[Shorewall-users] Shorewall 5.1.2.4
Tom Eastep
2017-03-12 19:40:11 UTC
Shorewall 5.1.2.4 is now available for download.

Problems corrected:

1) The documentation for 'reload' has been corrected:

- A command synopsis has been added in shorewall(8).
- The command synopsis in the 'help' output has been corrected.

2) The CONFIG_PATH setting has been corrected in the IPv6 Universal
sample configuration.

3) In shorewall[6].conf, some instances of $LOG_LEVEL might not be
correctly expanded previously (some expansions may be empty). That
has been corrected.

Thank you for using Shorewall,

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \ an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.net     \________________________________________________
Scott Beane
2017-03-13 01:16:20 UTC
Tuomo Soini
2017-03-13 07:47:05 UTC
On Sun, 12 Mar 2017 21:16:20 -0400
> Shorewall version = shorewall-5.1.2.1-1.el7.noarch
> uname = 3.10.0-514.10.2.el7.x86_64
> Tied 2 of 3 interfaces together using "Channel Bonding" described at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Reference_Guide/s2-modules-bonding.html
> [not to be confused with Bridging] Shorewall blocks everything on the
> bonded interfaces. Can't even get a ping through with Ping(ACCEPT)
> all     all.
> mails           enp5s0                  logmartians=1,arp_filter,arp_ignore=2,nosmurfs,tcpflags,blacklist
> loc             bond0,enp4s0f+          nosmurfs,tcpflags
Bonding is very similar to bridging in one thing. When you do bonding
you can't use interfaces which are part of bond0 interface at all any
more.

Another problem with your configuration is you are using rhel4
documentation for rhel7. You should read rhel7 documentation which
suggests using more modern team driver instead of bonding.

When you start to use bonding its default mode is round-robin
- that will not work with your switch if it hasn't been configured for
it, most switches can't be configured for round-robin at all.

You left out all important data from this report, that is bonding
configuration and ip addr list output of your interfaces, together with
output of cat /proc/net/bonding/bond0.
> Appears that shorewall is not playing nice with the bonding
> configuration hardwired
> into /etc/sysconfig/network-scripts/ifcfg-bond0 and the two
> interfaces. Technically, the interfaces are each a "slave" of the
> master "bond0" with the slaves losing their IP Address to the bond0
> and only one address is assigned. I am guessing that shorewall is
> reading the ifcfg-enp4s0f* files directly rather than after the bond
> is set up???
Shorewall only knows of what you have configured, shorewall doesn't
read ifcfg files. If you configure bonding, leave slave interfaces out
of the shorewall configuration, they are not used any more.
--
Tuomo Soini <***@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
Scott Beane
2017-03-13 23:42:31 UTC
Tuomo Soini
2017-03-14 11:21:19 UTC
On Mon, 13 Mar 2017 19:42:31 -0400
> Bonding is working a little slowly with some applications like ssh
> where she will hang for 5 seconds. Considering I have bonded two 10G
> NICs and everything else is 1G, I was expecting a big improvement,
> not yet...
That means you have some problems. When bonding is working it doesn't
cause any delays.
> My initial options are: BONDING_OPTS="mode=4 miimon=100 downdelay=300
> updelay=300 arp_interval=0"
> Note that I am not using round-robin, rather "mode=4" sets an IEEE
> 802.3ad dynamic link aggregation policy which my router supports/is
> configured.
It's not about the router - it's about the switch your server is connected to.
The switch must support 802.3ad for bonding to work. Only active-backup
mode works with every switch without problems.
--
Tuomo Soini <***@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
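Both of Tuomo's points (keep the bond's slave interfaces out of the Shorewall interfaces file; 802.3ad only helps if the switch actually bundles the links) can be checked from the host. The Python below is an added example, not Shorewall's own code or anything posted in the thread: it parses a constructed /proc/net/bonding/bond0 text and a constructed interfaces file mirroring the entries quoted above, flags Shorewall entries that still match a slave, and treats slaves with different Aggregator IDs as a heuristic (an assumption made here) that the switch is not bundling the LACP links.

```python
import re

# Constructed sample of /proc/net/bonding/bond0, abbreviated to the fields used here.
BOND0_PROC = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Slave Interface: enp4s0f0
Aggregator ID: 1
Slave Interface: enp4s0f1
Aggregator ID: 2
"""

# Constructed /etc/shorewall/interfaces mirroring the entries quoted in the thread.
INTERFACES_FILE = """\
#ZONE   INTERFACE        OPTIONS
mails   enp5s0           logmartians=1,arp_filter,arp_ignore=2,nosmurfs,tcpflags,blacklist
loc     bond0,enp4s0f+   nosmurfs,tcpflags
"""

def parse_bond(text):
    """Return (mode, {slave: aggregator id}) from /proc/net/bonding/<bond> text."""
    mode = re.search(r"^Bonding Mode: (.+)$", text, re.M).group(1)
    slaves = {}
    for block in re.split(r"\n(?=Slave Interface:)", text)[1:]:
        name = re.match(r"Slave Interface: (\S+)", block).group(1)
        agg = re.search(r"^Aggregator ID: (\d+)$", block, re.M)
        slaves[name] = int(agg.group(1)) if agg else None
    return mode, slaves

def shorewall_entries(text):
    """Yield (zone, interface pattern) pairs; a trailing '+' is Shorewall's wildcard."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for pattern in (fields[1].split(",") if len(fields) >= 2 else []):
            yield fields[0], pattern

def matches(pattern, name):
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def audit(bond_text, interfaces_text):
    """Findings: slaves still listed in Shorewall, and LACP slaves not sharing an aggregator."""
    mode, slaves = parse_bond(bond_text)
    findings = [f"zone {zone}: '{pattern}' matches bond slave {slave}; drop it, only the bond belongs here"
                for zone, pattern in shorewall_entries(interfaces_text)
                for slave in slaves if matches(pattern, slave)]
    if "802.3ad" in mode and len(set(slaves.values())) > 1:
        findings.append("802.3ad slaves are in different aggregators: switch is not bundling them (heuristic)")
    return findings
```

On a real host, pass it the contents of /proc/net/bonding/bond0 and /etc/shorewall/interfaces instead of the constructed strings.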