Johann Spies wrote:
> I have configured /etc/default/shorewall to wait for the ppp-interface
> (adsl) before it starts.

I have never needed to use this behavior. Shorewall works fine for me without it. Could you say for what reason you need it to wait for the interface? What problem is being solved by that action?

> Sometimes the server boots and shorewall does not run at all.

Could you investigate this problem further? If you find a problem with it then please file a bug report about it. Because it should definitely run reliably at system boot time. Works for me.

> It seems that the wait_interface="ppp0" setting in /etc/default/shorewall
> does not do the job properly.

Let's take a look at that functionality. The logic there is easy to trace through. You know about /etc/default/shorewall. It documents a possible setting for wait_interface. This is used in the /etc/init.d/shorewall system startup script. Here are the important parts for that section.

  less /etc/init.d/shorewall

    WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
    test -x $WAIT_FOR_IFUP || exit 0

    wait_for_pppd () {
        if [ "$wait_interface" != "" ]
        then
            for i in $wait_interface
            do
                $WAIT_FOR_IFUP $i 90
            done
        fi
    }

    shorewall_start () {
      echo -n "Starting \"Shorewall firewall\": "
      wait_for_pppd
    ...
    case "$1" in
        start)
            shorewall_start

For each interface listed in the variable the script will wait for it to be up before the script will continue. It will do so using the /usr/share/shorewall/wait4ifup script. Let's look at it.

  less /usr/share/shorewall/wait4ifup

    interface_is_up() {
        [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ]
    }

I hate the hard coded full /sbin/ip and /bin/grep path. It should just call "ip" and "grep" plainly. Blech! I also hate the scripting style. But we won't get anywhere if I keep critiquing the style. In any case... Use "ip" to check if it lists an interface as "UP". If it is then return true otherwise false.

    timeout=$2
    ...
    while [ $timeout -gt 0 ]; do
        interface_is_up $1 && exit 0
        /bin/sleep 1
        timeout=$(( $timeout - 1 ))
    done

    exit 1

For the specified 90 seconds start counting down every second and poll if "ip" returns "UP" for that interface each cycle through the loop. That is quite brute force for my taste. But it seems like it should work. If that isn't working for you could you look to see why?

> How can I ensure that shorewall starts properly.

In order to answer this you must say more details about how it isn't working properly. Because otherwise we can only say, works for me, and be at an impasse. I am sure that Shorewall has some error message saying why it isn't starting for you.

I assume you edited the /etc/default/shorewall script and set startup=1 in that file? Because definitely if it is left at the default package value of startup=0 that shorewall will not start.

Bob
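
A preflight for the three conditions the message above traces (startup=1, an executable wait4ifup, and each wait_interface entry reporting UP), as an added example that is not part of the original message or of Shorewall. The function name preflight and its two path arguments are assumptions, and the defaults file is assumed to contain only plain shell variable assignments.

```shell
#!/bin/sh
# Added example (not Shorewall code): preflight for the boot path traced above.

# Same test as wait4ifup's interface_is_up, with "ip" and "grep" found via PATH.
interface_is_up() {
    ip link list dev "$1" 2>/dev/null | grep -q -e '[<,]UP[,>]'
}

# preflight DEFAULTS_FILE WAIT4IFUP_PATH
# Prints one finding per line. Returns 1 if a finding keeps the firewall from
# starting, else 0. The body runs in a subshell so sourced settings do not leak.
preflight() (
    defaults=$1
    helper=$2
    rc=0
    startup=0          # assumed when the file does not set it
    wait_interface=
    if [ ! -r "$defaults" ]; then
        echo "FAIL: cannot read $defaults"
        exit 1
    fi
    case $defaults in */*) ;; *) defaults=./$defaults ;; esac  # keep "." off PATH lookup
    . "$defaults"      # assumption: file holds only variable assignments
    if [ "$startup" != "1" ]; then
        echo "FAIL: startup=$startup, so shorewall is not started at boot"
        rc=1
    fi
    # The init script excerpt runs: test -x $WAIT_FOR_IFUP || exit 0
    if [ ! -x "$helper" ]; then
        echo "FAIL: $helper is not executable; the init script exits 0 silently"
        rc=1
    fi
    # A down interface is only a warning: the excerpt does not check the
    # exit status of wait4ifup, so startup continues after the timeout.
    for i in $wait_interface; do
        if interface_is_up "$i"; then
            echo "OK: $i is UP"
        else
            echo "WARN: $i is not UP; wait4ifup polls for up to 90 seconds"
        fi
    done
    exit "$rc"
)

if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

On the system discussed above it would be called with /etc/default/shorewall and /usr/share/shorewall/wait4ifup as its two arguments.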