On 10/7/20 8:10 AM, Matt Darfeuille wrote:
> On 10/7/2020 4:48 PM, Matt Darfeuille wrote:
>> On 10/7/2020 4:27 PM, Simon Matter wrote:
>>>>> On 10/6/20 8:50 AM, Matt Darfeuille wrote:
>>>>>> On 10/6/2020 5:11 PM, Tom Eastep wrote:
>>>>>>> On 10/6/20 7:33 AM, Simon Matter wrote:
>>>>>>>>> On Tue, Oct 06, 2020 at 03:59:06PM +0200, Simon Matter wrote:
>>>>>>>>>>>> Compilation will only happen when '/etc/shorewall' is modified.
>>>>>>>>>>>> So if I'm not mistaken, updating the firewall will not trigger a
>>>>>>>>>>>> recompilation.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Recompilation should occur if ANY file in ANY directory in
>>>>>>>>>>> $CONFIG_PATH changes. Given that installing a new version updates
>>>>>>>>>>> /usr/share/shorewall/, 'reload' after an update should force
>>>>>>>>>>> re-compilation.
>>>>>>>>>>>
>>>>>>>>>>> I reproduced this problem using the tarball installers.
>>>>>>>>>>>
>>>>>>>>>>> Simon -- How did you upgrade?
>>>>>>>>>>
>>>>>>>>>> Dear Tom and all,
>>>>>>>>>>
>>>>>>>>>> For a test I've downgraded to shorewall-5.2.6.1 and saw the same
>>>>>>>>>> behavior.
>>>>>>>>>
>>>>>>>>> Tom is asking *how* you upgraded/downgraded.
>>>>>>>>
>>>>>>>> As I said, with my own RPMs; they are mentioned on
>>>>>>>> https://shorewall.org/download.htm
>>>>>>>>
>>>>>>> After 'reload' didn't recompile, I found that the mtime of
>>>>>>> /var/lib/shorewall/firewall had been mysteriously updated to a time
>>>>>>> after the upgrade. Have others noticed the same behavior?
>>>>>>>
>>>>>> I just installed SW 5.2.8 (core, shorewall, init) followed by
>>>>>> 'shorewall update' and 'shorewall reload'.
>>>>>> The below is after multiple 'shorewall update' followed by 'reload'.
>>>>>>
>>>>>> /var/lib/shorewall# ls -l firewall && shorewall reload && ls -l firewall
>>>>>> -rwx------ 1 root root 76618 Oct  6 17:33 firewall
>>>>>> Reloading Shorewall....
>>>>>> Initializing...
>>>>>> Processing /etc/shorewall/init ...
>>>>>> [snip]
>>>>>> Setting up Route Filtering...
>>>>>> Setting up Martian Logging...
>>>>>> Preparing iptables-restore input...
>>>>>> Running /sbin/iptables-restore --wait 60...
>>>>>> IPv4 Forwarding Enabled
>>>>>> done.
>>>>>> -rwx------ 1 root root 76618 Oct  6 17:33 firewall
>>>>>>
>>>>>>
>>>>>> Do you want other tests?
>>>>>>
>>>>> What was the current time? Or, what was the output of 'ls -l
>>>>> /usr/share/shorewall/'?
>>>>
>>>> OK, found it in my case, it's coming from here:
>>>>
>>>>     elif [ -z "$AUTOMAKE" ]; then
>>>>         if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
>>>>             return 1;
>>>>         fi
>>>>
>>>> I had 5.2.7 installed and made some configuration changes, say in October.
>>>> Then I upgraded to 5.2.8 with the RPM, which was built in September.
>>>>
>>>> So, the content in /usr/share/shorewall/ has mtimes in September, but my
>>>> /var/lib/shorewall/firewall was created in October.
>>>>
>>>> Result: the 'find' above doesn't show anything newer than my
>>>> /var/lib/shorewall/firewall and nothing is recompiled on reload.
>>>>
>>>> This affects my own RPMs but I guess the same is true for others too.
>>>>
>>>> I'm thinking about what the best fix is here. Maybe simply add a %post
>>>> install script which does:
>>>>
>>>>     mv -f /var/lib/shorewall[6]/firewall /var/lib/shorewall[6]/firewall.old
>>>>
>>>> Maybe we can discuss this here so all packages can use the same approach.
>>>
>>> I've added the following to the %post sections:
>>>
>>>     if [[ -f %{_var}/lib/%{name}/firewall ]]; then
>>>         %{__mv} -f %{_var}/lib/%{name}/firewall %{_var}/lib/%{name}/firewall.rpmold > /dev/null 2>&1 || :
>>>     fi
>>>
>>> and
>>>
>>>     if [[ -f %{_var}/lib/%{name}6/firewall ]]; then
>>>         %{__mv} -f %{_var}/lib/%{name}6/firewall %{_var}/lib/%{name}6/firewall.rpmold > /dev/null 2>&1 || :
>>>     fi
>>>
>>> It works well now and always recompiles after an upgrade.
>>>
>>> It also adds some additional security because one can easily diff the
>>> resulting configuration after an upgrade.
>>>
>>
>> I'll commit that, and send it through this list for review.
>>
>
> Attached is release-master-1-20.10.07.17.04.57-rfc.patch, which applies
> Simon's suggestion.
>
>
> Any feedback and testing is appreciated.
>
This should be sent to the devel list as well -- that is the appropriate
forum for discussing this type of issue.

Also: It is my belief that few people use the RPMs released by
shorewall.org. It is the responsibility of the distribution maintainers to
implement a solution for their packages.

-Tom
-- 
Tom Eastep           \ Q: What do you get when you cross a mobster
Shoreline,            \    with an international standard?
Washington, USA        \ A: Someone who makes you an offer you
http://shorewall.org    \    can't understand
                         \________________________________________
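The following is an added example, not part of this thread and not Shorewall's own code. It reproduces in a throwaway directory the mtime comparison Simon quoted (`find -maxdepth 1 -type f -newer $1 -print -quit`, run over the compiled script and each configuration directory), shows why a package whose files keep a build-time mtime older than the compiled script makes 'reload' skip recompilation, and shows the effect of the %post step that moves the compiled script aside. The sandbox layout, the file name lib.core, the timestamps and all function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Shorewall's code): reproduce the "is the compiled script
# stale?" check from the thread, the package-upgrade case that defeats it, and
# the %post fix. Every path, file name and timestamp below is constructed.
set -eu

# needs_recompile COMPILED DIR...: true (0) when COMPILED is missing or when a
# regular file directly inside any DIR has a newer mtime than COMPILED.
# Mirrors the `find ${dir} -maxdepth 1 -type f -newer $1 -print -quit` test.
needs_recompile() {
    compiled=$1
    shift
    [ -f "$compiled" ] || return 0
    for dir in "$@"; do
        if [ -n "$(find "$dir" -maxdepth 1 -type f -newer "$compiled" -print -quit)" ]; then
            return 0
        fi
    done
    return 1
}

# make_sandbox: build the constructed layout and print its root directory.
# Timestamps are YYYYMMDDhhmm and follow the sequence Simon described.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/usr/share/shorewall" "$sb/etc/shorewall" "$sb/var/lib/shorewall"
    touch -t 202009011200 "$sb/usr/share/shorewall/lib.core"  # package built in September
    touch -t 202010011200 "$sb/etc/shorewall/rules"           # config edited in October
    touch -t 202010021200 "$sb/var/lib/shorewall/firewall"    # compiled after that edit
    echo "$sb"
}

# upgrade_package SANDBOX: install a newer package. The file content changes,
# but its mtime is the package build time, still older than the compiled script.
upgrade_package() {
    echo "new library content" > "$1/usr/share/shorewall/lib.core"
    touch -t 202009151200 "$1/usr/share/shorewall/lib.core"
}

# post_install_fix SANDBOX: the %post step from the thread, moving the old
# compiled script out of the way so the next reload cannot reuse it.
post_install_fix() {
    if [ -f "$1/var/lib/shorewall/firewall" ]; then
        mv -f "$1/var/lib/shorewall/firewall" "$1/var/lib/shorewall/firewall.rpmold"
    fi
}

# decision SANDBOX: print what a reload would do for this sandbox.
decision() {
    if needs_recompile "$1/var/lib/shorewall/firewall" \
                       "$1/etc/shorewall" "$1/usr/share/shorewall"; then
        echo recompile
    else
        echo skip
    fi
}

# Three scenarios, each in a fresh sandbox; each prints a single word.
scenario_config_edit() {       # normal case: config touched after compiling
    sb=$(make_sandbox)
    touch -t 202010031200 "$sb/etc/shorewall/rules"
    decision "$sb"
    rm -rf "$sb"
}
scenario_upgrade_no_fix() {    # the bug: upgraded files look "older", reload skips
    sb=$(make_sandbox)
    upgrade_package "$sb"
    decision "$sb"
    rm -rf "$sb"
}
scenario_upgrade_with_fix() {  # with the %post step the stale script is gone
    sb=$(make_sandbox)
    upgrade_package "$sb"
    post_install_fix "$sb"
    decision "$sb"
    rm -rf "$sb"
}

echo "config edited after compile : $(scenario_config_edit)"
echo "upgrade, no %post fix       : $(scenario_upgrade_no_fix)"
echo "upgrade, with %post fix     : $(scenario_upgrade_with_fix)"
```

The second scenario is the one worth checking on a real host after a package upgrade: if the compiled script's mtime is newer than everything under the configuration directories, 'reload' reuses it and the new package's rule generation is never applied, which is why moving the script aside (or otherwise forcing a compile) belongs in the package's post-install step.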
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users