On 12/11/18 7:21 AM, Jesús Román wrote:
> Hello.
>
> I am a Shorewall user and, as my knowledge of this code is tiny and I do
> not know if this behavior might interfere with the function of the
> firewall, I would like to report a strange behavior.
>
> I am using shorewall in a device running Linux 4.9 which has 3 interfaces.
>
> eth0  -> Interface attached to the LAN.
> eth11 -> Port used by portable equipment to do maintenance
>          operations in the device.
> wlan0 -> Wireless interface.
>
> The shorewall used is the release 5.1.1
>
> I have observed that after the execution of a "shorewall restart"
> command, the status of interfaces (shorewall -v status -i) does not
> appear on the console. Only the status of the Disabled interfaces is
> shown, in my case, eth11.
>
> Besides, the files:
>
> /var/lib/shorewall/<iface>.status
> /var/lib/shorewall/undo_<iface>_routing
>
> have disappeared from the directory, except "eth11.status".
>
> Using the couple of commands "ifdown <iface>", "ifup <iface>", the
> correspondent interface appears on the report of status but, when the
> firewall is stopped and started again (or restarted), they disappear
> from the report.
>
> Checking the setup of another different device I am using, I have
> observed that it is working well, showing the status of all of its
> interfaces defined in the firewall. The difference resides in this one
> has 3 providers defined.
>
> Inspecting the code built by the compiler, I have seen that the behavior
> is different when at least one interface is working as provider or not.
>
> Providers setup: The function "setup_routing_and_traffic_shaping" has 1
> line performing an "undo_routing" BEFORE starting providers and interfaces.
>
> No providers setup: The function "setup_routing_and_traffic_shaping" has
> 2 lines performing an "undo_routing" and "restore_default_route" AFTER
> starting interfaces.
>
> Should those lines be placed BEFORE starting interfaces when there are
> no providers defined?
>
> Reviewing the code of Shorewall 4.4.0, this function is different but,
> these 2 lines are placed in a different position near the beginning of
> "setup_routing_and_traffic_shaping".
>
> As workaround, I have defined the wireless interface as provider but, as
> I do not need Load Balancing nor Backup paths, I would prefer not to
> do it.
>
> Could you check if I am right?

Yes, you are correct. Attached is a patch to 5.1.1:

    . /usr/share/shorewall/shorewallrc
    patch $PERLLIBDIR/Shorewall/Providers.pm < OPT_INTERFACES-5.1.1.patch

A similar patch will be included in Shorewall 5.2.1.3.

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \    an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

--- Providers.pm.orig 2018-12-11 09:09:58.490278322 -0800 +++ Providers.pm 2018-12-11 09:10:14.297222598 -0800 @@ -1861,14 +1861,14 @@ push_indent; + emit "\nundo_routing"; + emit "restore_default_route $config{USE_DEFAULT_RT}"; + if ( $pseudoproviders ) { emit ''; emit "start_$providers{$_}->{what}_$_" for @providers; } - emit "\nundo_routing"; - emit "restore_default_route $config{USE_DEFAULT_RT}"; - my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}}; if ( $config{NULL_ROUTE_RFC1918} ) {
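
Review bot: the two emit calls now placed directly after push_indent carry no comment recording that they must precede the start_ loop inside the if ( $pseudoproviders ) block, and that ordering is the entire change. A one-line Perl comment above emit "\nundo_routing"; stating that undo_routing and restore_default_route have to be emitted ahead of the start_$providers{$_}->{what}_$_ calls would keep a later reshuffle of this function from moving them back below the loop, which is the placement reported in this thread as losing the interface status files on restart.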
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users