[Shorewall-users] Keep provider disabled after restart
Filippo Carletti
2016-09-28 17:34:55 UTC
I can't find what I'm doing wrong, I can't observe the documented
behaviour of shorewall disable <provider>.

# shorewall status -i | grep Interface
Interface enp2s0 is Enabled
Interface enp3s0 is Enabled
# shorewall disable enp3s0
Provider adsl (1) stopped
# shorewall status -i | grep Interface
Interface enp2s0 is Enabled
Interface enp3s0 is Disabled
# shorewall restart
# shorewall status -i | grep Interface
Interface enp2s0 is Enabled
Interface enp3s0 is Enabled

Log above using Shorewall-5.0.8.2, but I have the same problem with
Shorewall-4.6.4.3.

The changelog says:

Beginning with Shorewall 4.5.3.1:

- The 'disable' command stores a 1 in the interface's .status file.
- The .status file is ignored on 'enable' but not on 'start',
'restart', 'restore' and 'refresh'.

This means that a disabled interface can only be re-enabled using
the 'enable' command.

Some config details:
# tail -2 /etc/shorewall/providers
adsl 1 0x10000 - enp3s0 10.70.70.1 track,balance=100,persistent -
fibra 2 0x20000 - enp2s0 10.57.1.1 track,balance=1,persistent -
# grep RESTART /etc/shorewall/shorewall.conf
RESTART=reload


Any hint how to debug this?
Thanks.
--
Ciao,
Filippo

------------------------------------------------------------------------------
Tom Eastep
2016-09-29 02:25:34 UTC
Post by Filippo Carletti
Any hint how to debug this?
Do any of your extension scripts manipulate /var/lib/shorewall/*.status?

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2016-09-29 22:19:58 UTC
Post by Tom Eastep
Do any of your extension scripts manipulate /var/lib/shorewall/*.status?
Nevermind -- this is definitely broken.

-Tom
Tom Eastep
2016-09-30 15:58:45 UTC
Post by Tom Eastep
Nevermind -- this is definitely broken.
It seems to be broken only for persistent providers, provided that you
have the correct 'isusable' script. If you run Debian or Ubuntu, you
will need to copy 'isusable' from
/usr/share/doc/shorewall-common/default-config to /etc/shorewall/.

-Tom
Filippo Carletti
2016-10-06 12:51:54 UTC
Post by Tom Eastep
Nevermind -- this is definitely broken.
Sorry for the late response, I just tested 5.0.12 and it fixes the
persistent providers scenario.
Thanks a lot, Tom.

Proof:

# shorewall disable fibra
Provider fibra (2) stopped
# shorewall status -i
Interface enp2s0 is Disabled
Interface enp3s0 is Enabled
# shorewall restart
...
Adding Providers...
WARNING: Interface enp2s0 is not usable -- Provider fibra (2) not Started
...
# shorewall status -i
Interface enp2s0 is Disabled
Interface enp3s0 is Enabled
--
Ciao,
Filippo
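
A check for the regression discussed in this thread, as an added example that is not part of the original posts or of Shorewall itself: it compares the persisted .status files with saved `shorewall status -i` output and lists interfaces that were disabled on disk but came back Enabled. The function name, the `<interface>.status` file naming, the value 0 for an enabled interface and all sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag interfaces whose persisted 'disable' was lost by a restart.
# Assumption: state files are named <interface>.status under the state
# directory, and a value of 1 means "disabled" (per the changelog quoted above).

# find_reenabled STATE_DIR STATUS_FILE   (hypothetical helper name)
#   STATE_DIR   - directory holding *.status files (e.g. /var/lib/shorewall)
#   STATUS_FILE - saved output of 'shorewall status -i'
# Prints each interface marked disabled on disk but reported as Enabled.
find_reenabled() {
    state_dir=$1
    status_file=$2
    for f in "$state_dir"/*.status; do
        [ -f "$f" ] || continue                 # glob matched nothing
        iface=$(basename "$f" .status)
        value=$(tr -d '[:space:]' < "$f")       # tolerate missing newline
        [ "$value" = "1" ] || continue          # only persisted 'disable'
        # Trim surrounding whitespace, then match the whole line literally
        # (-F) so names such as eth0.10 are not treated as a regex.
        if sed 's/^[[:space:]]*//;s/[[:space:]]*$//' "$status_file" |
            grep -qxF "Interface $iface is Enabled"; then
            echo "$iface"
        fi
    done
}

# Constructed sample data: enp3s0 was disabled before the restart.
demo_dir=$(mktemp -d)
echo 0 > "$demo_dir/enp2s0.status"   # 0 for "enabled" is an assumption
echo 1 > "$demo_dir/enp3s0.status"
# Status output as in the first post (disable lost after restart) ...
printf 'Interface enp2s0 is Enabled\nInterface enp3s0 is Enabled\n' \
    > "$demo_dir/broken.txt"
# ... and as expected when the disabled state survives the restart.
printf 'Interface enp2s0 is Enabled\nInterface enp3s0 is Disabled\n' \
    > "$demo_dir/fixed.txt"

broken=$(find_reenabled "$demo_dir" "$demo_dir/broken.txt")
fixed=$(find_reenabled "$demo_dir" "$demo_dir/fixed.txt")
echo "re-enabled after restart (broken case): ${broken:-none}"
echo "re-enabled after restart (fixed case): ${fixed:-none}"
```

On a live firewall the equivalent call would take the real state directory and a file holding the output of `shorewall status -i` captured after the restart.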
Tom Eastep
2016-10-06 14:41:54 UTC
Post by Filippo Carletti
Post by Tom Eastep
Nevermind -- this is definitely broken.
Sorry for the late response, I just tested 5.0.12 and it fixes the
persistent providers scenario.
Thanks a lot, Tom.
Thanks for confirming, Filippo.

-Tom