Johannes Graumann
2010-Feb-01 22:30 UTC
Restart after upgrade from 4.4.5-1 to 4.4.6-1 on debian testing virtual server fails
Hello, I upgraded my debian testing shorewall installation from 4.4.5-1 to 4.4.6-1 from the repositories tonight. The upgrade involved a restart - which failed and keeps failing. I attach the trace as requested on shorewall.net and the iptables-restore-input involved in the failure message. Any insight into what might be going wrong? Thanks for any hints, Joh ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Tom Eastep
2010-Feb-01 22:42 UTC
Re: Restart after upgrade from 4.4.5-1 to 4.4.6-1 on debian testing virtual server fails
Johannes Graumann wrote:> Hello, > > I upgraded my debian testing shorewall installation from 4.4.5-1 to > 4.4.6-1 from the repositories tonight. The upgrade involved a restart > - which failed and keeps failing. I attach the trace as requested on > shorewall.net and the iptables-restore-input involved in the failure > message. Any insight into what might be going wrong? > > Thanks for any hints,What happens when you ''shorewall debug start'' ? -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Johannes Graumann
2010-Feb-01 22:54 UTC
Re: Restart after upgrade from 4.4.5-1 to 4.4.6-1 on debian testing virtual server fails
Tom Eastep <teastep <at> shorewall.net> writes:> > Johannes Graumann wrote: > > Hello, > > > > I upgraded my debian testing shorewall installation from 4.4.5-1 to > > 4.4.6-1 from the repositories tonight. The upgrade involved a restart > > - which failed and keeps failing. I attach the trace as requested on > > shorewall.net and the iptables-restore-input involved in the failure > > message. Any insight into what might be going wrong? > > > > Thanks for any hints, > > What happens when you ''shorewall debug start'' ? > > -TomThe errow below shows up. Joh # shorewall debug start Compiling... Opening /proc/modules: No such file or directory Compiling /etc/shorewall/zones... Compiling /etc/shorewall/interfaces... Determining Hosts in Zones... Preprocessing Action Files... Compiling ... Pre-processing /usr/share/shorewall/action.Drop... Pre-processing /usr/share/shorewall/action.Reject... Compiling /etc/shorewall/policy... Adding Anti-smurf Rules Compiling TCP Flags filtering... Compiling Kernel Route Filtering... Compiling Martian Logging... Compiling MAC Filtration -- Phase 1... Compiling /etc/shorewall/rules... Generating Transitive Closure of Used-action List... Processing /usr/share/shorewall/action.Reject for chain Reject... Compiling ... Processing /usr/share/shorewall/action.Drop for chain Drop... Compiling MAC Filtration -- Phase 2... Applying Policies... Generating Rule Matrix... Creating iptables-restore input... Compiling iptables-restore input for chain mangle:... Shorewall configuration compiled to /var/lib/shorewall/.start Starting Shorewall.... Initializing... Setting up Route Filtering... /var/lib/shorewall/.start: 2199: cannot create /proc/sys/net/ipv4/conf/all/rp_filter: Directory nonexistent /var/lib/shorewall/.start: 2199: cannot create /proc/sys/net/ipv4/conf/default/rp_filter: Directory nonexistent Cannot open "/proc/sys/net/ipv4/route/flush" Setting up Martian Logging... /var/lib/shorewall/.start: 2199: cannot create /proc/sys/net/ipv4/conf/all/log_martians: Directory nonexistent WARNING: Cannot set Martian logging on venet0 Setting up Traffic Control... Preparing iptables-restore input... Running debug_restore_input... iptables: No chain/target/match by that name. ERROR: Command "/sbin/iptables -A FORWARD -j MARK --set-mark 0" Failed Running debug_restore_input... Terminated ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Tom Eastep
2010-Feb-02 00:14 UTC
Re: Restart after upgrade from 4.4.5-1 to 4.4.6-1 on debian testing virtual server fails
