Hi, I have a machine with a Debian Stable installation that runs OpenVSwitch to connect a virtual machine on the same box.

The machine is also running shorewall.

The problem that I'm having is that shorewall tries to run before openvswitch; this makes shorewall fail because it can't determine the IP of the virtual interface generated by openvswitch, which starts after shorewall.

I think that if I change the priority of openvswitch at start up and make it start before shorewall that problem should be fixed, but I don't know if that is the correct solution :-)

Please help.

Greetings and thanks for all.

Ernesto

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
On Mon, Apr 15, 2013 at 04:37:02PM -0300, Ernesto Domato wrote:
>
> The problem that I'm having is that shorewall tries to run before
> openvswitch; this makes shorewall fail because it can't
> determine the IP of the virtual interface generated by openvswitch,
> which starts after shorewall.
>

I am not familiar with OpenVSwitch, but I have all sorts of VPN interfaces filtered by Shorewall, and the fact that they are not there at boot time has never been an issue. Can you provide some specific hints about your configuration?

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Ernesto Domato wrote:
> Hi, I have a machine with a Debian Stable installation that runs
> OpenVSwitch to connect a virtual machine on the same box.
>
> The machine is also running shorewall.
>
> The problem that I'm having is that shorewall tries to run before
> openvswitch; this makes shorewall fail because it can't
> determine the IP of the virtual interface generated by openvswitch,
> which starts after shorewall.
>
> I think that if I change the priority of openvswitch at start up
> and make it start before shorewall that problem should be fixed, but I
> don't know if that is the correct solution :-)

Yes, that is the correct solution.

If you look at the top of the scripts in /etc/init.d, you'll see the section:

### BEGIN INIT INFO
# Provides:          shorewall
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Configure the firewall at boot time
# Description:       Configure the firewall according to the rules specified in
#                    /etc/shorewall
### END INIT INFO

Check what service name OpenVSwitch provides, and add that to the Required-Start (and Required-Stop?) section of Shorewall. Then you may need to run update-rc.d, but that's sort of outside my experience level and might not be required if you're using dependency based booting.

Anyway, editing the init script like this tells the system that you need OpenVSwitch started before Shorewall - after that, in legacy mode you need to update the symlinks in /etc/rc<n>.d to set the order, and in dependency mode I suspect it's determined on the fly at boot time.

In legacy mode, just changing the name of the symlink will alter the boot order, but may be stomped on next time anything does an update on them.
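A way to check the dependency Simon describes before rebooting, as an added example that is not from the thread or from the Debian packages: it parses the LSB header block of two init scripts and reports whether the first script's Required-Start covers every facility the second one Provides. The openvswitch-switch header and facility name used in the sample are assumptions.

```shell
# Added example, not code from the thread or the Debian packages: check whether
# one LSB init script's Required-Start covers everything another script Provides,
# which is what dependency-based boot (insserv) uses to order the scripts.

# Print the value of one LSB header field (Provides, Required-Start, ...)
# from the "### BEGIN INIT INFO" block of the init script read on stdin.
lsb_field() {
    sed -n "/^### BEGIN INIT INFO/,/^### END INIT INFO/{
        s/^#[[:space:]]*$1:[[:space:]]*//p
    }"
}

# Return 0 if every facility that script $2 Provides appears in script $1's
# Required-Start (so $2 is guaranteed to be started before $1), else 1.
starts_after() {
    needed=$(lsb_field Required-Start < "$1")
    for facility in $(lsb_field Provides < "$2"); do
        case " $needed " in
            *" $facility "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample headers: the shorewall one follows what Simon quoted; the
# openvswitch one, and the facility name openvswitch-switch, are assumptions.
work=$(mktemp -d)
cat > "$work/openvswitch-switch" <<'EOF'
### BEGIN INIT INFO
# Provides:          openvswitch-switch
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
### END INIT INFO
EOF
cat > "$work/shorewall.orig" <<'EOF'
### BEGIN INIT INFO
# Provides:          shorewall
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
### END INIT INFO
EOF
# The same header with the fix proposed in the thread applied to both fields.
sed -e 's/^# Required-Start: */&openvswitch-switch /' \
    -e 's/^# Required-Stop: */&openvswitch-switch /' \
    "$work/shorewall.orig" > "$work/shorewall.fixed"

starts_after "$work/shorewall.orig"  "$work/openvswitch-switch" || echo "orig: no ordering guarantee for openvswitch-switch"
starts_after "$work/shorewall.fixed" "$work/openvswitch-switch" && echo "fixed: openvswitch-switch is ordered before shorewall"
```

Run against the real /etc/init.d/shorewall and the OpenVSwitch init script instead of the constructed files to verify the edited header on the box.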
On Mon, Apr 15, 2013 at 4:53 PM, Roberto C. Sánchez <roberto@connexer.com> wrote:
> I am not familiar with OpenVSwitch, but I have all sorts of VPN
> interfaces filtered by Shorewall, and the fact that they are not there
> at boot time has never been an issue. Can you provide some specific
> hints about your configuration?
>

Ok, I'm trying to construct a transparent proxy running on a virtual machine inside the shorewall firewall. The virtual machine is connected to the firewall through a virtual interface attached to the virtual switch created by OpenVSwitch.

In the shorewall interfaces file, I configured the one associated to the virtual switch configured on the firewall in this way:

#ZONE   INTERFACE   BROADCAST   OPTIONS
kvm     ovsbr0      detect      routeback,logmartians,nosmurfs,routefilter,tcpflags

and at startup, shorewall fails with:

ERROR: Can't determine the IP address of ovsbr0

which I presume is happening because OVS starts and creates the ovsbr0 interface after shorewall starts.

Thanks.

Ernesto
On Tue, Apr 16, 2013 at 6:06 AM, Simon Hobson <linux@thehobsons.co.uk> wrote:
> Ernesto Domato wrote:
>> I think that if I change the priority of openvswitch at start up
>> and make it start before shorewall that problem should be fixed, but I
>> don't know if that is the correct solution :-)
>
> Yes, that is the correct solution.
>
> If you look at the top of the scripts in /etc/init.d, you'll see the section:
>
> ### BEGIN INIT INFO
> # Provides:          shorewall
> # Required-Start:    $network $remote_fs
> # Required-Stop:     $network $remote_fs
> # Default-Start:     S
> # Default-Stop:      0 6
> # Short-Description: Configure the firewall at boot time
> # Description:       Configure the firewall according to the rules specified in
> #                    /etc/shorewall
> ### END INIT INFO
>
> Check what service name OpenVSwitch provides, and add that to the Required-Start (and Required-Stop?) section of Shorewall. Then you may need to run update-rc.d, but that's sort of outside my experience level and might not be required if you're using dependency based booting.
>
> Anyway, editing the init script like this tells the system that you need OpenVSwitch started before Shorewall - after that, in legacy mode you need to update the symlinks in /etc/rc<n>.d to set the order, and in dependency mode I suspect it's determined on the fly at boot time.
>
> In legacy mode, just changing the name of the symlink will alter the boot order, but may be stomped on next time anything does an update on them.
>

Ok, I'll do this and will discuss with the Debian developers responsible for the packaging of shorewall and openvswitch to agree on the change in priority between both packages so this could be fixed.

Thanks.

Ernesto
On Tue, Apr 16, 2013 at 12:06 PM, Ernesto Domato <edomat@gmail.com> wrote:
> Ok, I'll do this and will discuss with the Debian developers
> responsible for the packaging of shorewall and openvswitch to agree on
> the change in priority between both packages so this could be fixed.
>

Meanwhile, another question :-)

I don't know if I'm right or wrong, but could shorewall-init help me solve this problem too? Does shorewall-init work for dynamic interface creation?

Thanks.

Ernesto
On Tue, Apr 16, 2013 at 12:06:47PM -0300, Ernesto Domato wrote:
>
> Ok, I'll do this and will discuss with the Debian developers
> responsible for the packaging of shorewall and openvswitch to agree on
> the change in priority between both packages so this could be fixed.
>

Ernesto,

I maintain the Debian Shorewall packages. I am happy to make the change, but it will have to wait until after the Wheezy release. The best thing would be if you could file a bug against the shorewall-init package so that I don't forget about it.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com