Hi all

Shorewall version 4.4.20.1 is behaving very strangely on SLES11 SP1 with
the latest kernel, 2.6.32.36-0.5-pae.
It starts with no errors, but /etc/init.d/shorewall status returns:

Shorewall-4.4.20.1 Status at SERVER - Thu Jun 9 11:08:08 CEST 2011
Shorewall is stopped
State:Started (Thu Jun 9 11:07:47 CEST 2011) from /etc/shorewall/

Note: Shorewall is stopped, State:Started

So I continue with the init script:

/etc/init.d/shorewall stop
Stopping Shorewall....
done.

/etc/init.d/shorewall restart
Compiling...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Starting Shorewall....
done.

/etc/init.d/shorewall restart
Compiling...
ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

/etc/init.d/shorewall stop
Stopping Shorewall....
done.

/etc/init.d/shorewall start
Compiling...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
done.

/etc/init.d/shorewall stop
Stopping Shorewall....
done.

shorewall debug start
... stops after Running debug_restore_input...

Need help; on SLES10, RHEL5 and a few other distributions where I have
installed Shorewall, it has been working perfectly so far. Can't really
explain what's going on here.

Thanks, regards

Ivica Glavocic
Patrick McNeil
2011-Jun-09 14:14 UTC
Re: SLES11 SP1 - strange Shorewall behaviour on start
Good morning,

Just to add a bit of mystery to the discussion, I am running SLES11
SP1 on some IA64 machines (2.6.32.36-0.5-default #1 SMP). Most are
running version 4.4.11.1 with no problem so I just installed 4.4.20.1
on one and I do not see any problem, meaning shorewall starts,
'shorewall status' returns 'running', a dump shows my (minimal) rules,
etc.

I also tried playing with the optimization and could not get shorewall
to fail.

If you need any information to compare, just shout.

Thanks.

Patrick

--
Patrick McNeil
Université de Montréal - DGTIC
Pav. Roger-Gaudry, X-205
Téléphone: (514) 343-6111, poste 5247
Courriel: Patrick.McNeil@umontreal.ca
Télécopie/FAX: (514) 343-2155
mcneilp@paget.dgtic.umontreal.ca
Ivica Glavocic
2011-Jun-09 15:31 UTC
Re: SLES11 SP1 - strange Shorewall behaviour on start
Maybe this is relevant: SLES11 SP1 is installed on HP Proliant DL320 G3
server with "fakeraid" controller, 2 x 80 GB disks in mirror? It is
fully patched online with valid Novell licence.

Thanks, regards

Ivica
On 06/09/2011 08:31 AM, Ivica Glavocic wrote:
> Maybe this is relevant: SLES11 SP1 is installed on HP Proliant DL320 G3
> server with "fakeraid" controller, 2 x 80 GB disks in mirror? It is
> fully patched online with valid Novell licence.

Just to confirm, Shorewall was installed from SuSE RPMs?

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Ivica Glavocic
2011-Jun-09 17:45 UTC
Re: SLES11 SP1 - strange Shorewall behaviour on start
On 9.6.2011 19:36, Tom Eastep wrote:
> On 06/09/2011 08:31 AM, Ivica Glavocic wrote:
>> Maybe this is relevant: SLES11 SP1 is installed on HP Proliant DL320 G3
>> server with "fakeraid" controller, 2 x 80 GB disks in mirror? It is
>> fully patched online with valid Novell licence.
> Just to confirm, Shorewall was installed from SuSE RPMs?
>
> Thanks,
> -Tom

Nope, Shorewall was installed as rpm from shorewall.net

wget http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_4.4/shorewall-4.4.20/shorewall-4.4.20-1.noarch.rpm
rpm -ivh shorewall-4.4.20-1.noarch.rpm

Just installed SLES10 SP4 on same server with RAID turned off in BIOS,
installation on single SATA disc without updates from Novell. Shorewall
installed same way, works OK.

Thanks, regards

Ivica
On 06/09/2011 10:45 AM, Ivica Glavocic wrote:
> On 9.6.2011 19:36, Tom Eastep wrote:
>> On 06/09/2011 08:31 AM, Ivica Glavocic wrote:
>>> Maybe this is relevant: SLES11 SP1 is installed on HP Proliant DL320 G3
>>> server with "fakeraid" controller, 2 x 80 GB disks in mirror? It is
>>> fully patched online with valid Novell licence.
>> Just to confirm, Shorewall was installed from SuSE RPMs?
>>
>> Thanks,
>> -Tom
> Nope, Shorewall was installed as rpm from shorewall.net
> wget
> http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_4.4/shorewall-4.4.20/shorewall-4.4.20-1.noarch.rpm
>
> rpm -ivh shorewall-4.4.20-1.noarch.rpm
>
> Just installed SLES10 SP4 on same server with RAID turned off in BIOS,
> installation on single SATA disc without updates from Novell. Shorewall
> installed same way, works OK.

Thanks for the update.

I looked at the generated ruleset from the tarball you sent and saw no
differences that would cause what you were seeing previously. Hard to
see how the OS would cause that problem either, though.

-Tom
Ivica Glavocic
2011-Jun-09 18:37 UTC
Re: SLES11 SP1 - strange Shorewall behaviour on start
On 9.6.2011 20:25, Tom Eastep wrote:
> On 06/09/2011 10:45 AM, Ivica Glavocic wrote:
>> On 9.6.2011 19:36, Tom Eastep wrote:
>>> On 06/09/2011 08:31 AM, Ivica Glavocic wrote:
>>>> Maybe this is relevant: SLES11 SP1 is installed on HP Proliant DL320 G3
>>>> server with "fakeraid" controller, 2 x 80 GB disks in mirror? It is
>>>> fully patched online with valid Novell licence.
>>> Just to confirm, Shorewall was installed from SuSE RPMs?
>>>
>>> Thanks,
>>> -Tom
>> Nope, Shorewall was installed as rpm from shorewall.net
>> wget
>> http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_4.4/shorewall-4.4.20/shorewall-4.4.20-1.noarch.rpm
>>
>> rpm -ivh shorewall-4.4.20-1.noarch.rpm
>>
>> Just installed SLES10 SP4 on same server with RAID turned off in BIOS,
>> installation on single SATA disc without updates from Novell. Shorewall
>> installed same way, works OK.
> Thanks for the update.
>
> I looked at the generated ruleset from the tarball you sent and saw no
> differences that would cause what you were seeing previously. Hard to
> see how the OS would cause that problem either though
>
> -Tom

I just compared shorewall show -f capabilities on SLES10 and SLES11,
differences are:

SLES10

NEW_CONNTRACK_MATCH=
KLUDGEFREE=
EXMARK=
OLD_HL_MATCH=Yes
CONNLIMIT_MATCH=
TIME_MATCH=
PERSISTENT_SNAT=
FLOW_FILTER=
FWMARK_RT_MASK=
MARK_ANYWHERE=
KERNELVERSION=20616

SLES11

NEW_CONNTRACK_MATCH=Yes
KLUDGEFREE=Yes
EXMARK=Yes
OLD_HL_MATCH=
CONNLIMIT_MATCH=Yes
TIME_MATCH=Yes
PERSISTENT_SNAT=Yes
FLOW_FILTER=Yes
FWMARK_RT_MASK=Yes
MARK_ANYWHERE=Yes
KERNELVERSION=20632

Can you conclude anything from this?

Thanks, regards

Ivica
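
Added example, not part of the original thread: a small shell function that lists which capabilities differ between two saved outputs of `shorewall show -f capabilities`, run here on a subset of the values quoted in the message above. The file names and the unchanged NAT_ENABLED line are constructed for the demonstration.

```shell
# caps_diff OLD NEW: print "KEY OLD NEW" for every capability whose value
# differs between two files saved from `shorewall show -f capabilities`.
# An empty value (KEY=) is shown as "-", a key missing from a file as "absent".
caps_diff() {
    awk -F= '
        { sub(/\r$/, "") }                   # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        FILENAME == ARGV[1] { old[$1] = $2; seen[$1] = 1; next }
        { new[$1] = $2; seen[$1] = 1 }
        END {
            for (k in seen) {
                o = (k in old) ? (old[k] == "" ? "-" : old[k]) : "absent"
                n = (k in new) ? (new[k] == "" ? "-" : new[k]) : "absent"
                if (o != n) print k, o, n
            }
        }' "$1" "$2" | sort
}

# demo: compare a subset of the SLES10 and SLES11 values from the thread.
# NAT_ENABLED is a constructed, identical entry that must not be reported;
# the file names are hypothetical.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/sles10.caps" <<'EOF'
NAT_ENABLED=Yes
NEW_CONNTRACK_MATCH=
EXMARK=
OLD_HL_MATCH=Yes
CONNLIMIT_MATCH=
KERNELVERSION=20616
EOF
    cat > "$d/sles11.caps" <<'EOF'
NAT_ENABLED=Yes
NEW_CONNTRACK_MATCH=Yes
EXMARK=Yes
OLD_HL_MATCH=
CONNLIMIT_MATCH=Yes
KERNELVERSION=20632
EOF
    caps_diff "$d/sles10.caps" "$d/sles11.caps"
    rm -rf "$d"
}
```

Calling `demo` prints one line per differing capability; on real systems, save each host's output to a file and pass the two files to `caps_diff`.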
On 06/09/2011 11:37 AM, Ivica Glavocic wrote:

>>> Nope, Shorewall was installed as rpm from shorewall.net
>>> wget
>>> http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_4.4/shorewall-4.4.20/shorewall-4.4.20-1.noarch.rpm
>>>
>>>
>>> rpm -ivh shorewall-4.4.20-1.noarch.rpm

I would also be interested to know if 4.4.19.4 behaves the same way
under SLES11.

-Tom
Ivica Glavocic
2011-Jun-10 16:56 UTC
Re: SLES11 SP1 - strange Shorewall behaviour on start
On 10.6.2011 15:26, Tom Eastep wrote:
> On 06/09/2011 11:37 AM, Ivica Glavocic wrote:
>
>>>> Nope, Shorewall was installed as rpm from shorewall.net
>>>> wget
>>>> http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_4.4/shorewall-4.4.20/shorewall-4.4.20-1.noarch.rpm
>>>>
>>>>
>>>> rpm -ivh shorewall-4.4.20-1.noarch.rpm
> I would also be interested to know if 4.4.19.4 behaves the same way
> under SLES11.
>
> -Tom

Didn't try 4.4.19.4 but tried older version 4.4.2.2, behaviour was the
same.

I gave up on SLES11 since Shorewall has to go live on HP machine as
soon as possible, so now Shorewall 4.4.20.1 is working without problems
on SLES10 SP4 with latest updates and it will stay that way in the
future.

Looks like in my case it is SLES11 issue after all, can't figure out
why, maybe it's result of hardware/OS combination, unfortunately I have
no time to test it any more.

Thanks, regards

Ivica