On Mon, 2010-02-01 at 22:54 +0000, Johannes Graumann wrote:> Tom Eastep <teastep <at> shorewall.net> writes: > > What happens when you ''shorewall debug start'' ? > > > > -Tom > > The errow below shows up. > ... > Running debug_restore_input... > iptables: No chain/target/match by that name. > ERROR: Command "/sbin/iptables -A FORWARD -j MARK --set-mark 0" Failed > Running debug_restore_input... > TerminatedLooks like your kernel doesn''t have MARK support. Please try the attached patch: patch /usr/share/shorewall/Shorewall/tc.pm < MARK.diff -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Tom Eastep
2010-Feb-02 00:55 UTC
Re: Restart after upgrade from 4.4.5-1 to 4.4.6-1 on debian testing virtual server fails
On Mon, 2010-02-01 at 16:14 -0800, Tom Eastep wrote:> On Mon, 2010-02-01 at 22:54 +0000, Johannes Graumann wrote: > > Tom Eastep <teastep <at> shorewall.net> writes: > > > What happens when you ''shorewall debug start'' ? > > > > > > -Tom > > > > The errow below shows up. > > ... > > Running debug_restore_input... > > iptables: No chain/target/match by that name. > > ERROR: Command "/sbin/iptables -A FORWARD -j MARK --set-mark 0" Failed > > Running debug_restore_input... > > Terminated > > Looks like your kernel doesn''t have MARK support. Please try the > attached patch: > > patch /usr/share/shorewall/Shorewall/tc.pm < MARK.diffOops. That should be: patch /usr/share/shorewall/Shorewall/Tc.pm < MARK.diff -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Johannes Graumann
2010-Feb-02 06:57 UTC
Re: Restart after upgrade from 4.4.5-1 to 4.4.6-1 on debian testing virtual server fails
Tom Eastep <teastep <at> shorewall.net> writes:> > Looks like your kernel doesn''t have MARK support. Please try the > > attached patch: > > > > patch /usr/share/shorewall/Shorewall/tc.pm < MARK.diff > > Oops. That should be: > > patch /usr/share/shorewall/Shorewall/Tc.pm < MARK.diff >Thank you very much - my mailserver is back on track (and reachable), since shorewall starts again. I''ll get at the providers case with respect to MARK support. Joh ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Johannes Graumann
2010-Feb-02 20:47 UTC
Re: Restart after upgrade from 4.4.5-1 to 4.4.6-1 on debian testing virtual server fails
Johannes Graumann <johannes_graumann <at> web.de> writes:> > Tom Eastep <teastep <at> shorewall.net> writes: > > > > Looks like your kernel doesn''t have MARK support. Please try the > > > attached patch: > > > > > > patch /usr/share/shorewall/Shorewall/tc.pm < MARK.diff > > > > Oops. That should be: > > > > patch /usr/share/shorewall/Shorewall/Tc.pm < MARK.diff > > > Thank you very much - my mailserver is back on track (and reachable), > since shorewall starts again. I''ll get at the providers case with > respect to MARK support.What functionality do I loose by the way due to this? Will your patch go into the next release, or is it to much of a hack? ... just checking what to look out for if I can not convince the provider to include MARK support. Thanks for your opus magnum and the unbelievable support you offer with it! Joh ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Tom Eastep
2010-Feb-02 20:52 UTC
Re: Restart after upgrade from 4.4.5-1 to 4.4.6-1 on debian testing virtual server fails
Johannes Graumann wrote:> Johannes Graumann <johannes_graumann <at> web.de> writes: > >> Tom Eastep <teastep <at> shorewall.net> writes: >> >>>> Looks like your kernel doesn''t have MARK support. Please try the >>>> attached patch: >>>> >>>> patch /usr/share/shorewall/Shorewall/tc.pm < MARK.diff >>> Oops. That should be: >>> >>> patch /usr/share/shorewall/Shorewall/Tc.pm < MARK.diff >>> >> Thank you very much - my mailserver is back on track (and reachable), >> since shorewall starts again. I''ll get at the providers case with >> respect to MARK support. > > What functionality do I loose by the way due to this?You have no packet marking capability for traffic control or for policy routing.> > Will your patch go into the next releaseYes.> > Thanks for your opus magnum and the unbelievable support you offer with it!You are most welcome. 0Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com