000000000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00200001 tun6to4
ff000000000000000000000000000000 08 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00000001 tun6to4
eyak:~# ip -6 route ls dev tun6to4
2002:101:101::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~# ip -6 route del 2002:101:101::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~# ip -6 route add 2002:101:101::/64 via :: dev tun6to4 proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
RTNETLINK answers: Invalid argument
eyak:~# ip -6 route add 2002:101:101::/64 dev tun6to4 proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~# cat /proc/net/ipv6_route | grep tun6to4
20020101010100000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00000001 tun6to4
fe800000000000000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00200001 tun6to4
ff000000000000000000000000000000 08 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00000001 tun6to4
eyak:~# ip -6 route add 2002:101:101::/64 dev tun6to4 via 2002:101:101::3 proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
eyak:~# cat /proc/net/ipv6_route | grep tun6to4
20020101010100000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000001 00000001 tun6to4
20020101010100000000000000000000 40 00000000000000000000000000000000 00 20020101010100000000000000000003 00000100 00000000 00000000 00000003 tun6to4
fe800000000000000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00200001 tun6to4
ff000000000000000000000000000000 08 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000000 00000000 00000001 tun6to4
eyak:~#

-- 
Vincent Danjean
GPG key ID 0x9D025E87        vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://perso.debian.org/~vdanjean/debian unstable main
Tom Eastep
2009-Oct-23 20:23 UTC
Re: shorewall6: multiple providers generate errors at compile-time
Vincent Danjean wrote:
> And http://lists.debian.org/debian-devel/2009/10/msg00472.html shows yet another problem
> (but I do not know yet if the latter is a shorewall6 bug or another package bug)

I believe that ip should not be returning the 'via ::'. That would be the equivalent of returning 'via 0.0.0.0' on an IPv4 net route. The attached hack to /usr/share/shorewall/Shorewall/Providers should help until iproute is fixed.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
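The sessions above show that `ip -6 route ls` reports the kernel-added routes with an unspecified gateway, "via ::", and that feeding that token back into `ip -6 route add` is rejected with "Invalid argument", while the same route without it is accepted. The script below is an added example, not Tom's attached Providers hack and not Vincent's exact sed: it strips only the "via ::" token from route lines (real gateways such as "via 2002:101:101::3" are kept), counts how many lines carried it so the iproute behaviour can be spotted, and rebuilds the add commands. The route lines are a constructed sample modelled on the output above.

```shell
#!/bin/sh
# Added example (not Shorewall's Providers code): normalise `ip -6 route ls`
# output so the unspecified gateway "via ::" never reaches `ip -6 route add`.

# Constructed sample of `ip -6 route ls dev tun6to4` output; the third line
# with a real gateway is added here to show it is left untouched.
SAMPLE_ROUTES='2002:101:101::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
2001:db8:1::/48 via 2002:101:101::3 metric 1024'

# count_unspecified_via TEXT: number of "via ::" tokens in the route listing.
# A non-zero count means the listing cannot be replayed as-is with "route add".
count_unspecified_via() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = 0 }
        { for (i = 1; i < NF; i++) if ($i == "via" && $(i+1) == "::") n++ }
        END { print n }'
}

# strip_unspecified_via TEXT: drop "via ::" (and only that gateway) from
# every line. Token-wise rather than sed-based so a trailing "via ::" with no
# following space is handled too.
strip_unspecified_via() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "via" && $(i+1) == "::") { i++; continue }
            out = out (out == "" ? "" : " ") $i
        }
        print out
    }'
}

# route_add_cmds TEXT DEV TABLE: one `ip -6 route add` command per normalised
# route, bound to DEV and TABLE (as a provider table copy would need).
route_add_cmds() {
    strip_unspecified_via "$1" |
        awk -v dev="$2" -v table="$3" '{ print "ip -6 route add " $0 " dev " dev " table " table }'
}

echo "routes with an unspecified gateway: $(count_unspecified_via "$SAMPLE_ROUTES")"
route_add_cmds "$SAMPLE_ROUTES" tun6to4 1
```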