Peter Mumenthaler
2011-Dec-02 09:01 UTC
[shorewall-users] params file in /etc/shorewall/puppet not read
Hello,

We have a problem since upgrading shorewall from shorewall-4.0.15-1 to shorewall-4.4.23.3-1 running on CentOS 6.1.

The problem is that our own defined params file in /etc/shorewall/puppet/params seems not to be read. Thus shorewall complains about shell variables not being defined. This is strange because all other files in /etc/shorewall/puppet (blacklist hosts interfaces masq nat policy providers proxyarp rfc1918 routestopped rules zones) seem to be read, though.

We defined in /etc/shorewall/shorewall.conf and /usr/share/shorewall/configfile/shorewall.conf the CONFIG_PATH variable as follows:

    CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall

If I start shorewall with "shorewall debug start" I get:

    Compiling...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    WARNING: RFC1918_LOG_LEVEL=6 ignored. The 'norfc1918' interface/host option is no longer supported
    Compiling /etc/shorewall/puppet/zones...
    Compiling /etc/shorewall/puppet/interfaces...
    WARNING: Support for the norfc1918 interface option has been removed from Shorewall : /etc/shorewall/puppet/interfaces (line 11)
    Determining Hosts in Zones...
    Locating Action Files...
    Compiling /usr/share/shorewall/action.Drop for chain Drop...
    Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
    Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
    Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
    Compiling /usr/share/shorewall/action.Reject for chain Reject...
    Compiling /etc/shorewall/puppet/policy...
    ERROR: Undefined shell variable ($LOG) : /etc/shorewall/puppet/policy (line 17)

There I see that only /etc/shorewall/params is read. If I make a soft link "params" pointing to /etc/shorewall/puppet/params, shorewall starts fine.

Strange as well is that if I do:

    strace -o /tmp/shorewall.out shorewall start

I see the following entries in /tmp/shorewall.out:

    read(3, "/etc/shorewall/puppet/params\n", 128) = 29
    --- SIGCHLD (Child exited) @ 0 (0) ---
    wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG, NULL) = 5425
    wait4(-1, 0x7fff5d5e739c, WNOHANG, NULL) = -1 ECHILD (No child processes)
    rt_sigreturn(0xffffffffffffffff) = 29
    read(3, "", 128) = 0
    close(3) = 0
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    rt_sigaction(SIGINT, {0x43d210, [], SA_RESTORER, 0x39fe832a20}, {SIG_DFL, [], SA_RESTORER, 0x39fe832a20}, 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    rt_sigaction(SIGINT, {SIG_DFL, [], SA_RESTORER, 0x39fe832a20}, {0x43d210, [], SA_RESTORER, 0x39fe832a20}, 8) = 0
    rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
    stat("/etc/shorewall/puppet/params", {st_mode=S_IFREG|0600, st_size=1828, ...}) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    open("/etc/shorewall/puppet/params", O_RDONLY) = 3
    fstat(3, {st_mode=S_IFREG|0600, st_size=1828, ...}) = 0
    read(3, "#\n# Shorewall version 3.4 - Para"..., 1828) = 1828
    close(3) = 0

showing /etc/shorewall/puppet/params is read???

Can anybody help me with that, because I don't like the soft link solution....

The command "shorewall show config" gives me the following output:

    Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall
    Default VARDIR is /var/lib/shorewall
    LIBEXEC is /usr/libexec

Attached you find the output of:

    /sbin/shorewall trace start 2> /tmp/trace

Thanks for any help in advance.

cheers
peter

--
Peter Mumenthaler
Linux Systems Engineer
Puzzle ITC GmbH
www.puzzle.ch
Phone +41 31 370 22 00
Direct +41 31 370 22 34
Mobile +41 78 892 84 86
Fax +41 31 370 22 01
Take a look at our blog: <http://www.puzzle.ch/blog>
Tom Eastep
2011-Dec-02 14:31 UTC
Re: [shorewall-users] params file in /etc/shorewall/puppet not read
On Fri, 2011-12-02 at 10:01 +0100, Peter Mumenthaler wrote:
> Hello,
>
> We have a problem since upgrading shorewall from shorewall-4.0.15-1 to
> shorewall-4.4.23.3-1 running on CentOS 6.1.
>
> The problem is that our own defined params file in
> /etc/shorewall/puppet/params seems not to be read. Thus shorewall
> complains about shell variables not being defined. This is strange
> because all other files in /etc/shorewall/puppet (blacklist hosts
> interfaces masq nat policy providers proxyarp rfc1918
> routestopped rules zones) seem to be read, though.
>
> We defined in /etc/shorewall/shorewall.conf and
> /usr/share/shorewall/configfile/shorewall.conf the CONFIG_PATH variable
> as follows:
>
> CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall

As a workaround, you can move that line toward the top of the file, before any reference to a variable in params. I'll work on a fix.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2011-Dec-03 13:30 UTC
Re: [shorewall-users] params file in /etc/shorewall/puppet not read
On Dec 2, 2011, at 6:31 AM, Tom Eastep wrote:
> On Fri, 2011-12-02 at 10:01 +0100, Peter Mumenthaler wrote:
>> Hello,
>>
>> We have a problem since upgrading shorewall from shorewall-4.0.15-1 to
>> shorewall-4.4.23.3-1 running on CentOS 6.1.
>>
>> The problem is that our own defined params file in
>> /etc/shorewall/puppet/params seems not to be read. Thus shorewall
>> complains about shell variables not being defined. This is strange
>> because all other files in /etc/shorewall/puppet (blacklist hosts
>> interfaces masq nat policy providers proxyarp rfc1918
>> routestopped rules zones) seem to be read, though.
>>
>> We defined in /etc/shorewall/shorewall.conf and
>> /usr/share/shorewall/configfile/shorewall.conf the CONFIG_PATH variable
>> as follows:
>>
>> CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall
>
> As a workaround, you can move that line toward the top of the file,
> before any reference to a variable in params. I'll work on a fix.

As I devised a fix for this problem, I realized that the above advice doesn't solve the problem. At any rate, the defect is corrected in Shorewall 4.4.26 which was released yesterday.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
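
A check for the symptom discussed in this thread, as an added example that is not part of the original messages and is not Shorewall's own code: it resolves each file named in the compiler output against a colon-separated CONFIG_PATH and reports files that were loaded from a directory other than the first one containing them. The helper names resolve_in_path and check_log, the temporary directory tree and the sample log lines are constructed for illustration; first-match-wins lookup is assumed.

```shell
#!/bin/sh
# Added example; resolve_in_path and check_log are hypothetical helper names.

# Print the first regular file named $1 found along the colon-separated path $2.
resolve_in_path() {
    name=$1; old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -f "$dir/$name" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir/$name"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# Read compiler output on stdin. For each "Processing <file>" or
# "Compiling <file>" line, report a file that was not taken from the first
# directory of the CONFIG_PATH given in $1 that contains it.
check_log() {
    while read -r verb file rest; do
        case $verb in Processing|Compiling) ;; *) continue ;; esac
        case $file in /*) ;; *) continue ;; esac
        file=${file%...}                 # "zones..." -> "zones"
        base=${file##*/}
        expected=$(resolve_in_path "$base" "$1") || continue
        if [ "$expected" != "$file" ]; then
            printf 'MISMATCH %s: loaded %s, expected %s\n' "$base" "$file" "$expected"
        fi
    done
    return 0
}

# Constructed demo tree mirroring the layout in the report above.
root=$(mktemp -d)
mkdir -p "$root/etc/shorewall/puppet"
: > "$root/etc/shorewall/params"
: > "$root/etc/shorewall/puppet/params"
: > "$root/etc/shorewall/puppet/zones"
cfg_path="$root/etc/shorewall/puppet:$root/etc/shorewall"
report=$(check_log "$cfg_path" <<EOF
Compiling...
Processing $root/etc/shorewall/params ...
Compiling $root/etc/shorewall/puppet/zones...
EOF
)
printf '%s\n' "$report"
rm -rf "$root"
```

On a real system the input would be the saved output of "shorewall debug start" and the first argument the CONFIG_PATH value from shorewall.conf.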