Hi,

I am currently testing what will happen in error conditions. I noticed
the following output (the error will happen because a used ipset in a
rule doesn't exist):

# shorewall safe-restart
Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
WARNING: Ipset test does not exist /etc/shorewall/rules (line 20)
Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Generating Rule Matrix...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Currently-running Configuration Saved to /var/lib/shorewall/.safe
Restarting...
Restarting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
iptables-restore v1.4.17: Set test doesn't exist.

Error occurred at line: 104
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Restoring Shorewall...
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
IPv4 Forwarding Enabled
Processing /etc/shorewall/restored ...
done.
Shorewall restored from /var/lib/shorewall/.safe
/usr/share/shorewall/lib.common: line 112: 9976 Terminated $SHOREWALL_SHELL $script $options $@

I am wondering about the last line: The script is catching previous
errors and prints nice and readable output. The last line doesn't fit
into the previous picture.

Is everything fine or is there a problem?

Thanks.

--
Regards,
Igor
Tom Eastep
2013-Apr-22 13:35 UTC
Re: 'shorewall safe-restart' ends with an error message?
On 04/22/2013 04:40 AM, Igor Sverkos wrote:
> Hi,
>
> I am currently testing what will happen in error conditions. I noticed
> the following output (the error will happen because a used ipset in a
> rule doesn't exist):
>
> # shorewall safe-restart
> Compiling...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Adding Anti-smurf Rules
> Compiling TCP Flags filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/rules...
> WARNING: Ipset test does not exist /etc/shorewall/rules (line 20)
> Compiling /etc/shorewall/conntrack...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Compiling /usr/share/shorewall/action.Reject for chain Reject...
> Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
> Generating Rule Matrix...
> Creating iptables-restore input...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Currently-running Configuration Saved to /var/lib/shorewall/.safe
> Restarting...
> Restarting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> iptables-restore v1.4.17: Set test doesn't exist.
>
> Error occurred at line: 104
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
> Restoring Shorewall...
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/restored ...
> done.
> Shorewall restored from /var/lib/shorewall/.safe
> /usr/share/shorewall/lib.common: line 112: 9976 Terminated
> $SHOREWALL_SHELL $script $options $@
>
>
> I am wondering about the last line: The script is catching previous
> errors and prints nice and readable output. The last line doesn't fit
> into the previous picture.
>
> Is everything fine or is there a problem?

The 'restart' failed but the firewall was restored to its original
state from before the 'safe-restart' attempt.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
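Added example, not part of the thread and not Shorewall's own code: in the output above the compiler only warned about the missing ipset and the failure surfaced later in iptables-restore, so this pre-flight check lists sets that a rules file references but that do not exist. It assumes sets are referenced as +name, !+name or zone:+name[flags]; the function names and the sample rules are constructed, and on a live host the list of existing sets would come from `ipset list -n`.

```shell
#!/bin/sh
# Added example (not Shorewall code): find ipsets named in a rules file that
# are absent from the kernel, before running "shorewall safe-restart".
# Assumption: sets are referenced as +name, !+name or zone:+name[flags].

# referenced_ipsets RULES_FILE -> unique set names, one per line
referenced_ipsets() {
    sed -e 's/#.*//' "$1" |
        grep -oE '(^|[[:space:]:!,])\+[A-Za-z][A-Za-z0-9_-]*' |
        sed -e 's/^.*+//' |
        sort -u
}

# missing_ipsets RULES_FILE SETS_FILE -> referenced names not in SETS_FILE.
# SETS_FILE lists existing sets one per line (live host: ipset list -n).
missing_ipsets() {
    referenced_ipsets "$1" | while IFS= read -r name; do
        grep -qxF -- "$name" "$2" || printf '%s\n' "$name"
    done
}

# Demo on constructed input; paths are temporary, not /etc/shorewall.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/rules" <<'EOF'
#ACTION  SOURCE         DEST               PROTO  DPORT
ACCEPT   net:+test      $FW                tcp    22
DROP     net:!+blocked  all
ACCEPT   loc            net:+allowed[dst]  tcp    443  # +ignored in comment
EOF
    printf '%s\n' allowed blocked > "$dir/sets"
    missing=$(missing_ipsets "$dir/rules" "$dir/sets")
    rm -rf "$dir"
    if [ -n "$missing" ]; then
        echo "missing ipsets: $missing"
        return 1
    fi
    echo "all referenced ipsets exist"
}

demo || echo "pre-flight failed: do not restart"
```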