Hi Tom, I've tried the 'shorewall enable tun10' command and it populates the route for tun10 into the 'main' routing table, but not into the individual providers routing tables 'P_VSAT' and 'P_FB', so shorewall still returns the sfilter messages for return traffic on eth0 when I try to pass traffic from a client on tun10.
Nigel

-----Original Message-----
From: Tom Eastep [mailto:teas...@shorewall.net]
Sent: 29 February 2016 15:59
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall SFILTER issue with CoovaChilli configuration

On 02/29/2016 04:11 AM, Nigel Quinn wrote:
> Hi Tom,
>
> Just an update on the issue I've been experiencing. I tried with
> conntrack and with the -p in the STARTOPTIONS, but I think the issue
> isn't related to this as the dump was suggesting. I've attached two
> dumps, sorry if that's too much info. The first dump was taken when
> chilli and shorewall were working well together (no sfilter messages),
> and the second dump was taken when chilli and shorewall weren't
> working well together (sfilter messages for both tcp/80 and udp/53).

There were no attachments.

> The sequence I've identified is this, and it's only when I have Providers
> configured in Shorewall:
> 1) Chilli and Shorewall working well together
> 2) Client connects to Chilli on tun10 and gets IP address of
>    192.168.200.10, and is able to browse the internet
> 3) I reboot the appliance
> 4) Shorewall service starts (two Providers (VSAT and FB) configured,
>    tun10 defined in interfaces/zones)
> 5) Chilli service starts
> 6) Client connects to Chilli on tun10 and gets IP address of
>    192.168.200.10, and is not able to DNS resolve or browse the internet.
> 7) Shorewall starts reporting sfilter messages for udp/53 and http/80
>
> I can get this to work by either:
> a) # shorewall restart
> b) # shorewall safe-restart (and click either Y or N, as both work)
> c) Change the service start order in CentOS, so Chilli starts before
>    Shorewall
>
> So, the issue is caused when Chilli is started after Shorewall. The
> tun10 interface does not exist before Chilli starts, so from the
> dumps, it looks like Shorewall doesn't populate the tun10 subnet into
> the Providers routing tables.
>
> So, where to from here? I could force shorewall to restart every time
> Chilli starts, but that's not desirable.

You don't have to restart Shorewall -- you just need to:

    shorewall enable tun10

> Or I could leave the service
> start order as Chilli, then Shorewall. But if Chilli crashes, then I
> would need to restart the process and then restart Shorewall.
>
> I'm curious to know what part of the # shorewall safe-restart gets
> this to work, even if I select 'N' to not accept the new
> configuration, it still fixes the issue.
>

Routing cannot be configured for an interface that isn't up (or in your case doesn't even exist). By restarting or restoring Shorewall with the interface up, the policy routing for the interface is then configured correctly. As mentioned above, you can just use the 'enable' command to accomplish the same thing (assuming that you are running a version of Shorewall that supports the 'enable' command -- 4.4.26 or later).

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Attachment: shorewall-2providers-notworking.log
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
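The thread's root cause is that Shorewall fills its provider routing tables (here P_VSAT and P_FB) when it starts, so an interface that does not exist yet, such as a tunnel that CoovaChilli creates later, gets no entries there, and return traffic for its subnet then trips the sfilter check on eth0. Tom's fix is `shorewall enable tun10` once the interface exists; Nigel's follow-up is that, in his setup, this populated `main` but not the provider tables. The script below is an added example, not code from the thread, from Shorewall or from CoovaChilli: it checks each provider table for the interface's route, runs the `enable` command if anything is missing, and re-checks instead of assuming the command worked. The table names come from the thread; the subnet 192.168.200.0/24 (the thread only shows a client at 192.168.200.10), the idea of running it from CoovaChilli's ipup hook, and the hint to look at the COPY column of the providers file are assumptions. The sample route output is constructed, not captured from the poster's system.

```sh
#!/bin/sh
# Added example (not from the thread, Shorewall or CoovaChilli): once a
# late-starting interface exists, verify that its subnet is routable in every
# Shorewall provider table, and try 'shorewall enable' if it is not.
# Assumptions: tun10 carries 192.168.200.0/24, provider tables are P_VSAT/P_FB.
IFACE="${IFACE:-tun10}"
SUBNET="${SUBNET:-192.168.200.0/24}"
TABLES="${TABLES:-P_VSAT P_FB}"
DRY_RUN="${DRY_RUN:-1}"           # 1 = report only; 0 = really run shorewall
ROUTE_SOURCE="${ROUTE_SOURCE:-}"  # name of a function that supplies route output (offline use)

# route_dump TABLE: print the routes of TABLE, from 'ip' or from ROUTE_SOURCE.
route_dump() {
    if [ -n "$ROUTE_SOURCE" ]; then
        "$ROUTE_SOURCE" "$1"
    else
        ip route show table "$1"
    fi
}

# has_route TABLE: succeed if a route for SUBNET via IFACE exists in TABLE.
# Whole-field comparison, so 192.168.200.0/24 cannot match 192.168.200.0/25.
has_route() {
    route_dump "$1" | awk -v s="$SUBNET" -v i="$IFACE" \
        '$1 == s && $2 == "dev" && $3 == i { found = 1 } END { exit !found }'
}

# missing_tables: print, one per line, the provider tables lacking the route.
missing_tables() {
    for t in $TABLES; do
        has_route "$t" || printf '%s\n' "$t"
    done
}

# ensure_routes: the hook body, meant to run once IFACE is up (for example
# from CoovaChilli's ipup hook; that placement is an assumption). It runs the
# 'enable' command, then re-checks, because the thread reports a setup where
# 'enable' filled main but not the provider tables.
ensure_routes() {
    missing=$(missing_tables)
    if [ -z "$missing" ]; then
        echo "$SUBNET via $IFACE present in all of: $TABLES"
        return 0
    fi
    echo "$SUBNET via $IFACE missing from:" $missing
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: shorewall enable $IFACE"
    else
        shorewall enable "$IFACE"
    fi
    still=$(missing_tables)
    [ -z "$still" ] && return 0
    echo "still missing after enable:" $still >&2
    echo "check whether $IFACE is listed in the COPY column of the providers file" >&2
    return 1
}

# Constructed sample output (not captured from any real system) in the shape
# of 'ip route show table X': main and P_VSAT know tun10, P_FB does not, the
# asymmetry Nigel describes.
sample_routes() {
    case "$1" in
        main)
            printf '%s\n' \
                'default via 203.0.113.1 dev eth0' \
                '192.168.200.0/24 dev tun10 proto kernel scope link src 192.168.200.1' ;;
        P_VSAT)
            printf '%s\n' \
                'default via 203.0.113.1 dev eth0' \
                '192.168.200.0/24 dev tun10 scope link' ;;
        P_FB)
            printf '%s\n' 'default via 198.51.100.1 dev eth1' ;;
    esac
}

# Usage: 'sh check-provider-routes.sh --check' against the live system (dry
# run by default), or 'ROUTE_SOURCE=sample_routes sh check-provider-routes.sh
# --check' to exercise it offline on the constructed sample.
if [ "${1:-}" = "--check" ]; then
    ensure_routes
fi
```

With DRY_RUN=0 the script only ever runs `shorewall enable`, which is the command Tom gives; it deliberately does not add routes to the provider tables by hand, since a manual route that Shorewall does not know about is lost on the next restart and masks the configuration gap. A non-zero exit from ensure_routes is the signal to look at the providers file rather than to restart Shorewall.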