
Re: Timing Shorewall's startup



Johann Spies wrote:
> I have configured /etc/default/shorewall to wait for the ppp-interface
> (adsl) before it starts.

I have never needed to use this behavior.  Shorewall works fine for me
without it.  Could you say for what reason you need it to wait for the
interface?  What problem is being solved by that action?

> Sometimes the server boots and shorewall does not run at all.

Could you investigate this problem further?  If you find a problem
with it then please file a bug report about it.  Because it should
definitely run reliably at system boot time.  Works for me.

> It seems that the wait_interface="ppp0" setting in /etc/default/shorewall
> does not do the job properly.

Let's take a look at that functionality.  The logic there is easy to
trace through.  You know about /etc/default/shorewall.  It documents a
possible setting for wait_interface.  This is used in the
/etc/init.d/shorewall system startup script.  Here are the important
parts for that section.

  less /etc/init.d/shorewall

  WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
  test -x $WAIT_FOR_IFUP || exit 0
  wait_for_pppd () {
          if [ "$wait_interface" != "" ]
          then
                  for i in $wait_interface
                  do
                          $WAIT_FOR_IFUP $i 90
                  done
          fi
  }
  shorewall_start () {
    echo -n "Starting \"Shorewall firewall\": "
    wait_for_pppd
    ...
  case "$1" in
    start)
       shorewall_start

For each interface listed in the variable the script will wait for it
to be up before the script will continue.  It will do so using the
/usr/share/shorewall/wait4ifup script.  Let's look at it.

  less /usr/share/shorewall/wait4ifup

  interface_is_up() {
      [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ]
  }

I hate the hard coded full /sbin/ip and /bin/grep path.  It should
just call "ip" and "grep" plainly.  Blech!  I also hate the scripting
style.  But we won't get anywhere if I keep critiquing the style.  In
any case...  Use "ip" to check if it lists an interface as "UP".  If
it is then return true otherwise false.

  timeout=$2
  ...
  while [ $timeout -gt 0 ]; do
      interface_is_up $1 && exit 0
      /bin/sleep 1
      timeout=$(( $timeout - 1 ))
  done
  exit 1

For the specified 90 seconds start counting down every second and poll
if "ip" returns "UP" for that interface each cycle through the loop.

That is quite brute force for my taste.  But it seems like it should
work.  If that isn't working for you could you look to see why?

> How can I ensure that shorewall starts properly?

In order to answer this you must say more details about how it isn't
working properly.  Because otherwise we can only say, works for me,
and be at an impasse.  I am sure that Shorewall has some error message
saying why it isn't starting for you.

I assume you edited the /etc/default/shorewall script and set
startup=1 in that file?  Because if it is left at the default package
value of startup=0 then shorewall will definitely not start.

Bob

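The two scripts quoted in the message above both reduce to one idea: poll `ip link` for an "UP" flag once a second until a timeout runs out. The following is an added example, not code from the original message or from the shorewall package, that separates the flag test from the polling loop so each part can be checked on constructed `ip link` lines without a live interface. Function names, the extra PROBE parameter and the sample lines are this example's own assumptions; the `[<,]UP[,>]` pattern is the one wait4ifup uses.

```shell
#!/bin/sh
# Added example (not from the original message or from the shorewall package):
# a wait4ifup-style poller that separates parsing an `ip link` line from the
# polling loop, so the flag test can be exercised on constructed samples.

# Constructed sample lines in the format `ip link show dev IFACE` prints.
SAMPLE_PPP_UP='3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3'
SAMPLE_PPP_DOWN='3: ppp0: <POINTOPOINT,MULTICAST,NOARP> mtu 1492 qdisc noop state DOWN qlen 3'
SAMPLE_ETH_NOCARRIER='2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000'

# True when the <...> flag list contains the administrative UP flag. The
# [<,]UP[,>] pattern (the same one wait4ifup uses) stops LOWER_UP from matching.
iface_line_is_up() {
    printf '%s\n' "$1" | grep -q -e '[<,]UP[,>]'
}

# True when the line also carries LOWER_UP, i.e. the link layer has a carrier.
# An interface can be administratively UP with no carrier (NO-CARRIER), so
# LOWER_UP is the closer indication that traffic can actually flow.
iface_line_has_carrier() {
    printf '%s\n' "$1" | grep -q -e '[<,]LOWER_UP[,>]'
}

# Probes set PROBE_LINE instead of printing, so a probe used in the polling
# loop can keep state across calls (command substitution would fork a subshell).
live_probe() {                      # real probe, only used when run on a host
    PROBE_LINE=$(ip link show dev "$1" 2>/dev/null)
}

# wait_for_link IFACE TIMEOUT [INTERVAL] [PROBE]: poll once per INTERVAL
# seconds until the interface shows UP and LOWER_UP, or TIMEOUT polls pass.
# Returns 0 on success and 1 on timeout, like wait4ifup. The names and the
# PROBE parameter are this example's own, not wait4ifup's.
wait_for_link() {
    iface=$1; remaining=$2; interval=${3:-1}; probe=${4:-live_probe}
    while [ "$remaining" -gt 0 ]; do
        "$probe" "$iface"
        if iface_line_is_up "$PROBE_LINE" && iface_line_has_carrier "$PROBE_LINE"; then
            return 0
        fi
        sleep "$interval"
        remaining=$((remaining - 1))
    done
    return 1
}

# Constructed probe: reports ppp0 down for the first two polls and up after
# that, modelling pppd bringing the link up while the init script waits.
fake_polls=0
fake_probe() {
    fake_polls=$((fake_polls + 1))
    if [ "$fake_polls" -ge 3 ]; then PROBE_LINE=$SAMPLE_PPP_UP; else PROBE_LINE=$SAMPLE_PPP_DOWN; fi
}

# Constructed probe that never reports a carrier, to exercise the timeout path.
nocarrier_probe() { PROBE_LINE=$SAMPLE_ETH_NOCARRIER; }

# Run with an interface name to poll a live host:  sh wait_link.sh ppp0 90
if [ "$#" -gt 0 ]; then
    if wait_for_link "$1" "${2:-90}"; then echo "$1 is up"; else echo "timed out waiting for $1"; exit 1; fi
fi
```

Two points worth carrying back to the real scripts when a firewall "sometimes does not run at all": the poller returns non-zero on timeout, so its caller can log the failure rather than carry on silently, and the quoted init script's `test -x $WAIT_FOR_IFUP || exit 0` exits successfully without starting the firewall at all if the helper is missing or not executable, which is one of the first things to check when there is no error message.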