My shorewall init script has a conditional block on $COMMAND = start and it wipes out all my existing ipsets (flushes them first) with 'ipset -F' and 'ipset -X' and then reloads them from a predefined script.

That's all well and good, but when I do 'service shorewall reload' it does not pass 'reload' to the init script, but executes it twice, passing 'stop' and then 'start', which completely screws up my system as I use the 'reload' to test dynamically loaded sets without having to reboot the whole system.

Could that be fixed so that my init script knows it is a reload (or restart) and not just stop/start?

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
On 9/29/10 4:07 PM, Mr Dash Four wrote:
> My shorewall init script has a conditional block on $COMMAND = start and
> it wipes out all my existing ipsets (flushes them first) with 'ipset -F'
> and 'ipset -X' and then reloads them from a predefined script.
>
> That's all well and good, but when I do 'service shorewall reload' it
> does not pass 'reload' to the init script, but executes it twice,
> passing 'stop' and then 'start' which completely screws up my system as
> I use the 'reload' to test dynamically loaded sets without having to
> reboot the whole system.
>
> Could that be fixed so that my init script knows it is a reload (or
> restart) and not just stop/start?

What do you mean by 'init script'? Do you mean /etc/init.d/shorewall or do you mean /etc/shorewall/init?

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
> What do you mean by 'init script'? Do you mean /etc/init.d/shorewall or
> do you mean /etc/shorewall/init?
>
/etc/shorewall/init (it relies on "$COMMAND" = start to do its job)
On 9/29/10 4:29 PM, Mr Dash Four wrote:
>
>> What do you mean by 'init script'? Do you mean /etc/init.d/shorewall or
>> do you mean /etc/shorewall/init?
>>
> /etc/shorewall/init (it relies on "$COMMAND" = start to do its job)

Then it sounds like /etc/init.d/shorewall is generating '/sbin/shorewall stop; /sbin/shorewall start' for the 'reload' command. So /etc/shorewall/init will be invoked twice; once with $COMMAND=stop and once with $COMMAND=start. That's the way it works and there is nothing to 'fix'.

Note that to execute the sequence of ipset commands that you want to execute, Shorewall must be in the stopped state. So the above sequence is appropriate if you want to reload your ipsets.

-Tom
> Then it sounds like /etc/init.d/shorewall is generating '/sbin/shorewall
> stop; /sbin/shorewall start' for the 'reload' command. So
> /etc/shorewall/init will be invoked twice; once with $COMMAND=stop and
> once with $COMMAND=start. That's the way it works and there is nothing
> to 'fix'.
>
/etc/init.d/shorewall:

    restart() {
        # Note that we don't simply stop and start since shorewall has a built in
        # restart which stops the firewall if running and then starts it.
        echo -n $"Restarting Shorewall: "
        $shorewall $OPTIONS restart $config_file_dir 2>&1 | $logger
        retval=${PIPESTATUS[0]}
        if [[ $retval == 0 ]]; then
            touch $lockfile
            success
        else # Failed to start, clean up lock file if present
            rm -f $lockfile
            failure
        fi
        echo
        return $retval
    }

    ...

        restart|reload|force-reload)
            restart
            ;;

> Note that to execute the sequence of ipset commands that you want to
> execute, Shorewall must be in the stopped state. So the above sequence
> is appropriate if you want to reload your ipsets.
>
Nope, you've lost me. I do NOT want the sequence in the init file to be executed when I am issuing 'reload' or 'restart' (in other words, 'stop' and then 'start' to be passed to my init file) as the ipsets are already loaded (and I have created new ones from the command line).
On 9/29/10 4:52 PM, Mr Dash Four wrote:
>
>> Then it sounds like /etc/init.d/shorewall is generating '/sbin/shorewall
>> stop; /sbin/shorewall start' for the 'reload' command. So
>> /etc/shorewall/init will be invoked twice; once with $COMMAND=stop and
>> once with $COMMAND=start. That's the way it works and there is nothing
>> to 'fix'.
>>
> /etc/init.d/shorewall:
>
>     restart() {
>         # Note that we don't simply stop and start since shorewall has a built in
>         # restart which stops the firewall if running and then starts it.
>         echo -n $"Restarting Shorewall: "
>         $shorewall $OPTIONS restart $config_file_dir 2>&1 | $logger
>         retval=${PIPESTATUS[0]}
>         if [[ $retval == 0 ]]; then
>             touch $lockfile
>             success
>         else # Failed to start, clean up lock file if present
>             rm -f $lockfile
>             failure
>         fi
>         echo
>         return $retval
>     }
>
>     ...
>
>         restart|reload|force-reload)
>             restart
>             ;;
>
>> Note that to execute the sequence of ipset commands that you want to
>> execute, Shorewall must be in the stopped state. So the above sequence
>> is appropriate if you want to reload your ipsets.
>>
> Nope, you've lost me. I do NOT want the sequence in the init file to be
> executed when I am issuing 'reload' or 'restart' (in other words, 'stop'
> and then 'start' to be passed to my init file) as the ipsets are already
> loaded (and I have created new ones from the command line).

I have no idea what's going on on your system.

gateway:~# cat /etc/shorewall/init
#
# Shorewall version 4 - Init File
#
# /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
echo "Here is init with \$COMMAND=$COMMAND"

gateway:~# shorewall -qq restart
Here is init with $COMMAND=restart
gateway:~#

-Tom
On 9/29/10 5:09 PM, Tom Eastep wrote:
> I have no idea what's going on on your system.
>
> gateway:~# cat /etc/shorewall/init
> #
> # Shorewall version 4 - Init File
> #
> # /etc/shorewall/init
> #
> # Add commands below that you want to be executed at the beginning of
> # a "shorewall start" or "shorewall restart" command.
> #
> # For additional information, see
> # http://shorewall.net/shorewall_extension_scripts.htm
> #
> ###############################################################################
> echo "Here is init with \$COMMAND=$COMMAND"
>
> gateway:~# shorewall -qq restart
> Here is init with $COMMAND=restart
> gateway:~#

Oh -- and:

gateway:~# which shorewall
/sbin/shorewall
gateway:~#

-Tom
> I have no idea what's going on on your system.
>
This is all very strange. After being able to reload shorewall a couple of times (with NO errors, i.e. shorewall executing as it should), I changed my rules file a couple of times, then loaded a few ipsets I needed to test (see below) and amended the rules file again accordingly, tried to reload again and this happened (from my syslog):

    Shorewall configuration compiled to /var/lib/shorewall/.restart
    Restarting Shorewall...
    iptables-restore v1.4.7: Set tripple-set doesn't exist.   [tripple-set is my newly loaded set] <- ** see below
    Error occured at line: 118
    Try 'iptables-restore -h' bla bla bla
    ERROR: iptables-restore failed. Input is in /var/lib/shorewall/iptables-restore-input
    ERROR: Shorewall restart failed
    Shorewall stopped.

At the same time I am getting my SELinux moaning (AVC) that it has prevented the shell (/bin/sh) from issuing a process signal (presumably TERM).

**This error happens because 'stop/start' has been passed to my /etc/shorewall/init file and ALL ipsets have been wiped out, including those I've just loaded, and now iptables cannot find tripple-set, which forms part of my rules.

My ipsets were loaded from the command line with:

    ipset -N tripple-set ipportnethash --network 10.1.2.0/24
    ipset -A tripple-set 10.1.2.7,22,10.1.1.1/24

then I amended the rules file to include this set as part of a (meaningless) rule:

    ACCEPT:info $FW:+tripple-set[src,dst,dst]

And issued a reload. Again, it is worth noting that the error does NOT happen every time (I will spend some time tomorrow to see what triggers it), but it definitely happens!
On 9/29/10 5:52 PM, Mr Dash Four wrote:
>
>> I have no idea what's going on on your system.
>>
> This is all very strange. After being able to reload shorewall a couple
> of times (with NO errors, i.e. shorewall executing as it should), I
> changed my rules file a couple of times, then loaded a few ipsets I
> needed to test (see below) and amended the rules file again accordingly,
> tried to reload again and this happened (from my syslog):
>
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Restarting Shorewall...
> iptables-restore v1.4.7: Set tripple-set doesn't exist. [tripple-set is
> my newly loaded set] <- ** see below
> Error occured at line: 118
> Try 'iptables-restore -h' bla bla bla
> ERROR: iptables-restore failed. Input is in
> /var/lib/shorewall/iptables-restore-input
> ERROR: Shorewall restart failed
> Shorewall stopped.   <======

At this point, Shorewall was stopped! That causes init to be invoked with $COMMAND=stop

If you don't like that, do '/sbin/shorewall save' with a good configuration. That will re-install that configuration rather than put the firewall in a safe configuration.

> At the same time I am getting my SELinux moaning (AVC) that it has
> prevented the shell (/bin/sh) from issuing a process signal (presumably
> TERM).

Errors can be detected in a sub-shell so the Shorewall shell code tries to kill itself by 'kill $$'. Security zealots (including those in my division at HP) believe that sending a signal (even to yourself) is an evil thing that requires extensive vetting.

> **This error happens because 'stop/start' has been passed to my
> /etc/shorewall/init file and ALL ipsets have been wiped out, including
> those I've just loaded and now iptables cannot find tripple-set, which
> forms part of my rules

Again 'stop was passed'.

> my ipsets were loaded from the command line with:
>
> ipset -N tripple-set ipportnethash --network 10.1.2.0/24
> ipset -A tripple-set 10.1.2.7,22,10.1.1.1/24

Do you check the exit status of all commands? Are you *sure* what was executed?

-Tom
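Tom's echo test shows what /etc/shorewall/init actually receives ($COMMAND=restart on a restart, stop when Shorewall stops, start only on a cold start), and his last question is whether every ipset command's exit status is checked. The script below is an added example that does both; it is not the poster's script and not part of the Shorewall project. The set name and addresses are the ones from the thread; the IPSET variable, the rebuild-on-start-only policy, and the decision to abort the firewall script when a set cannot be built are assumptions made here so that the functions can be exercised with a stand-in instead of the real ipset binary.

```shell
#!/bin/sh
# Constructed example of /etc/shorewall/init. Shorewall sources this file at
# the beginning of a start/restart with $COMMAND set to the command being
# run. Not from the Shorewall project; IPSET is an assumption so the
# functions can be driven by a stand-in (e.g. IPSET=echo) for a dry run.

IPSET=${IPSET:-ipset}

# Policy (assumption): only a genuine cold "start" throws away and rebuilds
# the kernel sets. Anything else (restart, reload, stop, ...) leaves
# whatever was loaded from the command line untouched.
# Returns 0 when the sets should be rebuilt, 1 otherwise.
should_rebuild_ipsets() {
    case "$1" in
        start) return 0 ;;
        *)     return 1 ;;
    esac
}

# Run one ipset command and report its exit status on failure, so a typo or
# an unsupported set type is noticed here rather than when iptables-restore
# later complains that the set does not exist.
run_ipset() {
    "$IPSET" "$@" && return 0
    echo "init: ipset $* failed (exit $?)" >&2
    return 1
}

# Flush, destroy and recreate the sets, stopping at the first failure so
# that the ruleset never refers to a half-built set.
# Returns 0 if every ipset command succeeded, 1 otherwise.
rebuild_ipsets() {
    run_ipset -F || return 1
    run_ipset -X || return 1
    # Sets taken from the thread; the poster's real list is in a separate
    # script and would be sourced or inlined here.
    run_ipset -N tripple-set ipportnethash --network 10.1.2.0/24 || return 1
    run_ipset -A tripple-set 10.1.2.7,22,10.1.1.1/24 || return 1
    return 0
}

# Entry point as Shorewall would hit it. Does nothing when $COMMAND is
# unset (e.g. when the file is sourced by a test harness).
if [ -n "${COMMAND:-}" ]; then
    if should_rebuild_ipsets "$COMMAND"; then
        # Assumption: aborting here is preferable to letting the restart
        # continue and fail later on a missing set.
        rebuild_ipsets || exit 1
    else
        echo "init: COMMAND=$COMMAND, leaving existing ipsets alone" >&2
    fi
fi
```

A dry run without touching the kernel is `COMMAND=start IPSET=echo sh /etc/shorewall/init`, which prints the ipset commands that would run; `COMMAND=restart` should print only the "leaving existing ipsets alone" line. The thread does not settle what $COMMAND a 'restart' issued while Shorewall is already stopped arrives as, so check that case with Tom's one-line echo before relying on the policy.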
>> Shorewall stopped.   <======
>>
>
> At this point, Shorewall was stopped! That causes init to be invoked
> with $COMMAND=stop
>
Ah, I see! So, if there is any error in my config files (rules, secmarks etc) running Shorewall gives up and stops, and when I then execute 'service shorewall reload' Shorewall starts (without a warning that I am not actually 'reloading' but 'starting') and it then goes to execute my /etc/shorewall/init with 'start', right? I wasn't aware of that behaviour.

> If you don't like that, do '/sbin/shorewall save' with a good
> configuration. That will re-install that configuration rather than put
> the firewall in a safe configuration.
>
Is there a more straightforward solution, for example, if I am trying to reload/restart a running Shorewall and it sees that there is something wrong with its configuration, not to just panic and stop, but to keep itself running, or is that what 'shorewall save' does?

Is there a safe-restart (for Shorewall to save itself when starting and then if I try to reload/restart it with errors in its configuration files shorewall to just reload itself with its previous - saved - configuration)? If so, should I assume that Shorewall won't execute my /etc/shorewall/init with 'start' (and therefore wipe out my entire ipset configuration)?

> Security zealots (including those in my
> division at HP) believe that sending a signal (even to yourself) is an
> evil thing that requires extensive vetting.
>
I don't know about sending a signal to yourself, but sending the wrong signals to your young/pretty/attractive (delete or add as appropriate) colleagues is known to often cause problems and land you in hot water.

>> my ipsets were loaded from the command line with:
>>
>> ipset -N tripple-set ipportnethash --network 10.1.2.0/24
>> ipset -A tripple-set 10.1.2.7,22,10.1.1.1/24
>>
>
> Do you check the exit status of all commands? Are you *sure* what was
> executed?
>
I did - I am absolutely certain it was executed as I issued ipset -L tripple-set afterwards and it was there.

As it stands right now, even with the new version of xtables (1.29) I am unable to get *any* match on a triplet (ip-port-ip or ip-port-net) no matter what gimmicks I try... My only salvation (for the time being at least) is your new feature with combined ipset matches which, when I tried the last time, worked to absolute perfection.
On 9/30/10 10:44 AM, Mr Dash Four wrote:
>
>>> Shorewall stopped.   <======
>>>
>>
>> At this point, Shorewall was stopped! That causes init to be invoked
>> with $COMMAND=stop
>>
> Ah, I see! So, if there is any error in my config files (rules, secmarks
> etc) running Shorewall gives up and stops and when I then execute
> 'service shorewall reload' Shorewall starts (without a warning that I am
> not actually 'reloading' but 'starting') and it then goes to execute my
> /etc/shorewall/init with 'start', right? I wasn't aware of that behaviour.
>
>> If you don't like that, do '/sbin/shorewall save' with a good
>> configuration. That will re-install that configuration rather than put
>> the firewall in a safe configuration.
>>
> Is there a more straight-forward solution, for example, if I am trying
> to reload/restart a running Shorewall and it sees that there is
> something wrong with its configuration not to just panic and stop, but
> to keep itself running or is that what 'shorewall save' does?

Shorewall only "panics and stops" if one of the critical commands (like iptables-restore) fails. If there is a current 'saved' configuration, Shorewall attempts to restore that configuration. Otherwise, it performs the equivalent of 'shorewall stop'.

> Is there a safe-restart (for Shorewall to save itself when starting and
> then if I try to reload/restart it with errors in its configuration
> files shorewall to just reload itself with its previous - saved -
> configuration)? If so, should I assume that Shorewall won't execute my
> /etc/shorewall/init with 'start' (and therefore wipe out my entire ipset
> configuration)?

man shorewall and look for 'safe-restart'.

>> Security zealots (including those in my
>> division at HP) believe that sending a signal (even to yourself) is an
>> evil thing that requires extensive vetting.
>>
> I don't know about sending a signal to yourself, but sending the wrong
> signals to your young/pretty/attractive (delete or add as appropriate)
> colleagues is known to often cause problems and land you in hot water.

:-)

-Tom
> man shorewall and look for 'safe-restart'.
>
shorewall safe-restart it is then, except, is there a way I could get away with the prompt and let shorewall decide if there were no errors to assume the new configuration, but if there were to automatically restore the old one (i.e. bypass the prompt and act intelligently)?

If there were errors there is no way I could see them when I am prompted (as they are shown in the syslog).
On 9/30/10 11:50 AM, Mr Dash Four wrote:
>
>> man shorewall and look for 'safe-restart'.
>>
> shorewall safe-restart it is then, except, is there a way I could get
> away with the prompt and let shorewall decide if there were no
> errors to assume the new configuration, but if there were to
> automatically restore the old one (i.e. bypass the prompt and act
> intelligently)?

shorewall save
shorewall restart

> If there were errors there is no way I could see them when I am
> prompted (as they are shown in the syslog).

Please try it before complaining about how you wrongly think it works.

-Tom
> shorewall save
> shorewall restart
>
That, to me, seems the best alternative and I amended my init.d script to replace the existing reload with the above two statements. It works and I like it.
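The poster does not show the amended init.d branch, so here is one way to write it, as an added example rather than the distribution's script or anything from the Shorewall project. It follows Tom's 'shorewall save' then 'shorewall restart' sequence: the running (known-good) configuration is saved first, so that if the restart fails Shorewall attempts to restore the saved configuration instead of stopping, as Tom describes earlier in the thread. The SHOREWALL, OPTIONS and lockfile variables are assumptions, kept overridable so the function can be exercised with a stand-in command; the original's pipe through $logger with ${PIPESTATUS[0]} and the RHEL success/failure helpers are left out to keep it POSIX sh.

```shell
#!/bin/sh
# Constructed replacement for the restart|reload|force-reload branch of
# /etc/init.d/shorewall. Not the distribution's script. SHOREWALL, OPTIONS
# and lockfile are assumptions; override them to run this against a stand-in.

SHOREWALL=${SHOREWALL:-/sbin/shorewall}
OPTIONS=${OPTIONS:-}
lockfile=${lockfile:-/var/lock/subsys/shorewall}

# Save the currently running configuration, then restart. The save gives
# Shorewall a fallback: if iptables-restore fails during the restart it
# reinstalls the saved ruleset rather than leaving the firewall stopped.
# Returns 0 on a successful restart, the restart's exit status otherwise,
# and 1 (without restarting) if the save itself fails.
reload() {
    printf '%s' "Saving running Shorewall configuration: "
    if ! $SHOREWALL $OPTIONS save; then
        echo "failed; refusing to restart without a fallback"
        return 1
    fi
    echo "done"

    printf '%s' "Restarting Shorewall: "
    $SHOREWALL $OPTIONS restart
    retval=$?
    if [ "$retval" -eq 0 ]; then
        touch "$lockfile"
        echo "done"
    else
        # Failed restart: drop the lock file as the original script did;
        # Shorewall itself will have attempted to restore the saved config.
        rm -f "$lockfile"
        echo "failed (exit $retval); Shorewall falls back to the saved configuration"
    fi
    return $retval
}

# Dispatch as it would appear in the init script's case statement.
case "${1:-}" in
    restart|reload|force-reload)
        reload
        ;;
esac
```

Note that this saves whatever is running at the time of the reload; if that configuration is itself broken you want 'shorewall save' run explicitly with a good one, which is the advice Tom gave above.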