Discussion:
[Shorewall-users] ERROR: Cannot restore /etc/shorewall-lite/state/restore-ipsets with Shorewall running: Firewall state not changed
Brian J. Murrell
2016-11-30 16:13:33 UTC
Hi,

When I try to do a restore action with shorewall-lite 5.0.13.4 I get:

# /usr/sbin/shorewall-lite -qq restore
ipset v6.24: Element cannot be added to the set: it's already added
   ERROR: Cannot restore /etc/shorewall-lite/state/restore-ipsets with
Shorewall running: Firewall state not changed

This seems like new behavior and makes using ipsets quite a deal-breaker.
Not being able to reload the firewall on the router impacts a
lot of state-change problems on the router.

Maybe I have some kind of configuration set that is making this happen
and there is a way around it?

Cheers,
b.
Tom Eastep
2016-11-30 21:58:15 UTC
Post by Brian J. Murrell
Hi,
# /usr/sbin/shorewall-lite -qq restore
ipset v6.24: Element cannot be added to the set: it's already added
   ERROR: Cannot restore /etc/shorewall-lite/state/restore-ipsets with
Shorewall running: Firewall state not changed
This seems like new behavior and makes using ipsets quite a deal-breaker.
Not being able to reload the firewall on the router
impacts a lot of state-change problems on the router.
Maybe I have some kind of configuration set that is making this
happen and there is a way around it?
This is the same behavior as on Shorewall and Shorewall6. If you have
SAVE_IPSETS configured and you want to restore an old config with the
firewall running, then you must first stop the current ruleset then
restore the old one.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

Brian J. Murrell
2016-12-02 16:45:03 UTC
Post by Tom Eastep
This is the same behavior as on Shorewall and Shorewall6. If you have
SAVE_IPSETS configured and you want to restore an old config with the
firewall running,
Is the point here to prevent overwriting the current ipsets with old
ones?
Post by Tom Eastep
then you must first stop the current ruleset then
restore the old one.
So "shorewall-lite stop; shorewall-lite start" rather than "shorewall-lite restore"?

Seems "shorewall-lite restart" suffices also, yes?

Cheers,
b.
Tom Eastep
2016-12-02 17:40:12 UTC
Post by Brian J. Murrell
Post by Tom Eastep
This is the same behavior as on Shorewall and Shorewall6. If you
have SAVE_IPSETS configured and you want to restore an old config
with the firewall running,
Is the point here to prevent overwriting the current ipsets with
old ones?
Post by Tom Eastep
then you must first stop the current ruleset then restore the old
one.
So "shorewall-lite stop; shorewall-lite start" rather than
"shorewall-lite restore"?
Seems "shorewall-lite restart" suffices also, yes?
With RESTART=restart, those two options are the same. You can also use
'shorewall-lite reload'.

-Tom
Brian J. Murrell
2016-12-02 18:39:13 UTC
Post by Tom Eastep
With RESTART=restart,
So, on that note, it seems to me that RESTART=reload and
SAVE_IPSETS=Yes should be an error.

But RESTART= still doesn't alter the fact that "shorewall* reload"
won't work with SAVE_IPSETS=Yes. Should reload actually be restart
(behind the scenes) when SAVE_IPSETS=Yes so that reload can be done
without error or does that introduce too much nastiness and unexpected
behavior for user?
Post by Tom Eastep
those two options are the same. You can also use
'shorewall-lite reload'.
Maybe I am misunderstanding what you are saying, but I already have
"RESTART=restart" and "shorewall-lite reload" returns the error I
originally reported.

Cheers,
b.
Tom Eastep
2016-12-02 20:30:59 UTC
Post by Brian J. Murrell
Post by Tom Eastep
With RESTART=restart,
So, on that note, it seems to me that RESTART=reload and
SAVE_IPSETS=Yes should be an error.
But RESTART= still doesn't alter the fact that "shorewall* reload"
won't work with SAVE_IPSETS=Yes. Should reload actually be
restart (behind the scenes) when SAVE_IPSETS=Yes so that reload
can be done without error or does that introduce too much nastiness
and unexpected behavior for user?
Post by Tom Eastep
those two options are the same. You can also use 'shorewall-lite
reload'.
Maybe I am misunderstanding what you are saying, but I already have
"RESTART=restart" and "shorewall-lite reload" returns the error I
originally reported.
You reported that *restore* returns an error, not *reload*, did you not?

-Tom
Brian J. Murrell
2016-12-02 21:12:34 UTC
Post by Tom Eastep
You reported that *restore* returns an error, not *reload*, did you not?
Doh! You are correct. Too many "re-"s I guess.

So typically reload is preferable to restart, correct? Will reload
work even with SAVE_IPSETS?

Looking more closely at restore, that is probably not really what I
wanted to be using anyway. Perhaps.

Cheers,
b.
Tom Eastep
2016-12-02 21:18:49 UTC
Post by Brian J. Murrell
Post by Tom Eastep
You reported that *restore* returns an error, not *reload*, did you not?
Doh! You are correct. Too many "re-"s I guess.
So typically reload is preferable to restart, correct?
Yes.
Post by Brian J. Murrell
Will reload work even with SAVE_IPSETS?
Yes.
Post by Brian J. Murrell
Looking more closely at restore, that is probably not really what
I wanted to be using anyway. Perhaps.
I suspect so. The 'restore' command is for instantiating a
configuration that was copied aside with the 'save' command.

-Tom
Tom Eastep
2016-12-02 17:52:45 UTC
Post by Brian J. Murrell
Post by Tom Eastep
This is the same behavior as on Shorewall and Shorewall6. If you
have SAVE_IPSETS configured and you want to restore an old config
with the firewall running,
Is the point here to prevent overwriting the current ipsets with
old ones?
The point is that the old ipset may have a different definition (set
type and/or options). Because the set is in use, it cannot be deleted
and re-created with the correct type and options.

This problem is solvable using the 'ipset rename' command, but the
possible failure cases are somewhat daunting to handle.

-Tom
Brian J. Murrell
2016-12-02 16:56:29 UTC
Unfortunately it doesn't seem that when a shorewall-lite restore fails
due to ipsets being present, that shorewall-lite exits with an error:

# /usr/sbin/shorewall-lite restore
Restoring Shorewall Lite...
Initializing...
Processing init user exit ...
Creating any undefined ipsets...ipset v6.24: Element cannot be added to the set: it's already added

ERROR: Cannot restore /etc/shorewall-lite/state/restore-ipsets with Shorewall running: Firewall state not changed
Terminated
# echo $?
0

I guess the exit status of the 'restore' script in startup_error() is
not propagated up to the main command.

Cheers,
b.
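The post above shows that on shorewall-lite 5.0.13.4 a failed restore prints an ERROR line but still exits 0, so any automation that keys on the exit status will think the restore succeeded. The following is an added example (not code from the thread or from the Shorewall project) of a wrapper that treats an ERROR line in the output as a failure even when the exit status is 0. It assumes the error line begins with optional whitespace and "ERROR:", as in the quoted output; the functions run_restore, restore_output_failed and the constructed demo commands demo_failed_restore and demo_ok_restore are hypothetical names introduced here.

```sh
#!/bin/sh
# Added example, not part of the original thread or of Shorewall.
# Wraps a restore so that an "ERROR:" line in the output is reported as
# a non-zero exit status, working around a release (5.0.13.4 in the
# thread) that exits 0 after a failed restore.

# restore_output_failed: read command output on stdin; succeed (status 0)
# if a Shorewall ERROR line is present, fail (status 1) otherwise.
# Assumption: the error line starts with optional whitespace and "ERROR:".
restore_output_failed() {
    grep -q '^[[:space:]]*ERROR:'
}

# run_restore [cmd args...]: run the restore command (default:
# /usr/sbin/shorewall-lite restore), echo its output, and return
# non-zero if either the exit status or the output indicates failure.
run_restore() {
    [ $# -gt 0 ] || set -- /usr/sbin/shorewall-lite restore
    rc=0
    out=$("$@" 2>&1) || rc=$?
    printf '%s\n' "$out"
    [ "$rc" -ne 0 ] && return "$rc"
    if printf '%s\n' "$out" | restore_output_failed; then
        echo "restore reported an error but exited 0; treating as failure" >&2
        return 1
    fi
    return 0
}

# Constructed stand-in for the buggy command: prints the output quoted in
# the thread and exits 0, exactly as reported for 5.0.13.4.
demo_failed_restore() {
    cat <<'EOF'
Restoring Shorewall Lite...
Initializing...
Processing init user exit ...
Creating any undefined ipsets...ipset v6.24: Element cannot be added to the set: it's already added

ERROR: Cannot restore /etc/shorewall-lite/state/restore-ipsets with Shorewall running: Firewall state not changed
Terminated
EOF
    return 0
}

# Constructed stand-in for a successful restore.
demo_ok_restore() {
    printf 'Restoring Shorewall Lite...\ndone.\n'
    return 0
}

# Stand-alone demo against the constructed output. Real use is simply
#   run_restore
# which defaults to /usr/sbin/shorewall-lite restore.
if run_restore demo_failed_restore; then
    echo "restore OK"
else
    echo "restore FAILED"
fi
```

In a cron job or deployment script, call run_restore in place of the bare restore command and act on its status; the output is still passed through so the original ERROR text stays visible in the log.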
Tom Eastep
2016-12-02 17:40:36 UTC
Post by Brian J. Murrell
Unfortunately it doesn't seem that when a shorewall-lite restore
fails due to ipsets being present, that shorewall-lite exits with
an error:
# /usr/sbin/shorewall-lite restore
Restoring Shorewall Lite...
Initializing...
Processing init user exit ...
Creating any undefined ipsets...ipset v6.24: Element cannot be added to the set: it's already added

ERROR: Cannot restore /etc/shorewall-lite/state/restore-ipsets with Shorewall running: Firewall state not changed
Terminated
# echo $?
0
I guess the exit status of the 'restore' script in startup_error()
is not propagated up to the main command.
Will be corrected in 5.0.15.

Thanks,
-Tom