Discussion:
[Shorewall-users] after upgrade to SW 5.1.3, compile "Error: either "to" is duplicate, or "linkdown" is a garbage." ?
d***@123mail.org
2017-03-17 04:43:49 UTC
After switching from SW 5.0.x to 5.1.3,

The prior change I'd made in providers

- ISP 1 0x100 main EXTIF detect track,balance INTIF
+ ISP 1 0x100 main EXTIF detect track,balance INTIF,WIFIUIF

now returns on compile

...
Setting up Proxy ARP...
Adding Providers...
Error: either "to" is duplicate, or "linkdown" is a garbage.
ERROR: Command "/sbin/ip -4 route add table ISP 10.0.1.0/24 dev wlan0 proto kernel scope link src 10.0.1.150 linkdown" Failed
Restoring Shorewall Lite...
...

Switching back to

- ISP 1 0x100 main EXTIF detect track,balance INTIF,WIFIUIF
+ ISP 1 0x100 main EXTIF detect track,balance INTIF

allows the compile to complete.

I saw reference to this for a very old version

"2012-08-20 Shorewall 4.5.7

----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------

1) This release includes the defect repair from Shorewall 4.5.6.2.

2) The command 'shorewall enable pppX' could fail with the ip diagnostic

Error: either "to" is duplicate, or "weight" is a garbage.

Shorewall now generates the correct ip command."

But nothing yet more recent.

DT
Tom Eastep
2017-03-17 15:14:27 UTC
Post by d***@123mail.org
After switching from SW 5.0.x to 5.1.3,
The prior change I'd made in providers
- ISP 1 0x100 main EXTIF detect track,balance INTIF
+ ISP 1 0x100 main EXTIF detect track,balance INTIF,WIFIUIF
now returns on compile
...
Setting up Proxy ARP...
Adding Providers...
Error: either "to" is duplicate, or "linkdown" is a garbage.
ERROR: Command "/sbin/ip -4 route add table ISP 10.0.1.0/24 dev wlan0 proto kernel scope link src 10.0.1.150 linkdown" Failed
Restoring Shorewall Lite...
...
Switching back to
- ISP 1 0x100 main EXTIF detect track,balance INTIF,WIFIUIF
+ ISP 1 0x100 main EXTIF detect track,balance INTIF
allows the compile to complete.
I saw reference to this for a very old version
"2012-08-20 Shorewall 4.5.7
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) This release includes the defect repair from Shorewall 4.5.6.2.
2) The command 'shorewall enable pppX' could fail with the ip diagnostic
Error: either "to" is duplicate, or "weight" is a garbage.
Shorewall now generates the correct ip command."
But nothing yet more recent.
Is wlan0 up at the time that you do this? The reason that I ask is
that Shorewall itself never generates a command that includes
'linkdown', so this is obviously occurring while copying the WIFIUIF
routes from the main table to the ISP table.

Also, why are you using the USE_DEFAULT_RT=No setting? There are only
very rare instances where that setting is appropriate. Switching to
USE_DEFAULT_RT=Yes eliminates a lot of issues, including this one.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
Tom Eastep
2017-03-17 15:33:23 UTC
Post by Tom Eastep
Post by d***@123mail.org
After switching from SW 5.0.x to 5.1.3,
Is wlan0 up at the time that you do this? The reason that I ask is
that Shorewall itself never generates a command that includes
'linkdown', so this is obviously occurring while copying the
WIFIUIF routes from the main table to the ISP table.
Also, why are you using the USE_DEFAULT_RT=No setting? There are
only very rare instances where that setting is appropriate.
Switching to USE_DEFAULT_RT=Yes eliminates a lot of issues,
including this one.
Also, the code for copying routing tables is identical between 5.0.15
and 5.1.3. The last change made to that code was in 2014 which
predates Shorewall 5.0.0.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
d***@123mail.org
2017-03-17 15:40:06 UTC
Tom
Post by Tom Eastep
Post by Tom Eastep
Is wlan0 up at the time that you do this? The reason that I ask is
that Shorewall itself never generates a command that includes
'linkdown', so this is obviously occurring while copying the
WIFIUIF routes from the main table to the ISP table.
wlan0 is sure *supposed* to be up.

It's brought up by the OS. Shorewall's controlled by systemd. The systemd unit waits for network-online.

Should I have SW manually check, and bring down/up the interface?
Post by Tom Eastep
Post by Tom Eastep
Also, why are you using the USE_DEFAULT_RT=No setting? There are
only very rare instances where that setting is appropriate.
Switching to USE_DEFAULT_RT=Yes eliminates a lot of issues,
including this one.
I know there was "a very good reason". I just can't find it in my notes :-/

Anyway I read now that

"USE_DEFAULT_RT is now the default and use of USE_DEFAULT_RT=No is deprecated."

So I'll get that fixed.
Post by Tom Eastep
Also, the code for copying routing tables is identical between 5.0.15
and 5.1.3. The last change made to that code was in 2014 which
predates Shorewall 5.0.0.
Strange. I never saw this until after that update. Since it causes a FAIL, I figure I would have noticed otherwise.

DT
d***@123mail.org
2017-03-17 16:18:08 UTC
Post by d***@123mail.org
"USE_DEFAULT_RT is now the default and use of USE_DEFAULT_RT=No is deprecated."
So I'll get that fixed.
I switched to

USE_DEFAULT_RT=Yes

dealt with the

ERROR: Providers' interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes /usr/local/etc/sw/4/providers

ERROR: The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes /usr/local/etc/sw/4/providers

ERROR: The COPY column must be empty when USE_DEFAULT_RT=Yes /usr/local/etc/sw/4/providers

errors, and it's all back up & running again -- hostapd-attached devices have access they require!

Now I need to stare at the systemd dependency ordering in shorewall, hostapd & dhcpd unit files a bit!

DT
Tom Eastep
2017-03-17 16:30:34 UTC
Post by d***@123mail.org
Tom
Post by Tom Eastep
Is wlan0 up at the time that you do this? The reason that I ask
is that Shorewall itself never generates a command that
includes 'linkdown', so this is obviously occurring while
copying the WIFIUIF routes from the main table to the ISP
table.
wlan0 is sure *supposed* to be up.
It's brought up by the OS.
wlan0 is also brought up indirectly by systemd -- check out the
'networking' unit.

Post by d***@123mail.org
Shorewall's controlled by systemd. The systemd unit waits for
network-online.
Should I have SW manually check, and bring down/up the interface?
I have seen cases where a link with active routes goes down, after
which 'ip route ls' shows the routes as 'linkdown'. So I am quite sure
that is what happened here. Given that there are other major issues
with USE_DEFAULT_RT=No (check the known problems on the Shorewall
site), I'm not inclined to try to do anything about this one.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
d***@123mail.org
2017-03-17 16:43:56 UTC
Tom
Post by Tom Eastep
Post by d***@123mail.org
wlan0 is sure *supposed* to be up.
It's brought up by the OS.
wlan0 is also brought up indirectly by systemd -- check out the
'networking' unit.
Shorewall's controlled by systemd. The systemd unit waits for
network-online.
Yep, see that now.
Post by Tom Eastep
Post by d***@123mail.org
Should I have SW manually check, and bring down/up the interface?
I have seen cases where a link with active routes goes down, after
which 'ip route ls' shows the routes as 'linkdown'. So I am quite sure
that is what happened here. Given that there are other major issues
with USE_DEFAULT_RT=No (check the known problems on the Shorewall
site), I'm not inclined to try to do anything about this one.
Sure, makes sense. Especially if it's declared as deprecated not just an option.

I'll just keep an eye on the interface while I monkey around and see if I'm causing myself any problems.

DT
Tom Eastep
2017-03-17 16:44:56 UTC
Post by Tom Eastep
I have seen cases where a link with active routes goes down, after
which 'ip route ls' shows the routes as 'linkdown'.
To be clear, this happens when the device is still configured but the
link layer is down. I haven't seen it with a wireless device, but
simply unplugging the cable from an ethernet adapter will produce this
case.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
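
The failure discussed in this thread (a route listed with 'linkdown' being replayed verbatim to `ip route add`) as an added example that is not Shorewall's code and not part of any post above: a POSIX sh filter that drops kernel state flags from `ip route show` lines before they are copied to another table, plus a check that lists interfaces whose routes are flagged. The function names and the sample routes are assumptions constructed for illustration; only the wlan0 line mirrors the route in the failed command.

```shell
#!/bin/sh
# Added example, not Shorewall code. Constructed sample of
# `ip -4 route show table main` output; the wlan0 line mirrors the thread.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.0.1.0/24 dev wlan0 proto kernel scope link src 10.0.1.150 linkdown
10.0.2.0/24 dev eth1 proto kernel scope link src 10.0.2.1 dead linkdown'

# copyable_routes IFACE...
# Reads route lines on stdin and prints those whose "dev" is one of the given
# interfaces, with state flags removed so each line can be appended to
# `ip route add table <TABLE> ...` without the "is a garbage" error.
copyable_routes() {
    awk -v ifaces="$*" '
    BEGIN { n = split(ifaces, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    {
        dev = ""; out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "dev" && i < NF) dev = $(i + 1)
            # Kernel-reported state, not an argument "ip route add" parses.
            if ($i == "linkdown" || $i == "dead") continue
            out = (out == "" ? $i : out " " $i)
        }
        if (dev in want) print out
    }'
}

# linkdown_ifaces
# Reads route lines on stdin and prints each interface that has at least one
# route flagged linkdown, for use as a check before the firewall starts.
linkdown_ifaces() {
    awk '
    {
        dev = ""; down = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "dev" && i < NF) dev = $(i + 1)
            if ($i == "linkdown") down = 1
        }
        if (down && dev != "" && !(dev in seen)) { seen[dev] = 1; print dev }
    }'
}
```

On a live system the input would come from `ip -4 route show table main` instead of the sample variable; a non-empty result from `linkdown_ifaces` means the interface is configured but its link layer is down at that moment.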