Re: libprocps3 procps update this morning causing shorewall/iptables routing problems.
(CC because I'm not sure whether you're subscribed)
On 23/05/18 11:36, Luke Hall wrote:
>>> This morning a number of our jessie firewall servers received these
>>> updates.
>>>
>>> 2018-05-23 06:53:20,879 INFO Allowed origins are:
>>> ['origin=Debian,codename=jessie,label=Debian-Security']
>>> 2018-05-23 06:53:23,120 INFO Packages that will be upgraded: libprocps3
>>> procps
>>> 2018-05-23 06:53:23,121 INFO Writing dpkg log to
>>> '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log'
>>> 2018-05-23 06:53:24,836 INFO All upgrades installed
>>>
>>> Those machines, all running shorewall 4.6.4.3-2 and the 3.16.0-4-amd64
>>> kernel stopped routing traffic through to hosts behind them and we found
>>> it necessary to restart shorewall for this to resume. I will do some
>>> further debugging this morning but I'm wondering if this affected anyone
>>> else.
Do you have a stray 'net.ipv4.ip_forward=0' or similar in
/etc/sysctl{.conf,.d}?
We also saw one instance of this problem, because the sysctls were
reloaded during the update and so forwarding became disabled. Restarting
shorewall of course fixes this by setting ip_forward back to 1.
All our other machines without ip_forward=0 in the configuration were
unaffected.
--
Jonathan Wiltshire
Red Hat Certified Engineer (#170-281-083)
Tiger Computing Ltd
ISO27001:2013 Certified
Tel: 01600 483 484
Web: https://www.tiger-computing.co.uk
Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
Wyastone Leys, Monmouth, NP25 3SR
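
The check suggested in the reply above, as an added example that is not part of the original message: it lists every line in /etc/sysctl.conf and /etc/sysctl.d/*.conf that would switch IPv4 forwarding off the next time the sysctls are reloaded. The function names and the optional ROOT prefix are hypothetical, and treating net.ipv4.conf.all.forwarding as one of the "or similar" keys is an assumption.

```shell
#!/bin/sh
# Added example: find sysctl config lines that disable IPv4 forwarding.

# find_forward_off [ROOT]
# ROOT is a hypothetical path prefix (used for testing against a copy of
# /etc); with no argument the live filesystem is scanned.
# Prints one "file:line:key=value" record per offending assignment.
find_forward_off() {
    root="${1:-}"
    for f in "$root/etc/sysctl.conf" "$root"/etc/sysctl.d/*.conf; do
        [ -f "$f" ] || continue          # missing file or unmatched glob
        awk -v file="$f" '
            /^[ \t]*[#;]/ { next }       # "#" and ";" start comment lines
            {
                n = index($0, "=")
                if (n == 0) next
                key = substr($0, 1, n - 1)
                val = substr($0, n + 1)
                gsub(/[ \t]/, "", key)   # allow "key = value" spacing
                gsub(/[ \t]/, "", val)
                gsub("/", ".", key)      # accept the net/ipv4/ip_forward form
                # Assumption: conf.all.forwarding counts as "or similar".
                if ((key == "net.ipv4.ip_forward" ||
                     key == "net.ipv4.conf.all.forwarding") && val == "0")
                    printf "%s:%d:%s=%s\n", file, NR, key, val
            }' "$f"
    done
}

# check_forwarding [ROOT]
# Shows the running value next to the config findings; returns 1 when a
# config line would disable forwarding on the next sysctl reload.
check_forwarding() {
    hits=$(find_forward_off "${1:-}")
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        echo "runtime net.ipv4.ip_forward = $(cat /proc/sys/net/ipv4/ip_forward)"
    fi
    if [ -n "$hits" ]; then
        echo "config lines that disable forwarding when sysctls are reloaded:"
        echo "$hits"
        return 1
    fi
    echo "no config line disables forwarding"
}

# Usage on a router: call check_forwarding with no argument.
```

A runtime value of 1 together with a reported config line is the state described above: forwarding works until something re-applies the sysctl files.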