Shorewall providers configuration may remain dirty after removing a RED #6105

Closed
cotosso opened this issue Apr 2, 2020 · 10 comments
Labels: bug (A defect of the software), verified (All test cases were verified successfully)


cotosso commented Apr 2, 2020

Providers configuration known by shorewall may be wrong after removing a RED from the MultiWAN.

These are the 2 right working configurations written here as references:

One RED Only

[root@test ~]# shorewall status -i
Shorewall-5.1.10.2 Status at test.s60plus.davide - Thu Mar 26 12:04:32 CET 2020

Shorewall is running
State:Started Thu Mar 26 09:57:17 CET 2020 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Thu Mar 26 09:57:07 CET 2020 by Shorewall version 5.1.10.2)

2 or more RED

[root@test ~]# shorewall status -i
Shorewall-5.1.10.2 Status at test.s60plus.davide - Thu Mar 26 12:05:32 CET 2020

Shorewall is running
State:Started Thu Mar 26 12:04:46 CET 2020 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Thu Mar 26 12:04:43 CET 2020 by Shorewall version 5.1.10.2)

   Interface enp4s0 is Enabled
   Interface enp6s0 is Enabled

Steps to reproduce

  • Configure a NethServer with 2 RED interfaces
  • Remove a RED
  • Give the command: shorewall status -i

Expected behavior

[root@test ~]# shorewall status -i
Shorewall-5.1.10.2 Status at test.s60plus.davide - Thu Mar 26 12:04:32 CET 2020

Shorewall is running
State:Started Thu Mar 26 09:57:17 CET 2020 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Thu Mar 26 09:57:07 CET 2020 by Shorewall version 5.1.10.2)

Actual behavior

[root@test ~]# shorewall status -i
Shorewall-5.1.10.2 Status at test.s60plus.davide - Thu Mar 26 12:07:16 CET 2020

Shorewall is running
State:Started Thu Mar 26 12:06:42 CET 2020 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Thu Mar 26 12:06:38 CET 2020 by Shorewall version 5.1.10.2)

   Interface enp4s0 is Disabled

enp4s0 is the interface of the WAN I removed

Components

NethServer release 7.7.1908 (final)

nethserver-base-3.7.5-1.ns7.noarch
nethserver-firewall-base-3.8.8-1.ns7.noarch
nethserver-firewall-base-ui-3.8.8-1.ns7.noarch

cotosso added the bug label Apr 2, 2020
gsanchietti (Member) commented Apr 2, 2020

It seems this should be already fixed: NethServer/nethserver-firewall-base#131

The cleanup happens on firewall-adjust event.

cotosso (Author) commented Apr 2, 2020

Unfortunately, after removing the RED there are still files not deleted in /var/lib/shorewall

[root@test ~]# ll /var/lib/shorewall/
total 148
-rw-------  1 root root      2 Mar 26 12:05 enp4s0_disabled
-rw-------  1 root root      2 Mar 26 12:05 enp4s0.status
-rw-------  1 root root      2 Mar 26 12:04 enp4s0_weight
-rw-------  1 root root      2 Mar 26 12:04 enp6s0_weight
-rwx------. 1 root root 111550 Mar 26 12:06 firewall
-rw-------. 1 root root    219 Mar 26 12:06 marks
-rw-------  1 root root      0 Mar 26 12:06 nat
-rw-------. 1 root root   1689 Mar 26 12:06 policies
-rw-------  1 root root      0 Mar 26 12:06 proxyarp
-rw-------. 1 root root     29 Mar 26 12:06 restarted
-rw-------. 1 root root     58 Mar 26 12:06 state
-rw-------. 1 root root    191 Mar 26 12:06 zones

gsanchietti (Member) commented Apr 2, 2020

I can't reproduce by removing the interface.

Do you mean just cleaning up the role? So the interface changes its role from red to empty?

cotosso (Author) commented Apr 2, 2020

Yes, I do "Release Role" from the web interface.
The interface is still physically present, but not assigned to any role.

gsanchietti added a commit to NethServer/nethserver-firewall-base that referenced this issue Apr 3, 2020
Delete also the status referring to existing
network interface but with a non-red role.

NethServer/dev#6105
nethbot (Member) commented Apr 3, 2020

in 7.7.1908/testing:

gsanchietti (Member) commented

Test case
Check the bug is not reproducible

gsanchietti added the testing label Apr 3, 2020
cotosso (Author) commented Apr 6, 2020

  • I upgraded firewall-base packages:
[root@test ~]# rpm -qa | grep firewall-base
nethserver-firewall-base-ui-3.8.8-1.2.g291e614.ns7.noarch
nethserver-firewall-base-3.8.8-1.2.g291e614.ns7.noarch
  • I created a new red role on interface enp4s0
  • I removed the Red role on interface enp4s0 via the web interface (release role)
  • Shorewall status now is correct:
[root@test ~]# shorewall status -i
Shorewall-5.1.10.2 Status at test.s60plus.davide - Mon Apr  6 09:56:44 CEST 2020

Shorewall is running
State:Started Mon Apr  6 09:55:12 CEST 2020 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Mon Apr 6 09:55:10 CEST 2020 by Shorewall version 5.1.10.2)
  • the directory /var/lib/shorewall seems to remain dirty (there is also some reference to enp3s0, that I previously used for tests)
[root@test ~]# ll /var/lib/shorewall/
total 148
-rw-------  1 root root      2 Apr  2 10:25 enp3s0_disabled
-rw-------  1 root root      2 Apr  2 10:25 enp3s0_weight
-rw-------  1 root root      2 Apr  6 09:53 enp4s0_disabled
-rw-------  1 root root      2 Apr  6 09:53 enp4s0_weight
-rw-------  1 root root      2 Apr  6 09:53 enp6s0_weight
-rwx------. 1 root root 108133 Apr  6 09:55 firewall
-rw-------. 1 root root    219 Apr  6 09:55 marks
-rw-------  1 root root      0 Apr  6 09:55 nat
-rw-------. 1 root root   1689 Apr  6 09:55 policies
-rw-------  1 root root      0 Apr  6 09:55 proxyarp
-rw-------. 1 root root     30 Apr  6 09:55 restarted
-rw-------. 1 root root     59 Apr  6 09:55 state
-rw-------. 1 root root    191 Apr  6 09:55 zones

gsanchietti (Member) commented

Dirty files can be left in place, shorewall will override them when needed.

gsanchietti added the verified label and removed the testing label Apr 6, 2020
DavidePrincipi added this to ⚙ Developing in NethServer 7 Apr 7, 2020
nethbot (Member) commented Apr 7, 2020

in 7.7.1908/updates:

NethServer 7 automation moved this from ⚙ Developing to 🗑 Done Apr 7, 2020
cotosso (Author) commented Apr 23, 2020

The problem is still present with a PPPoE connection, but this case should be rare and the fix is very easy:

rm -f /var/lib/shorewall/ppp0*
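
An added example (not part of the thread and not NethServer's own code) that reports, without deleting anything, which per-interface files in the state directory belong to interfaces that are no longer RED. The function names and the convention of passing the current RED interfaces as arguments are assumptions; the file names in the demo are constructed to mirror the listings above.

```shell
#!/bin/sh
# stale_state_files DIR [RED_IFACE...]
# Prints one line per leftover file: "<kind> <interface> <path>"
#   kind=status   -> <iface>.status, the file that is gone from the
#                    listing in the thread once the fix is installed
#   kind=leftover -> <iface>_disabled / <iface>_weight, which the
#                    maintainer says can be left in place
# Assumption: the caller supplies the interfaces that currently have
# the RED role; this script does not query NethServer for them.
stale_state_files() {
    dir=$1; shift
    reds=" $* "
    for f in "$dir"/*.status "$dir"/*_disabled "$dir"/*_weight; do
        [ -f "$f" ] || continue          # unmatched glob stays literal
        base=${f##*/}
        case $base in
            *.status)   iface=${base%.status};   kind=status ;;
            *_disabled) iface=${base%_disabled}; kind=leftover ;;
            *_weight)   iface=${base%_weight};   kind=leftover ;;
        esac
        case $reds in
            *" $iface "*) continue ;;    # still a RED provider: not stale
        esac
        printf '%s %s %s\n' "$kind" "$iface" "$f"
    done
}

# Constructed demo: an empty copy of the first directory listing in the
# thread, with enp6s0 as the only remaining RED interface.
demo() {
    d=$(mktemp -d) || return 1
    for n in enp4s0_disabled enp4s0.status enp4s0_weight enp6s0_weight \
             firewall marks state zones; do
        : > "$d/$n"
    done
    stale_state_files "$d" enp6s0 | sed "s|$d/||"
    rm -rf "$d"
}

demo
```

On a real system the call would be `stale_state_files /var/lib/shorewall <current RED interfaces>`; a `status` line for an interface that is no longer RED is the condition reported in this issue.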
